
Here is a login page I have been working on for a while. What do you think?
It automatically strips "user input" of all special characters.

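<!doctype html>
<html lang="en">
<head>
    <!-- Declare the encoding first so the browser never has to guess how to decode the page. -->
    <meta charset="utf-8">
    <!-- The title is metadata and belongs inside <head>, not in front of it. -->
    <title>Login Page</title>
    <style>
    body {
        text-align:center;
         }
    </style>
</head>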
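<?php
// Presumably sql.php provides $sql (the mysqli connection) and $table (the
// accounts table name); both are used below but defined nowhere in this file.
include "sql.php";
// PHP_SELF is derived from the request URL, so the client controls part of it.
// It is written into every form's action attribute, so it is HTML-escaped once
// here, before any of those uses.
$me = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');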

/**
 * Tell whether the current request's POST data contains the field $v.
 *
 * @param string $v Name of the POST field to look for.
 * @return bool True when the field is present and not null.
 */
function check($v){
    $present = isset($_POST[$v]);
    return $present;
}

/**
 * Trim $str, then replace every character outside A-Z, a-z, 0-9 and "_"
 * with a single space.
 *
 * The result can still contain spaces, and it is a different string from the
 * one the user typed. This makes the value harmless inside a quoted SQL
 * literal, but it is input rewriting, not validation: queries should still
 * bind their values as parameters.
 *
 * @param string $str Raw input.
 * @return string The rewritten value.
 */
function strip ($str){
    $trimmed = trim($str);
    $disallowed = '/[^A-Za-z0-9_]/';
    return preg_replace($disallowed, " ", $trimmed);
}

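/**
 * Report whether at least one row of $table has column $col equal to $val.
 *
 * The value is bound as a statement parameter instead of being concatenated
 * into the SQL text, so the function is safe even when a caller forgets to
 * sanitise $val first. Column names cannot be bound, so $col is checked
 * against a strict identifier pattern instead.
 *
 * Note that a match only means "some row has this value". It says nothing
 * about which row, so two separate calls cannot prove that a user name and a
 * password belong to the same account.
 *
 * @param string $col Column to search; letters, digits and "_" only.
 * @param string $val Value to look for.
 * @return bool True when a matching row exists; false when none exists, the
 *              arguments are unusable, or the query could not be run.
 */
function test($col,$val){
    global $sql, $table;

    // Identifiers are part of the SQL text, so only a plain name is accepted.
    if (!is_string($col) || preg_match('/^[A-Za-z0-9_]+$/D', $col) !== 1){
        return false;
    }
    // An array (field[]=...) or object can never equal a stored column value.
    if (!is_scalar($val)){
        return false;
    }

    $stmt = mysqli_prepare($sql, "SELECT ".$col." FROM ".$table." WHERE ".$col."=? LIMIT 1");
    if ($stmt === false){
        return false;
    }

    $needle = (string) $val;
    mysqli_stmt_bind_param($stmt, "s", $needle);

    $found = false;
    if (mysqli_stmt_execute($stmt)){
        // Buffer the result so the row count is available without mysqlnd.
        mysqli_stmt_store_result($stmt);
        $found = mysqli_stmt_num_rows($stmt) > 0;
    }
    mysqli_stmt_close($stmt);

    return $found;
}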

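 /**
  * Accept $imp only when every character is a letter, a digit or "_".
  *
  * This is the same allowed set that strip() keeps. The previous form compared
  * the input with strip($imp) using "==", which compares numeric-looking
  * strings as numbers: "+12345" and " 12345" were therefore accepted although
  * they contain a character outside the allowed set. An anchored pattern has
  * no such coercion.
  *
  * @param mixed $imp Value taken from the request.
  * @return bool True when $imp is a string made only of allowed characters
  *              (the empty string included, as before).
  */
 function verify ($imp){
     // A field sent as an array (name[]=...) is never a valid name or password.
     if (!is_string($imp)){
         return false;
     }
     // The D modifier stops "$" from matching before a trailing newline.
     return preg_match('/^[A-Za-z0-9_]*$/D', $imp) === 1;
 }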

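/**
 * Print a one-button form that posts back to this page.
 *
 * Every value written into the markup is HTML-escaped, so a quote or angle
 * bracket in the page URL, the field name or the caption cannot break out of
 * its attribute.
 *
 * @param string $txt Name of the submit field (what check() later looks for).
 * @param string $set Caption shown on the button.
 * @return void
 */
function button ($txt,$set){
    global $me;
    // double_encode is off for $me so that a value which was already escaped
    // where it is assigned is not escaped a second time.
    $action  = htmlspecialchars($me, ENT_QUOTES, 'UTF-8', false);
    $name    = htmlspecialchars($txt, ENT_QUOTES, 'UTF-8');
    $caption = htmlspecialchars($set, ENT_QUOTES, 'UTF-8');
    echo '<form action="' . $action . '" method="POST">
  <input type="submit" name="' . $name . '" value="' . $caption . '">
  </form>';
}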
// End Of Declarationns     
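    // Returning visitor: the "ID" cookie is the only thing that identifies the
    // account, so whoever presents a valid value is treated as that user.
    if (isset($_COOKIE["ID"]) && is_string($_COOKIE["ID"])){
        $cookieId = strip($_COOKIE["ID"]);
        $known    = false;
        $gameName = null;

        // One bound query replaces the two concatenated ones.
        $stmt = mysqli_prepare($sql, "SELECT Game_Name FROM ".$table." WHERE ID=? LIMIT 1");
        if ($stmt !== false){
            mysqli_stmt_bind_param($stmt, "s", $cookieId);
            if (mysqli_stmt_execute($stmt)){
                mysqli_stmt_bind_result($stmt, $gameName);
                $known = (mysqli_stmt_fetch($stmt) === true);
            }
            mysqli_stmt_close($stmt);
        }

        if ($known){
            // Stored data is escaped on output as well; do not rely on the
            // sign-up checks having kept markup out of the table.
            echo "Welcome " . htmlspecialchars((string) $gameName, ENT_QUOTES, 'UTF-8') . " !<br>";
        }
        else{
            // This only clears the value for the rest of this request; the
            // browser keeps sending the cookie until it expires.
            unset($_COOKIE["ID"]);
        }
    }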

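    // Landing view: shown when no form and no menu button has been submitted.
    if (!check("Sign_Up")  and !check("Sign_In") and !check("Su_User_Name") and !check("Si_User_Name")){
        // The stray closing tag after </b> matched nothing and has been removed.
        echo "<b>Welcome! Please sign in or sign up !<br></b>";
        button("Sign_In","Sign In");
        button("Sign_Up","Sign Up");
    }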

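    // Sign-in form, shown after the "Sign In" menu button was pressed.
    if (check("Sign_In") ) {
        // Escape the post-back URL; double_encode is off in case $me was
        // already escaped where it is assigned.
        $action = htmlspecialchars($me, ENT_QUOTES, 'UTF-8', false);
        // The password field is type="password" so it is masked on screen and
        // kept out of the browser's form history. The stray closing tag after
        // </b> has been removed.
        echo '<b>Please sign in here.</b><br><form action="' . $action . '" method="POST">
<br>User Name: <input type="text" name="Si_User_Name" autocomplete="username">&nbsp;
  Password: <input type="password" name="Si_Password" autocomplete="current-password">&nbsp;
  <button type="submit">Submit !</button>
  </form><br>';
    }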

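    // Sign-up form, shown after the "Sign Up" menu button was pressed.
    if (check("Sign_Up") ) {
        // Escape the post-back URL; double_encode is off in case $me was
        // already escaped where it is assigned.
        $action = htmlspecialchars($me, ENT_QUOTES, 'UTF-8', false);
        // The password field is type="password" so it is masked on screen and
        // kept out of the browser's form history.
        echo '<b>Please do not use special characters.<br>Letters, numbers and _ allowed.<br>Lenght must be longer than 4 characters.<br></b><form action="' . $action . '" method="POST">
<br>User Name: <input type="text" name="Su_User_Name" autocomplete="username">&nbsp;
  Game Name: <input type="text" name="Su_Game_Name"> &nbsp;
  Password: <input type="password" name="Su_Password" autocomplete="new-password">&nbsp;
  <button type="submit">Submit !</button>
  </form><br>';
    }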

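    // Sign-up handler: validate the three fields, make sure both names are
    // free, then create the account and hand the browser its ID cookie.
    if (check("Su_User_Name") and check("Su_Game_Name") and check("Su_Password") ){
     $newLogin = $_POST["Su_User_Name"];
     $newGame  = $_POST["Su_Game_Name"];
     $newPass  = $_POST["Su_Password"];

     // A field sent as an array (name[]=...) must be rejected before strlen().
     $allStrings = is_string($newLogin) && is_string($newGame) && is_string($newPass);

     if (!$allStrings || !verify($newLogin) || !verify($newGame) || !verify($newPass) || strlen($newLogin) < 5 || strlen($newGame) < 5 || strlen($newPass) < 5 ) {
      // Closing tag corrected: the heading was opened as <h3> but closed as </h1>.
      echo "<h3><b>Letters, numbers and _ only. Lenght must be greater than 4 characters.</b></h3><br>";
      button("x","<-- Back");
     }
     elseif (test("Login_Name",$newLogin) ){
      echo "<b>User name taken.<br></b>";
      button("x","<-- Back");
     }
     elseif (test("Game_Name",$newGame) ){
      echo "<b>Game name taken.<br></b>";
      button("x","<-- Back");
     }
     else{
      // NOTE(review): two requests can both pass the "taken" checks before
      // either inserts; only a UNIQUE index on these columns closes that gap.
      // Confirm the table has one.

      // The ID is the value the browser later presents as proof of identity,
      // so it must be unpredictable: random_int() (PHP 7+) draws from the
      // system CSPRNG, which rand() does not.
      $alphabet = "1234567890abcdefghijklmnopqrstuvwxyABCDEFGHIJKLMNOPQRSTUVWXYZ";
      $lastIdx  = strlen($alphabet) - 1;
      $token    = '';
      for ($i = 0; $i < 21; $i++) {
          $token .= $alphabet[random_int(0, $lastIdx)];
      }

      // NOTE(review): the password is stored exactly as submitted. Storing
      // password_hash() output and checking it with password_verify() is the
      // proper fix, but it has to change this handler and the sign-in handler
      // together, and the Blarg column must be wide enough for the hash.
      $created = false;
      $stmt = mysqli_prepare($sql, "INSERT INTO ".$table." (Game_Name,Login_Name,Blarg,ID) VALUES (?,?,?,?)");
      if ($stmt !== false){
          // Values are bound, so the INSERT no longer depends on verify()
          // having filtered every quote character.
          mysqli_stmt_bind_param($stmt, "ssss", $newGame, $newLogin, $newPass, $token);
          $created = mysqli_stmt_execute($stmt);
          mysqli_stmt_close($stmt);
      }

      if ($created){
          // NOTE(review): the page has already printed its <head> markup by
          // now, so this header is only sent if output buffering is enabled.
          // HttpOnly keeps scripts from reading the cookie; Secure is set
          // whenever the request itself arrived over HTTPS.
          $overHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
          setcookie("ID", $token, time()+3600, "", "", $overHttps, true);
          echo "<b>Account created !<br></b>";
      }
      else{
          echo "<b>Could not create the account. Please try again.<br></b>";
      }
      button("x","<-- Back");
     }
    }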

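    // Sign-in handler.
    //
    // The earlier version asked two independent questions: "does any row have
    // this login name?" and "does any row have this password?". A known user
    // name combined with any other account's password therefore logged in.
    // The row is now looked up by login name only, and the password stored in
    // that same row is compared with the one submitted.
    if (check("Si_User_Name") and check("Si_Password") ) {
        $loginName = $_POST["Si_User_Name"];
        $password  = $_POST["Si_Password"];
        $accountId = null;

        if (is_string($loginName) && is_string($password)){
            $stmt = mysqli_prepare($sql, "SELECT ID, Blarg FROM ".$table." WHERE Login_Name=? LIMIT 1");
            if ($stmt !== false){
                mysqli_stmt_bind_param($stmt, "s", $loginName);
                if (mysqli_stmt_execute($stmt)){
                    mysqli_stmt_bind_result($stmt, $rowId, $rowSecret);
                    // hash_equals() compares in constant time and, unlike a
                    // SQL "=", is exact about letter case and trailing spaces.
                    if (mysqli_stmt_fetch($stmt) === true && is_string($rowSecret) && hash_equals($rowSecret, $password)){
                        $accountId = $rowId;
                    }
                }
                mysqli_stmt_close($stmt);
            }
        }

        if ($accountId !== null){
            // NOTE(review): the same stored ID is reused on every sign-in, so
            // a copied cookie value stays valid after the cookie itself has
            // expired. Issuing a fresh value per sign-in would limit that.
            // NOTE(review): markup has already been printed before this
            // point, so the header is only sent if output buffering is on.
            $overHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
            setcookie("ID", $accountId, time()+3600, "", "", $overHttps, true);
            echo "<b>Logged in !<br></b>";
            button("x","<-- Back");
        }
        else{
            // One message for both failure causes, so the reply does not
            // reveal whether the user name exists.
            echo "<b>Bad name or password. Please try again.<br></b>";
            button("x","<-- Back");
        }
    }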

 ?>
</html>

Why do you want to strip all special characters? Why not just stipulate no special chars and then flag an error if they're found? I haven't checked the code closely.


Easier to code, and it prevents PHP, JS and SQL injection.

Not sure how you reckon that. Just check for alphanumerics and if rogue chars present throw an error. Changing the strings to something the user did not intend is not usually the way to do it. My 2p.


Why not use PDO and bind the values? Here is an example:

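// Login form handler: looks the account up by user name or e-mail with bound
// parameters, checks the password against the stored hash, then starts the
// session. Any failure to authenticate redirects to $error_page.
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['form_name']) && $_POST['form_name'] == 'loginform')
{

   $error_page = 'error.php';
   $username = '';
   $email = '';
   $session_timeout = 3600*24*30;
   try
   {
      // The DSN and credentials are the example's placeholders; real ones
      // belong in configuration outside the web root, not in the page source.
      $pdo = new PDO('mysql:host=localhost;dbname=users', 'username', 'password');
      // Without this, failed queries return false instead of throwing, and
      // the catch block around the query below would never run.
      $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
   }
   catch (PDOException $e)
   {
      $output = 'Unable to connect to the database server.';
      echo $output;
      exit();
   }

   try
   {
      // Missing or array-valued fields are treated as empty, which simply
      // matches no account.
      $login    = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
      $supplied = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';

      // Each placeholder has its own name: reusing one name twice only works
      // while PDO emulates prepared statements.
      $sql = "SELECT * FROM user_login_info WHERE (username = :username OR email = :email)";
      $statement = $pdo->prepare($sql);
      $statement->bindValue(':username', $login);
      $statement->bindValue(':email', $login);
      $statement->execute();
      $result = $statement->fetchAll(PDO::FETCH_ASSOC);

      // The stored value is a crypt()/bcrypt hash. password_verify() accepts
      // that format and compares in constant time, unlike "==". A plain MD5
      // digest is not a suitable way to store passwords and is not an
      // alternative here.
      if (count($result) == 1 && password_verify($supplied, $result[0]['password']))
      {
         if (session_id() == "")
         {
            session_start();
         }
         // New session ID at login, so an ID that was planted or observed
         // before authentication is worthless afterwards.
         session_regenerate_id(true);
         $_SESSION['user_id'] = $result[0]['user_id'];
         $_SESSION['username'] = $result[0]['username'];
         $_SESSION['email'] = $result[0]['email'];
         $_SESSION['expires_by'] = time() + $session_timeout;
         $_SESSION['expires_timeout'] = $session_timeout;
         $rememberme = isset($_POST['rememberme']);
         if ($rememberme)
         {
            // NOTE(review): this cookie holds only the typed user name and is
            // fully client-controlled; it must never be treated as proof of
            // identity on a later request.
            setcookie('login_id_name', $login, time() + 3600*24*30);
         }
         echo "found one. you enter a redirect here.";
      }
      else
      {
         // Same destination for "no such user" and "wrong password".
         header('Location: '.$error_page);
         exit;
      }
   }
   catch (PDOException $e)
   {
      $output = 'Unable to connect to the database server.';
      echo $output;
      exit();
   }

}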

hope this helps. :)
