Member Avatar for RLS0812

Here is a login page I have been working on for a while, what do you think ?
It automatically strips "user input" of all special characters.

<html>
<title>Login Page</title>
<head>
    <style type="text/css">
    body {
        text-align:center;
         }
    </style>
</head>
<?php
include "sql.php";
$me =  $_SERVER['PHP_SELF'];

function check($v){
return isset($_POST[$v]);
}

function strip ($str){
return preg_replace('/[^A-Za-z0-9_]/', " ", trim($str) );
}

function test($col,$val){
global $sql, $table; 
$tst = mysqli_query($sql,"SELECT ".$col." FROM ".$table." WHERE ".$col."='".$val."'");
if (mysqli_fetch_array($tst) ){
 return true;
}
else{
return false;
}}

 function verify ($imp){
     $imp1 = strip($imp);
     if ($imp == $imp1){
     return true;
     }
     else{
     return false;
     }}

function button ($txt,$set){
global $me;
 echo '<form action="' . $me . '" method="POST">
  <input type="submit" name="'.$txt.'" value="'.$set.'">
  </form>';
}
// End Of Declarationns     
    if (isset($_COOKIE["ID"])){
    $result = mysqli_query($sql,"SELECT ID FROM ".$table." WHERE ID='".strip($_COOKIE["ID"])."'");
    if (mysqli_fetch_array($result)){
        $temp = mysqli_fetch_assoc(mysqli_query($sql,"SELECT Game_Name FROM ".$table." WHERE ID='".strip($_COOKIE["ID"])."'") );
        echo "Welcome " . $temp["Game_Name"] . " !<br>";
    }
    else{
    unset($_COOKIE["ID"]);
    }}

    if (!check("Sign_Up")  and !check("Sign_In") and !check("Su_User_Name") and !check("Si_User_Name")){
    echo "<b>Welcome! Please sign in or sign up !<br></b></ceter>";
    button("Sign_In","Sign In");
    button("Sign_Up","Sign Up");
    }

    if (check("Sign_In") ) {
echo '<b>Please sign in here.</b></cemter><br><form action="' . $me . '" method="POST">
<br>User Name: <input type="text" name="Si_User_Name">&nbsp;
  Password: <input type="text" name="Si_Password">&nbsp;
  <button type="submit">Submit !</button>
  </form><br>';
    }

    if (check("Sign_Up") ) {
    echo '<b>Please do not use special characters.<br>Letters, numbers and _ allowed.<br>Lenght must be longer than 4 characters.<br></b><form action="' . $me . '" method="POST">
<br>User Name: <input type="text" name="Su_User_Name">&nbsp;
  Game Name: <input type="text" name="Su_Game_Name"> &nbsp;
  Password: <input type="text" name="Su_Password">&nbsp;
  <button type="submit">Submit !</button>
  </form><br>';
    }

    if (check("Su_User_Name") and check("Su_Game_Name") and check("Su_Password") ){
     if (!verify($_POST["Su_User_Name"]) or !verify($_POST["Su_Game_Name"]) or !verify($_POST["Su_Password"]) or strlen($_POST["Su_User_Name"]) < 5 or strlen($_POST["Su_Game_Name"]) < 5 or strlen($_POST["Su_Password"]) < 5 ) {
      echo "<h3><b>Letters, numbers and _ only. Lenght must be greater than 4 characters.</b></h1><br>";
      button("x","<-- Back");
     }
     else{
      if (test("Login_Name",$_POST["Su_User_Name"]) ){
      echo "<b>User name taken.<br></b>";
      button("x","<-- Back");
      }
      elseif(test("Game_Name",$_POST["Su_Game_Name"]) ){
       echo "<b>Game name taken.<br></b>";
       button("x","<-- Back");
      }
      else{
      $x = "1234567890abcdefghijklmnopqrstuvwxyABCDEFGHIJKLMNOPQRSTUVWXYZ";
      $x2 = '';
        for ($i = 0; $i < 21; $i++) {
            $x2 .= $x[rand(0, strlen($x) - 1)];
      }
      mysqli_query($sql,"INSERT INTO ".$table." (Game_Name,Login_Name,Blarg,ID)VALUES('".$_POST["Su_Game_Name"]."','".$_POST["Su_User_Name"]."','" .$_POST["Su_Password"]."','".$x2."')");
      echo "<b>Account created !<br></b>";
      $temp = mysqli_fetch_assoc(mysqli_query($sql,"SELECT * FROM ".$table." WHERE ID='".$x2."'") );
      setcookie("ID",$temp["ID"], time()+3600);
      button("x","<-- Back");

      }
     }
    }

    if (check("Si_User_Name") and check("Si_Password") ) {
    $tmp1 = strip($_POST["Si_User_Name"]);
    $tmp2 = strip($_POST["Si_Password"]);
      if (test("Login_Name",$tmp1) and test("Blarg",$tmp2) ){
      echo "<b>Logged in !<br></b>";
      $temp = mysqli_fetch_assoc(mysqli_query($sql,"SELECT * FROM ".$table." WHERE Login_Name='".$tmp1."'") );
      setcookie("ID",$temp["ID"], time()+3600);
      button("x","<-- Back");
      }
      else{
       echo "<b>Bad name or password. Please try again.<br></b>";
       button("x","<-- Back");
      }
    }

 ?>
</html>
  • 3 Contributors
  • 4 Replies
  • 248 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by Eagle.Avik
Member Avatar for diafol

WHy do you want to strip all special characters? Why not just stipulate no special chars and then flag an error if they're found? I haven't checked the code closely.

Member Avatar for RLS0812

Easier to code, and prevents
PHP - Js - SQL
inection .

Member Avatar for diafol

Easier to code, and prevents
PHP - Js - SQL
inection .

Not sure how you reckon that. Just check for alphanumerics and if rogue chars present throw an error. Changing the strings to something the user did not intend is not usually the way to do it. My 2p.

Member Avatar for Eagle.Avik

why not use pdo, and bind value, here is example:

//for login form, it will check if the user exist or not and logged in
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['form_name'] == 'loginform')
{

   $error_page = 'error.php';
   $username = '';
   $email = '';
   $session_timeout = 3600*24*30;
   try
   {
   $pdo = new PDO('mysql:host=localhost;dbname=users', 'username', 'password');
   }
   catch (PDOException $e)
   {
    $output = 'Unable to connect to the database server.';
    echo $output;
    exit();
    }

  try
  {
   $sql = "SELECT * FROM user_login_info WHERE (username = :username OR email = :username)";
   $statement = $pdo->prepare($sql);
   $statement->bindValue(':username', $_POST['username']);
   $statement->execute();
   $result = $statement->fetchAll(PDO::FETCH_ASSOC);
   if (count($result) == 1)
    {

    //i am using crypt blowfish for password hashing. 
    //you can just compare md5 hashes normally
    $pass_varify = $result[0]['password'];
    if(crypt($_POST['password'], $pass_varify) == $pass_varify) {

      if (session_id() == "")
      {
         session_start();
      }
      $_SESSION['user_id'] = $result[0]['user_id'];
      $_SESSION['username'] = $result[0]['username'];
      $_SESSION['email'] = $result[0]['email'];
      $_SESSION['expires_by'] = time() + $session_timeout;
      $_SESSION['expires_timeout'] = $session_timeout;
      $rememberme = isset($_POST['rememberme']) ? true : false;
      if ($rememberme)
      {
         setcookie('login_id_name', $_POST['username'], time() + 3600*24*30);

      }
echo "found one. you enter a redirect here.";
   }
       else
    {
    header('Location: '.$error_page);
    exit;
    }
   }
    else
    {
    header('Location: '.$error_page);
    exit;
    }
 }
   catch (PDOException $e)
   {
    $output = 'Unable to connect to the database server.';
    echo $output;
    exit();
    }

}

hope this helps. :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.