0

i am trying to develop a humain ressource management application with php, html 5 and jQuery the access to this application must be with a login and password, below the source code of two scripts i have developed to ensure access with login and password to the application (login and password are stored in a table in a database that i work with it) but now i want three users accesses to the application each with its own login and password how can i do??

this the source code of the script index.html

<!doctype html>
<html><head>
    <meta charset="utf-8">
    <title>BLOCKS - Bootstrap Dashboard Theme</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="">
    <meta name="author" content="Carlos Alvarez - Alvarez.is">

    <!-- Le styles -->
    <link href="assets/css/bootstrap.css" rel="stylesheet">
    <link href="assets/css/login.css" rel="stylesheet">



    <style type="text/css">
      body {
        padding-top: 30px;
      }
    </style>

    <!-- Le HTML5 shim, for IE6-8 support of HTML5 elements -->
    <!--[if lt IE 9]>
      <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
    <![endif]-->

    <!-- Le fav and touch icons -->


    <!-- Google Fonts call. Font Used Open Sans & Raleway -->


    <!-- Jquery Validate Script -->
    <script type="text/javascript" src="assets/js/jquery.validate.js"></script>

    <!-- Jquery Validate Script - Validation Fields -->


</head>
  <body>

    <!-- NAVIGATION MENU -->



    <div class="container">
        <div class="row">
        <div class="col-lg-offset-4 col-lg-4" style="margin-top:100px">
            <div class="block-unit" style="text-align:center; padding:8px 8px 8px 8px;">
                <img src="assets/img/face80x80.jpg" alt="" class="img-circle">
                <br>
                <br>
                    <form class="cmxform" id="signupForm" method="get" action="verification.php">
                        <fieldset>
                            <p>
                                <input dir="rtl" id="login" name="login" type="text" placeholder="login ">
                                <input dir="rtl" id="motdepasse" name="motdepasse" type="password" placeholder="password">
                            </p>
                                <input class="submit btn-success btn btn-large" type="submit" value="submit">
                        </fieldset>
                    </form>
            </div>

        </div>


        </div>
    </div>



    <!-- Le javascript
    ================================================== -->
    <!-- Placed at the end of the document so the pages load faster -->
    <script type="text/javascript" src="assets/js/bootstrap.js"></script>


</body></html>

and this the source code of the script verification.php

<?php

if(!isset($_GET['login']) && !isset($_GET['motdepasse']))
{
    header('Location: verification.html');
}
else
{

        require('config.php'); // On reclame le fichier
        $tbl_name="membre";

        $login = $_GET['login'];
        $motdepasse = $_GET['motdepasse'];
        $sql="SELECT * FROM $tbl_name WHERE username='$login' and password='$motdepasse'" ;

        $result=mysql_query($sql);

        // Mysql_num_row is counting table row
            $count=mysql_num_rows($result);

        if(($count==1) ) 
        {
            $_SESSION['login'] = $_POST['login'];
            header('Location: acceuil.html');
        }
                else {
             echo "<script>alert(\"معلومات اسمك أو كلمة مرورك اللذان ادخلتهما غير صحيحين. رجاءً اضغط زر العودة للخلف, و أدخل البيانات الصحيحة ثم حاول مرة أخرى. إذا كنت نسيت كلمة المرور؟ إتصل بالمسؤول \")</script>"; 

             echo '<a href="login.html" temp_href="login.html">try again</a>';
              }

}   


?>
2
Contributors
7
Replies
43
Views
2 Years
Discussion Span
Last Post by Trabelsi
2

First: do not use GET for the form method, use POST. When using GET, passwords will be visible in the URL bar of the browser and will get written in the browser cache and history. This way anyone with basically no web dev skills will be able to see usernames and passwords.

Second: do not use mysql_* functions since they are deprecated, offer no advanced features that are important for security, and might be ditched at any time. You can use mysqli_* functions which are quite similar and safer, but preferably you should switch to PDO. The PDO has many advantages: it supports database features to greatest extent (i.e. prepared statements), it enables you to switch databases quite easily (i.e. from mysql/mariadb to postreSQL or Oracle etc) and uses nicely designed OOP approach.

Now, on this link you will find a nice login example, using PDO for database access, prepared statements for secure insertion and sha1 for password hashing, all nicely comented.

Mind you, if you google for php login example you will still find loads of examples using deprecated mysql_* functions. Do yourself a favor and avoid them or translate them at least to mysqli_* or better to PDO.

For enhancing security also read this article.

I hope this is not too much information in one short time for you. Nevertheless, it is worth investing some time into studying and clarifying these concepts as it will help you many times in future.

Edited by broj1

Votes + Comments
+1
0

Thank you so much broj1 for your advices it was useful for me, i already reviewed the articles that you have advised me to consult they helped me a lot so i changed my source code following this tutoriels you will find it bellow but, but i still have a problem wich is i want that the login file redirects each user to a distinguished page according to its identifier, login and password , so what should add to this code to resolve my problem

scripts used for adding users

adduser.php

<?php

/*** begin our session ***/
session_start();

/*** set a form token ***/
$form_token = md5( uniqid('auth', true) );

/*** set the session form token ***/
$_SESSION['form_token'] = $form_token;
?>

<html>
<head>
<title>PHPRO Login</title>
</head>

<body>
<h2>add user</h2>
<form action="verification2.php" method="post">
<fieldset>
<p>
<label for="username">"username "</label>
<input type="text" id="username" name="username" value="" maxlength="20" />
</p>
<p>
<label for="password">"password"</label>
<input type="text" id="password" name="password" value="" maxlength="20" />
</p>
<p>
<input type="hidden" name="form_token" value="<?php echo $form_token; ?>" />
<input type="submit" value="submit"/>
</p>
</fieldset>
</form>
</body>
</html>

verification2.php

<?php

/*** begin our session ***/
session_start();

/*** set a form token ***/
$form_token = md5( uniqid('auth', true) );

/*** set the session form token ***/
$_SESSION['form_token'] = $form_token;
?>

<html>
<head>
<title>PHPRO Login</title>
</head>

<body>
<h2>add user</h2>
<form action="verification2.php" method="post">
<fieldset>
<p>
<label for="username">"username "</label>
<input type="text" id="username" name="username" value="" maxlength="20" />
</p>
<p>
<label for="password">"password"</label>
<input type="text" id="password" name="password" value="" maxlength="20" />
</p>
<p>
<input type="hidden" name="form_token" value="<?php echo $form_token; ?>" />
<input type="submit" value="submit"/>
</p>
</fieldset>
</form>
</body>
</html>

scripts used for logging in:

login.html

<html>
<head>
<title> Login</title>
</head>

<body>
<h2>Login Here</h2>
<form action="login_submit.php" method="post">
<fieldset>
<p>
<label for="username">username</label>
<input type="text" id="username" name="username" value="" maxlength="20" />
</p>
<p>
<label for="password">password</label>
<input type="text" id="password" name="password" value="" maxlength="20" />
</p>
<p>
<input type="submit" value="submit" />
</p>
</fieldset>
</form>
</body>
</html>

login_submit.php

<?php

/*** begin our session ***/
session_start();

/*** check if the users is already logged in ***/
if(isset( $_SESSION['user_id'] ))
{
    $message = 'Users is already logged in';
}
/*** check that both the username, password have been submitted ***/
if(!isset( $_POST['username'], $_POST['password']))
{
    $message = 'login failed';
}
/*** check the username is the correct length ***/
elseif (strlen( $_POST['username']) > 20 || strlen($_POST['username']) < 4)
{
    $message = 'incorrect length';
}
/*** check the password is the correct length ***/
elseif (strlen( $_POST['password']) > 20 || strlen($_POST['password']) < 4)
{
    $message = 'incorrect length';
}
/*** check the username has only alpha numeric characters ***/
elseif (ctype_alnum($_POST['username']) != true) 
{
    /*** if there is no match ***/
    $message = "Username must be alpha numeric";
}
/*** check the password has only alpha numeric characters ***/
elseif (ctype_alnum($_POST['password']) != true)
{
        /*** if there is no match ***/
        $message = "Password must be alpha numeric";
}
else
{
    /*** if we are here the data is valid and we can insert it into database ***/
    $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
    $password = filter_var($_POST['password'], FILTER_SANITIZE_STRING);

    /*** now we can encrypt the password ***/
    $password = sha1( $password );

    /*** connect to database ***/
    /*** mysql hostname ***/
    $mysql_hostname = 'localhost';

    /*** mysql username ***/
    $mysql_username = 'root';

    /*** mysql password ***/
    $mysql_password = '';

    /*** database name ***/
    $mysql_dbname = 'ges_tache';

    try
    {
        $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
        /*** $message = a message saying we have connected ***/

        /*** set the error mode to excptions ***/
        $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        /*** prepare the select statement ***/
        $stmt = $dbh->prepare("SELECT user_id, username, password FROM membre 
                    WHERE username = :username AND password = :password");

        /*** bind the parameters ***/
        $stmt->bindParam(':username', $username, PDO::PARAM_STR);
        $stmt->bindParam(':password', $password, PDO::PARAM_STR, 40);

        /*** execute the prepared statement ***/
        $stmt->execute();

        /*** check for a result ***/
        $user_id = $stmt->fetchColumn();

        /*** if we have no result then fail boat ***/
        if($user_id == false)
        {
                $message = 'error, please try again later';
        }
        /*** if we do have a result, all is well ***/
        else
        {
                /*** set the session user_id variable ***/
                $_SESSION['user_id'] = $user_id;
                 header('Location: acceuil.html');
                 }


    }
    catch(Exception $e)
    {
        /*** if we are here, something has gone wrong with the database ***/
        $message = 'error"';
    }
}
?>

<html>
<head>
<title>PHPRO Login</title>
</head>
<body>
<p><?php echo $message; ?>
</body>
</html>
0

Looking at your code I have got these questions:

  1. What is the purpose of verification2.php script?
  2. What is the user identifier you want to use for user redirection?

I would do only one script for adding user and one script for login. The following is an example flow for login:

  1. check if form was submited
  2. if yes, check for the user data in the database
  3. if match is found redirect to a user area (a page for authenticated users)
  4. if match is not found display an error message and the form with username already filled-in

The code would be something like:

<?php
// begin session on the very beginning of the script
session_start();

// initialize the username variable for filling in the form after incorrect login
$username = '';

// initialize the array for storing error messages
$messages = array();

// check if form was submitted and if yes, do all the stuff
if(isset($_POST['submit'])) {

    $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
    // no need to filter password since you will hash it
    // actually by filtering it you might unvalidate it

    // hash the password (hashing is not the same as encrypting)
    $password = sha1( $_POST['password'] );
    /*** connect to database ***/
    /*** mysql hostname ***/
    $mysql_hostname = 'localhost';
    /*** mysql username ***/
    $mysql_username = 'root';
    /*** mysql password ***/
    $mysql_password = '';
    /*** database name ***/
    $mysql_dbname = 'ges_tache';
    try
    {
        $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
        /*** set the error mode to excptions ***/
        $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        /*** prepare the select statement ***/
        $stmt = $dbh->prepare("SELECT user_id, username, password FROM membre
            WHERE username = :username AND password = :password");
        /*** bind the parameters ***/
        $stmt->bindParam(':username', $username, PDO::PARAM_STR);
        $stmt->bindParam(':password', $password, PDO::PARAM_STR, 40);
        /*** execute the prepared statement ***/
        $stmt->execute();
        /*** check for a result ***/
        // you can check if a row was found
        // if no rows were found add an error message to the messages array
        if($stmt->rowCount() < 1) {
            $messages[] = 'No match for this username or password';
        } else {
            // if a row was found proceed as normaly
            $user_id = $stmt->fetchColumn();
            $_SESSION['user_id'] = $user_id;
            // redirect to a selected page
            header('Location: acceuil.html')
            // stop the script here for better security
            exit();
        }
    }
    catch(Exception $e)
    {
    /*** if we are here, something has gone wrong with the database ***/
        $messages[] = 'Unknown database error';
    }
}
?>
<!-- Display the html with the form here -->
<html>
<head>
<title> Login</title>
</head>
<body>
<h2>Login Here</h2>

<?php 
// if there are any error messages, display them somewhere, maybe here
if(!empty($messages)) {
    foreach($messages as $m) {
        echo '<div class="error-message">' . $m . '</div>';
    }
}
?>

<!-- Set the form action to this script (#) -->
<form action="#" method="post">
<fieldset>
<p>
<label for="username">username</label>

<!-- echo the $username value into the input to be more user friendly -->
<!-- it is empty string by default or last entered value if login was not successful -->
<input type="text" id="username" name="username" value="<?php echo $username; ?>" maxlength="20" />
</p>
<p>
<label for="password">password</label>
<input type="text" id="password" name="password" value="" maxlength="20" />
</p>
<p>
<input type="submit" value="submit" />
</p>
</fieldset>
</form>
</body>
</html>

Edited by broj1

0

Thank you for help again broj1, i'll answer your question

  1. the script verification2.php is used for adding the login and password of the new user to the database, i think i would tell you that the scripts adduser.php and verification2.php are used only for adding a new user by the administrator because the application will run on a local server
  2. the identifier that i want to use is user_id

so, the application will be used by only three user what i want to do is:

  1. when the application run login page appears
  2. each user have a login and password and user_id and according to them he will be redirected to his specific page:
  • the first must be redirected to acceuil.html
  • the second redirected to acceuil2.html
  • and the last one must be redirected to acceuil3.html

so i hope you help me to do it

0

i add a new field in the form called "groupe" to redirect the user to his own page according to the group that he will select but it doesn't work the code that i used is bellow

login.html

<html>
<head>
<title> Login</title>
</head>

<body>
<h2>Login Here</h2>
<form action="login_submit.php" method="post">
<fieldset>
<p>
<label for="groupe" >groupe</label>

            <select id="groupe" name="groupe">
            <option value="1"> 1 </option>
            <option value="2"> 2 </option>
            <option value="3"> 3 </option>
            </select>                

                            </p>
<p>
<label for="username">username</label>
<input type="text" id="username" name="username" value="" maxlength="20" />
</p>
<p>
<label for="password">password</label>
<input type="password" id="password" name="password" value="" maxlength="20" />
</p>
<p>
<input type="submit" value="submit" />
</p>
</fieldset>
</form>
</body>
</html>

login_submit.php

?php
/*** begin our session ***/
session_start();
/*** check if the users is already logged in ***/
if(isset( $_SESSION['user_id'] ))
{
    $message = 'Users is already logged in';
}
/*** check that both the username, password have been submitted ***/
if(!isset( $_POST['username'], $_POST['password'], $_post['groupe']))
{
    $message = 'login failed';
}
/*** check the username is the correct length ***/
elseif (strlen( $_POST['username']) > 20 || strlen($_POST['username']) < 4)
{
    $message = 'incorrect length';
}
/*** check the password is the correct length ***/
elseif (strlen( $_POST['password']) > 20 || strlen($_POST['password']) < 4)
{
    $message = 'incorrect length';
}
/*** check the username has only alpha numeric characters ***/
elseif (ctype_alnum($_POST['username']) != true) 
{
    /*** if there is no match ***/
    $message = "Username must be alpha numeric";
}
/*** check the password has only alpha numeric characters ***/
elseif (ctype_alnum($_POST['password']) != true)
{
        /*** if there is no match ***/
        $message = "Password must be alpha numeric";
}
else
{
    /*** if we are here the data is valid and we can insert it into database ***/
    $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
    $password = filter_var($_POST['password'], FILTER_SANITIZE_STRING);
    $groupe = filter_var($_POST['groupe'], FILTER_SANITIZE_STRING);
    /*** now we can encrypt the password ***/
    $password = sha1( $password );
    /*** connect to database ***/
    /*** mysql hostname ***/
    $mysql_hostname = 'localhost';
    /*** mysql username ***/
    $mysql_username = 'root';
    /*** mysql password ***/
    $mysql_password = '';
    /*** database name ***/
    $mysql_dbname = 'ges_tache';
    try
    {
        $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);
        /*** $message = a message saying we have connected ***/
        /*** set the error mode to excptions ***/
        $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        /*** prepare the select statement ***/
        $stmt = $dbh->prepare("SELECT user_id,groupe, username, password FROM membre 
                    WHERE groupe = :groupe AND username = :username AND password = :password");
        /*** bind the parameters ***/
        $stmt->bindParam(':groupe', $groupe, PDO::PARAM_STR);
        $stmt->bindParam(':username', $username, PDO::PARAM_STR);
        $stmt->bindParam(':password', $password, PDO::PARAM_STR, 40);

        /*** execute the prepared statement ***/
        $stmt->execute();
        /*** check for a result ***/
        $user_id = $stmt->fetchColumn();
        /*** if we have no result then fail boat ***/
        if($user_id == false)
        {
                $message = 'error, please try again later';
        }
        /*** if we do have a result, all is well ***/
       else
        {
                /*** set the session user_id variable ***/
                $_SESSION['user_id'] = $user_id;
                if ($groupe == "1")
                {
                 header('Location: acceuil.html');
                }
                else if ($groupe == "2")
                {
                    header('Location: acceuil2.html');
                }
                else if($groupe == "3")
                {
                                        header('Location: acceuil3.html');
                }
                  }
    }
    catch(Exception $e)
    {
        /*** if we are here, something has gone wrong with the database ***/
        $message = 'error"';
    }
}
?>
<html>
<head>
<title>PHPRO Login</title>
</head>
<body>
<p><?php echo $message; ?>
</body>
</html>
0

As I said I would use the approach I posted in my previous post. There are many things in your code that I think are redundant, like

/*** check if the users is already logged in ***/
if(isset( $_SESSION['user_id'] ))
{
    $message = 'Users is already logged in';
}

If the user is already logged in just redirect them to their page.

/*** check the username is the correct length ***/
elseif (strlen( $_POST['username']) > 20 || strlen($_POST['username']) < 4)
{
    $message = 'incorrect length';
}
/*** check the password is the correct length ***/
elseif (strlen( $_POST['password']) > 20 || strlen($_POST['password']) < 4)
{
    $message = 'incorrect length';
}
/*** check the username has only alpha numeric characters ***/
elseif (ctype_alnum($_POST['username']) != true)
{
/*** if there is no match ***/
    $message = "Username must be alpha numeric";
}
/*** check the password has only alpha numeric characters ***/
elseif (ctype_alnum($_POST['password']) != true)
{
/*** if there is no match ***/
    $message = "Password must be alpha numeric";
}

Why do you have to do all these checks above? Just check if username and password are correct.

For redirection based on groupe you can use this short code:

$redirections = array(
    1 => 'acceuil.html',
    2 => 'acceuil2.html',
    3 => 'acceuil3.html'
)

...
header("Location: {$redirections[$groupe]}");

You can scale your application by changing or adding groups and the script will still work without a lot of maintenance; you will only have to update the $redirections array.

 /*** if we are here the data is valid and we can insert it into database ***/

You are not doing any insertions here, only selecting.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.