www.webdeveloper.com

Thread: My PHP login system

  1. #1
    Join Date
    Mar 2008
    Location
    Gulf Breeze, Florida
    Posts
    171

    My PHP login system

    What do you think about this PHP login system I created? Any comments or suggestions?

    PHP Code:
    session_start();

    // Per-session counters of failed attempts, used for the "forgot" hints below
    if (!isset($_SESSION['forgotClient'])) {
        $_SESSION['forgotClient'] = 0;
    }

    if (!isset($_SESSION['forgotPassword'])) {
        $_SESSION['forgotPassword'] = 0;
    }

    require("databaseConnect.php");

    if (isset($_POST['login'])) {
        $success = 0;
        $empty = 0;

        $client = strtolower($_POST["client"]);
        $clientPassword = $_POST["password"];
        $password = md5($_POST["password"]);

        // Check the client name on its own
        if (!empty($client)) {
            $clientQuery = "SELECT * FROM Clients WHERE client='$client'";
            $clientResult = mysql_query($clientQuery);
            while ($clientCheck = mysql_fetch_array($clientResult)) {
                if (in_array($client, $clientCheck)) {
                    $success++;
                    $clientValid = "true";
                    $_SESSION['forgotClient'] = 0;
                }
            }
            if (isset($clientValid)) {
                $_SESSION['remeberClient'] = ucwords($client);
                $rememberClient = "true";
            } else {
                $_SESSION['loginMessage'] = "clientInvalid";
            }
        } else {
            $_SESSION['loginMessage'] = "clientEmpty";
            $empty++;
        }

        // Check the password hash on its own
        if (!empty($clientPassword)) {
            $passwordQuery = "SELECT * FROM Clients WHERE password='$password'";
            $passwordResult = mysql_query($passwordQuery);
            while ($passwordCheck = mysql_fetch_array($passwordResult)) {
                if (in_array($password, $passwordCheck)) {
                    $success++;
                    $passwordValid = "true";
                    $_SESSION['forgotPassword'] = 0;
                }
            }
            if (isset($passwordValid)) {
                //Password Is Valid
            } else {
                $_SESSION['loginMessage'] = "passwordInvalid";
            }
        } else {
            $_SESSION['loginMessage'] = "passwordEmpty";
            $empty++;
        }

        if ($empty == 2) {
            $_SESSION['loginMessage'] = "bothEmpty";
        }

        if ($empty == 1) {
            if (empty($clientPassword)) {
                if (isset($clientValid)) {
                    $_SESSION['loginMessage'] = "clientValidPasswordEmpty";
                    $_SESSION['remeberClient'] = ucwords($client);
                    $rememberClient = "true";
                    $_SESSION['forgotClient'] = 0;
                } else {
                    $_SESSION['loginMessage'] = "clientInvalidPasswordEmpty";
                }
            }
            if (empty($client)) {
                if (isset($passwordValid)) {
                    $_SESSION['loginMessage'] = "passwordValidClientEmpty";
                    $_SESSION['forgotPassword'] = 0;
                } else {
                    $_SESSION['loginMessage'] = "passwordInvalidClientEmpty";
                }
            }
        }

        // Both fields filled in: check that they belong to the same row
        if ($empty == 0) {
            $bothQuery = "SELECT * FROM Clients WHERE client='$client' AND password='$password'";
            $bothResult = mysql_query($bothQuery);
            $bothCheck = mysql_num_rows($bothResult);

            if ($bothCheck == 1) {
                $success++;
            }

            if ($success == 0) {
                $_SESSION['loginMessage'] = "bothInvalid";
            }

            if ($success == 3) {
                $_SESSION['loginMessage'] = "none";
                $_SESSION['client'] = $client;
                header("location: clientPage.php");
            }
        }
    }
    //Is set

    // Count failed attempts per field
    switch ($_SESSION['loginMessage']) {
        case "clientInvalid":
            $_SESSION['forgotClient']++;
            break;

        case "clientInvalidPasswordEmpty":
            $_SESSION['forgotClient']++;
            break;

        case "passwordInvalid":
            $_SESSION['forgotPassword']++;
            break;

        case "passwordInvalidClientEmpty":
            $_SESSION['forgotPassword']++;
            break;
    }

    if ($_SESSION['forgotClient'] >= 3) {
        $_SESSION['loginMessage'] = "clientForgot";
    }

    if ($_SESSION['forgotPassword'] >= 3) {
        $_SESSION['loginMessage'] = "passwordForgot";
    }

    // Pre-fill the client field when the client name was valid
    if ($rememberClient == "true") {
        $clientValue = $_SESSION['remeberClient'];
        $clientField = "<input type=\"text\" name=\"client\" class=\"loginField\" value=\"$clientValue\"/>\n";
    } else {
        $clientField = "<input type=\"text\" name=\"client\" class=\"loginField\"/>\n";
    }

    // Map the message code to the text shown on the login form
    switch ($_SESSION['loginMessage']) {
        case "notLogged":
            $displayMessage = "true";
            $loginMessage = "You are not logged in";
            break;

        case "clientInvalid":
            $displayMessage = "true";
            $loginMessage = "Invalid Client Name";
            break;

        case "passwordInvalid":
            $displayMessage = "true";
            $loginMessage = "Invalid Password";
            break;

        case "bothInvalid":
            $displayMessage = "true";
            $loginMessage = "Invalid Client and Password";
            break;

        case "clientEmpty":
            $displayMessage = "true";
            $loginMessage = "Please Enter Client Name";
            break;

        case "passwordEmpty":
            $displayMessage = "true";
            $loginMessage = "Please Enter Your Password";
            break;

        case "bothEmpty":
            $displayMessage = "true";
            $loginMessage = "You Didn't Type Anything";
            break;

        case "clientValidPasswordEmpty":
            $displayMessage = "true";
            $loginMessage = "Please Enter Your Password";
            break;

        case "clientInvalidPasswordEmpty":
            $displayMessage = "true";
            $loginMessage = "Invalid Client, Missing Password";
            break;

        case "passwordValidClientEmpty":
            $displayMessage = "true";
            $loginMessage = "Please Enter Client Name";
            break;

        case "passwordInvalidClientEmpty":
            $displayMessage = "true";
            $loginMessage = "Invalid Password, Missing Client";
            break;

        case "clientForgot":
            $displayMessage = "true";
            $loginMessage = "Forgot Client Name? <a href=\"http://www.greyfishcreative.com/forgot\">Click Here</a>";
            break;

        case "passwordForgot":
            $displayMessage = "true";
            $loginMessage = "Forgot Password? <a href=\"http://www.greyfishcreative.com/forgot\">Click Here</a>";
            break;

        case "bothForgot":
            $displayMessage = "true";
            $loginMessage = "Forget Everything? <a href=\"http://www.greyfishcreative.com/forgot\">Click Here</a>";
            break;

        default:
            $displayMessage = "false";
            break;
    }


  2. #2
    Join Date
    Jun 2003
    Location
    here
    Posts
    4,551
    I'd be careful. A well chosen collection of characters could easily do some damage:
    PHP Code:
        $clientQuery = "SELECT * FROM Clients WHERE client='$client'";
    imagine $client is
    Code:
    '; DROP TABLE Clients WHERE ''='
    this will result in the query:
    Code:
    SELECT * FROM Clients WHERE client=''; DROP TABLE Clients WHERE ''=''
    which could be very dangerous for your information. Either check for bad data, or block it using mysql_real_escape_string
    If you are using PHP please use the [PHP] and [/PHP] forum tags for highlighting...
    The same applies to HTML and the forums [HTML][/HTML] tags.

  3. #3
    Join Date
    Mar 2008
    Location
    Gulf Breeze, Florida
    Posts
    171
    Could I use preg_match to check for characters A-Z and 0-9?

  4. #4
    Join Date
    Apr 2007
    Posts
    133
    This example will validate/check for upper and lowercase plus numbers. If text field foo needs to include spaces add a space after the underscore like so [a-zA-Z0-9_ -]
    PHP Code:
    if (preg_match('/^[a-zA-Z0-9_-]{4,}$/i', $_POST['foo'])) {
        $foo = $_POST['foo'];
    } else {
        $error1 .= "Required! min 4";
        $errcount++;
    }
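
Added example, not part of any post in this thread: the two suggestions above (validate the client name against an allowlist, keep user input out of the SQL text) combined into one login check, using PDO placeholders instead of `mysql_real_escape_string`. The `checkLogin` helper, the in-memory SQLite table and the sample account are constructed for illustration, and the `pdo_sqlite` extension is assumed to be available.

```php
<?php
// Added example. Constructed in-memory table standing in for the thread's Clients table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Clients (client TEXT PRIMARY KEY, password TEXT)');
$seed = $db->prepare('INSERT INTO Clients (client, password) VALUES (?, ?)');
// md5() only mirrors the column format used in the thread's code;
// password_hash() / password_verify() are PHP's current password-storage API.
$seed->execute(['acme', md5('constructed-password')]);

// Hypothetical helper: allowlist check, then ONE parameterized query for both values.
function checkLogin(PDO $db, string $client, string $plainPassword): bool
{
    $client = strtolower($client);
    // Allowlist from the reply above: letters, digits, "_" and "-", at least 4 characters.
    if (!preg_match('/^[a-z0-9_-]{4,}$/', $client)) {
        return false;
    }
    // Placeholders send the values separately from the SQL text, so quotes
    // in the input cannot end the string literal or start a new statement.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM Clients WHERE client = :client AND password = :password'
    );
    $stmt->execute([':client' => $client, ':password' => md5($plainPassword)]);
    return (int) $stmt->fetchColumn() === 1;
}

// Input string quoted from the warning earlier in the thread.
$quoted = "'; DROP TABLE Clients WHERE ''='";

echo 'valid login:         ', var_export(checkLogin($db, 'acme', 'constructed-password'), true), "\n";
echo 'wrong password:      ', var_export(checkLogin($db, 'acme', 'nope'), true), "\n";
echo 'quoted input:        ', var_export(checkLogin($db, $quoted, 'x'), true), "\n";

// Even with the allowlist skipped, a bound value is only ever compared as data.
$stmt = $db->prepare('SELECT COUNT(*) FROM Clients WHERE client = ?');
$stmt->execute([$quoted]);
echo 'rows matching it:    ', (int) $stmt->fetchColumn(), "\n";
echo 'rows still in table: ', (int) $db->query('SELECT COUNT(*) FROM Clients')->fetchColumn(), "\n";
```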

  5. #5
    Join Date
    Aug 2005
    Location
    The Garden State
    Posts
    5,634
    Quote Originally Posted by scragar
    I'd be careful. A well chosen collection of characters could easily do some damage:
    PHP Code:
        $clientQuery = "SELECT * FROM Clients WHERE client='$client'";
    imagine $client is
    Code:
    '; DROP TABLE Clients WHERE ''='
    this will result in the query:
    Code:
    SELECT * FROM Clients WHERE client=''; DROP TABLE Clients WHERE ''=''
    which could be very dangerous for your information. Either check for bad data, or block it using mysql_real_escape_string
    Of course, that warning only applies if the user that the app is running as has the DROP TABLE privilege. If your user only has SELECT/INSERT/UPDATE/DELETE, you have no worries.

    Also, there is no where clause in the drop table statement.

  6. #6
    Join Date
    Mar 2008
    Location
    Gulf Breeze, Florida
    Posts
    171
    Thank you everyone for your help!

  7. #7
    Join Date
    Jun 2003
    Location
    here
    Posts
    4,551
    Quote Originally Posted by chazzy
    Of course, that warning only applies if the user that the app is running as has the DROP TABLE privilege. If your user only has SELECT/INSERT/UPDATE/DELETE, you have no worries.

    Also, there is no where clause in the drop table statement.
    I know there is no where clause in DROP, but for some reason my test still deleted the table (although it threw an error as well, strange behaviour).

    The query was not an example to run (since the table name would have become lower case and no longer match), however it served to point out the very real dangers of not testing or validating inputs.
