www.webdeveloper.com

Thread: Creating a membership login

  1. #31
    Join Date: Mar 2007 | Location: localhost | Posts: 2,507
    Hi Nicholas Diaz,

    I have looked at your suggestion for a script and I have put below what I feel is a better method for controlling the login issue. It is simplified, and it sanitizes inputs as well, with the addition of a sanitization script that I have tweaked slightly and which was originally from Stack Overflow.

    You should note that a password should never be stored in a database in its RAW format but as a HASH value; this hash value can be MD5 or SHA1. In my example I use MD5.

    I suggest the use of an error.php script to handle any errors that you may want to have reported, handy if you are suppressing errors. This will be up to the individual to decide on how to progress with this.


    Code:
    <?php // save as connect.php
    // we secure this script by testing if a session variable has been set prior to its call
    // (exit after every redirect: header() on its own does not stop the script)
    if( !isset( $_SESSION ) ) { header("Location:error.php?e=404"); exit; }

    // if we do not make a connection then go to the error.php with the error found
    $connection = mysql_connect("localhost","root","");
    if(!$connection) { header("Location:error.php?e=noconnect"); exit; }

    // if we connect but can not select the database then goto error.php with the error
    $ok = mysql_select_db("elite_kenpo", $connection);
    if(!$ok ) { header("Location:error.php?e=nodb"); exit; }
    ?>
    If the database connect.php script is called directly, it will result in invoking the error.php script (not supplied), and you can mimic a 404 error or get the server to force one, which is "Not Found", so that then fools any snoopers.


    Code:
    <?php // save as sanitize.php
    if( !isset( $_SESSION ) ) { header("Location:error.php?e=404"); exit; }

    function sanitize($data) {
        // remove surrounding whitespace (not a must though)
        $data = trim($data);

        // undo the automatic escaping if magic_quotes_gpc is enabled, so it is not escaped twice
        if(get_magic_quotes_gpc()) $data = stripslashes($data);

        // a mySQL connection is required before using this function,
        // so connect.php must be included before sanitize() is called
        return mysql_real_escape_string($data);
    }
    ?>
    Again, if the sanitize.php script is called outside of a session it gets the 404 treatment.

    Code:
    <?php // the login handler that the form posts to
    session_start();
    error_reporting(0);

    // only run when the login form has actually been posted
    // (isset($_POST) on its own is always true, because $_POST is a superglobal)
    if ( isset($_POST['username'], $_POST['password']) ) {
        // load up the database connection script first, then sanitize (it needs the connection)
        include("connect.php");
        include("sanitize.php");

        // create a query string and sanitize the inputs
        // (the md5 output is plain hex, so the password needs hashing, not escaping)
        $query = sprintf("SELECT * FROM `members` WHERE username='%s' AND password='%s' LIMIT 1;--",
            sanitize($_POST['username']), md5($_POST['password']) );

        // get any results
        $result = mysql_query($query);

        // if the number of rows returned is greater than zero then we have a match
        if( $result && mysql_num_rows($result)>0){
            // fetch the user details to set the session variable
            $user = mysql_fetch_assoc($result);

            // set the session variable
            $_SESSION['username']=$user['username'];

            // now go to a different location...
            header("Location:private.php");
            exit;
        }else{
            // if not, then we go to a login failed page
            header("Location:error.php?e=failedlogin");
            exit;
        }
    }
    Any user in the database should be unique, and therefore the parameters in the query are set to pull only the one row that matches: the inputs are cleaned, then the query is run. If there are any results, the row is pulled and the session is set from that result. Validation and checking have been done via the database query; you don't really need to check whether the $_POST variable matches a particular user, because if a user exists they are returned from the database, and if the database returns no result then that user does not exist and can be dealt with accordingly.

    It is possible to make this process shorter but I am not going to go that far; it is enough to say that sanitizing is easily implemented and understood. You will find complicated scripts that try to overdo things, so keep it simple, stupid (KISS) is the best option.
    Yes, I know I'm about as subtle as being hit by a bus..(\\.\ Aug08)
    Yep... I say it like I see it, even if it is like a baseball bat in the nutz... (\\.\ Aug08)
    I want to leave this world the same way I came into it, Screaming, Incontinent & No memory!
    I laughed that hard I burst my colostomy bag... (\\.\ May03)
    Life for some is like a car accident... Mine is like a motorway pile up...

    Problems with Vista? :: Getting Cryptic wid it. :: The 'C' word! :: Whois?
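As an added example (not the poster's code), here is the same login flow written the way it would be done today: PDO prepared statements replace mysql_real_escape_string(), and password_hash()/password_verify() replace the unsalted MD5. It assumes a `members` table with `username` and `password_hash` columns, the latter filled by password_hash() in the signup script, and placeholder database credentials.

```php
<?php
// Added example, not the poster's code. Assumed: a `members` table with
// columns `username` and `password_hash` (output of password_hash()), and a
// dedicated low-privilege DB user whose credentials are placeholders here.
session_start();

function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=elite_kenpo;charset=utf8mb4', 'app_user', 'app_pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares: data never becomes SQL
    ]);
}

// Returns the stored username on success, null on failure. The inputs are bound
// as parameters, so quotes, semicolons or '--' in them need no escaping at all.
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT username, password_hash FROM members WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so an unknown
    // username costs the same time as a wrong password.
    $ok = password_verify($password, $row['password_hash'] ?? $dummy);
    return ($row !== false && $ok) ? $row['username'] : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    // the username is trimmed like the poster's sanitize(); the password is used as typed
    $user = authenticate(db(), trim((string) $_POST['username']), (string) $_POST['password']);
    if ($user === null) {
        header('Location: error.php?e=failedlogin');
        exit; // always stop after a redirect; header() alone does not halt the script
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['username'] = $user;
    header('Location: private.php');
    exit;
}
```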

  2. #32
    Join Date: Aug 2012 | Location: TX | Posts: 293
    Very cool of you to explain that. It's good for people to understand security.

    But for the sake of not confusing someone who is so new to PHP on what a SHA password is, I just thought of showing them a script for making a simple login that works and connects to a database. But since I am continuing to get ridiculed for trying to help someone learn the most simple way possible, I'll go ahead and post a full-on PHP register and login script that will in no way make sense to the person asking the question.

    Can't do it from my phone, but I'll be home in an hour to help confuse people more who come across this thread in the hope of learning something new.

  3. #33
    Join Date: Aug 2012 | Location: TX | Posts: 293
    I am sorry for my earlier post. It's good information; I just don't want to add too much confusion for
    someone who is making a login and does not even know how to create a variable.

    I think it would be helpful if we broke your code down so people who are new can understand
    line by line what you're showing them, considering that your script is not copy and paste
    or plug and play, such as the include files etc.

    Information on SHA and MD5, or keeping your PHP in a separate page from the page with the
    form on it. I guess what I'm saying is, if we're gonna turn this thread into something it's not,
    in this case security, then let's at least explain it and give some references rather than just posting
    a script that a new person won't understand.

    Once again, nice script, and sorry for being a smarty pants.

    Here is a good link to understand what validation and sanitization mean in PHP:

    http://foaa.de/blog/2012/11/27/php-v...-sanitization/
    Last edited by Nicholas Diaz; 06-24-2013 at 02:31 AM.

  4. #34
    Join Date: Mar 2007 | Location: localhost | Posts: 2,507
    SHA and MD5 are hashing algorithms.

    SHA1: http://www.tools4noobs.com/online_php_functions/sha1/

    So if you had the password mypassword1, the resulting SHA1 hash in the database would be 099ec7fa52c154f08e0876a09edabd37c39f45a5

    and the MD5 version of mypassword1 (http://www.tools4noobs.com/online_php_functions/md5/) would be 0d28e4080dc8f64fc9603639bb7aa1b9

    The idea of hashing a password is that you don't store mypassword1, so that should the login table get hacked, the users' passwords are not readily available, and obtaining the real password means crunching with rainbow tables. Once the passwords are cracked by a rainbow hack, it makes login on any account easier; the time involved, though, means that a proper hack would be targeting the admin's password and login. They are often the weakest link in any system because admins are notoriously lazy at setting a good example.

    A good password is one that looks like this:

    Xxxxxxnnnn?

    Where X is a capital letter, x is any other letter in lower and/or upper case, followed by at least 4 digits and a non-standard character like ?, @, # etc. For obvious reasons " and ' and < > are not good to use as non-standard characters.

    It is always best to avoid human-readable password types like Pencil & Orange, as well as pet names using numbers that represent birth dates etc.

    As for smarty pants, far from it; we all start from somewhere, and as time passes our knowledge grows. Compared to my brother-in-law I am what you might call a dumb-assed redneck; he makes his living with his own IT consultancy.

    I can only apply what I have learned from the many hours of study on subjects, practical training I have undertaken and applied knowledge in certain areas like network security, network administration and programming.

    One bit of advice: while it is a nice idea, you will on your travels find JavaScript sanitization... not a good idea. Nice idea, but not a good idea to load one's eggs in that basket, if you follow... If you want to apply hashing and validation, then it's fine as a step towards trying to narrow the field of rogue data, but remember... JavaScript can be turned off!
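As an added example (not the poster's code), a server-side check for the Xxxxxxnnnn? pattern described above, which cannot be switched off the way client-side JavaScript can, plus a small demonstration of the rainbow-table point: an unsalted MD5 or SHA1 digest is identical for everyone using that password, while password_hash() output is salted and differs on every call. The sample passwords are constructed.

```php
<?php
// Added example, not the poster's code. The policy regexes implement the
// Xxxxxxnnnn? rule from the post; the sample passwords are constructed.

// Returns the list of rule violations; an empty array means the password passes.
function check_password_policy(string $pw): array
{
    $errors = [];
    if (!preg_match('/^[A-Z]/', $pw)) {
        $errors[] = 'must start with a capital letter';
    }
    if (!preg_match('/^[A-Z][A-Za-z]+[0-9]/', $pw)) {
        $errors[] = 'the capital letter must be followed by more letters, then digits';
    }
    if (!preg_match('/[A-Za-z][0-9]{4,}[^0-9]*$/', $pw)) {
        $errors[] = 'the letters must be followed by at least 4 digits';
    }
    // last character must be non-alphanumeric, but not " ' < or > (see the post above)
    if (!preg_match('/[0-9][^A-Za-z0-9\s"\'<>]$/', $pw)) {
        $errors[] = 'must end with one non-standard character other than " \' < >';
    }
    return $errors;
}

// Unsalted digest: identical for every user with this password, so a single
// precomputed table of digests (a rainbow table) cracks all of them at once.
function unsalted_digests(string $pw): array
{
    return ['md5' => md5($pw), 'sha1' => sha1($pw)];
}

// Salted, deliberately slow hash: each call embeds a random salt, so the same
// password yields different hashes and each one must be attacked on its own.
function salted_hashes(string $pw): array
{
    return [password_hash($pw, PASSWORD_DEFAULT), password_hash($pw, PASSWORD_DEFAULT)];
}

print_r(check_password_policy('mypassword1'));  // constructed sample that breaks the pattern
print_r(check_password_policy('Secret1234?'));  // constructed sample that satisfies it
print_r(unsalted_digests('mypassword1'));       // compare with the values quoted in the post
[$h1, $h2] = salted_hashes('mypassword1');
// two different hashes that nevertheless both verify the same password
var_dump($h1 !== $h2, password_verify('mypassword1', $h1), password_verify('mypassword1', $h2));
```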

  5. #35
    Join Date: Mar 2007 | Location: localhost | Posts: 2,507
    Just noticed my typo...

    PHP Code:
    if ( isset($_POST) ) {
        // load up the sanitize and database connection script
        include("sanitize.php");
        include("connect.php");
    Should be

    PHP Code:
    if ( isset($_POST) ) {
        // load up the sanitize and database connection script
        include("connect.php");
        include("sanitize.php");

  6. #36
    Join Date: Mar 2007 | Location: localhost | Posts: 2,507
    Ooops...

    PHP Code:
    // if the number of rows returned is greater than zero then we have a match
    if( mysql_num_rows($query)>0){
    Should be

    PHP Code:
    // if the number of rows returned is greater than zero then we have a match
    if( mysql_num_rows($result)>0){
    This is the problem with hasty hacks...

    Anyway, you get the idea.
