Thread: Creating a membership login

  1. #31
    Join Date
    Mar 2007
    Hi Nicholas Diaz

    I have looked at your suggestion for a script and I have put below what I feel is a better method for controlling the login issue. It is simplified, and it is sanitizing inputs as well, with the addition of a sanitization script that I have tweaked slightly and which was originally from Stack Overflow.

    You should note that any password should never be stored in a database in its RAW format but as a HASH value; this hash value can be MD5 or SHA1. In my example I use MD5.

    I suggest a use of an error.php script to handle any errors that you may want to have reported, handy if you are suppressing errors. This will be up to the individual to decide on how to progress with this

    <?php // save as connect.php
    // we secure this script by testing if a session variable has been set prior to its call
    // (exit after each redirect so nothing below it keeps running)
    if( !isset( $_SESSION ) ) { header("Location:error.php?e=404"); exit; }
      // if we do not make a connection then go to the error.php with the error found
      $connection = mysql_connect("localhost","root","") or false;
      if(!$connection) { header("Location:error.php?e=noconnect"); exit; }
      // if we connect but can not select the database then goto error.php with the error
      $ok = mysql_select_db("elite_kenpo") or false;
      if(!$ok ) { header("Location:error.php?e=nodb"); exit; }
    If the database connect.php script is called directly then it will result in invoking the error.php script (not supplied), and you can mimic, or get the server to force, a 404 error which is "Not Found", so that then fools any snoopers.

    <?php // save as sanitize.php
    if( !isset( $_SESSION ) ) { header("Location:error.php?e=404"); exit; }
    function sanitize($data) {
    	// remove whitespaces (not a must though)
    	$data = trim($data);
    	// apply stripslashes if magic_quotes_gpc is enabled (the function no longer exists on PHP 8, hence the function_exists guard)
    	if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) $data = stripslashes($data);
    	// a mySQL connection is required before using this function
    	return mysql_real_escape_string($data);
    }
    Again, if the sanitize.php script is called outside of a session it gets the 404 treatment.

    // is the $_POST variable set? this if set indicates that the POST VARIABLE has data
    if ( isset($_POST) ) {
    	// load up the sanitize and database connection script
    	include ("connect.php") ;
    	// create a query string and sanitize the inputs 
    	$query = sprintf("SELECT * FROM `members` WHERE username='%s' AND password='%s' LIMIT 1;--",
    		sanitize($_POST['username']), md5(sanitize($_POST['password'])) );
    	// get any results
    	$result = mysql_query($query);
    	// if the number of rows returned is greater than zero then we have a match
    	if( mysql_num_rows($query)>0){
    		// fetch the user details to set the session variable
    		$user = mysql_fetch_assoc($result);
    		// set the session variable
    		// now go to a different location...
    	} else {
    		// if not, then we go to a login failed page 
    	}
    }
    Any user in the database should be unique, and therefore the parameters in the query are set to pull only one row that matches: the inputs are cleaned, then the query is cleaned for the SQL query to run. If there are any results then the row is pulled and then the session is set from that result. Validation and checking has been done via a database query; you don't really need to do any checking of whether the $_POST variable matches a particular user, because if a user exists, they are called from the database, and if the database returns no result then that user does not exist and can be dealt with accordingly.

    It is possible to make this process shorter but I am not going to go that far; it is enough to say that sanitizing is easily implemented and understood. You will find complicated scripts that try to overdo things, so keep it simple, stupid (KISS) is the best option.
    --> JavaScript Frameworks like JQuery, Angular, Node <--
    ... and please remember to wrap code with forum BBCode tags:-

    [CODE]...[/CODE] [HTML]...[/HTML] [PHP]...[/PHP]

    If you can't think outside the box, you will be trapped forever with no escape...
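The post above builds the query by escaping each input and comparing an MD5 of the password inside the SQL. Two things a practitioner would want to check before copying it: escaping only protects quoted string contexts and depends on the connection's character set (magic_quotes_gpc was removed in PHP 5.4 and the whole mysql_* extension in PHP 7), and `isset($_POST)` is true on every request, so that branch runs even when no form was submitted. What follows is an added example, not the poster's code and not part of the original thread, that keeps the same flow (look up one row by username, then check the password) using PDO prepared statements and password_hash()/password_verify(). The `members` table, the `alice` account and the attack strings are constructed for the demo; the SQLite DSN, the function names and the session key are assumptions of mine, not anything from the thread.

```php
<?php
// Added example, not the poster's code: the same username/password check
// built on PDO prepared statements and password_hash()/password_verify().
// An in-memory SQLite database with a constructed "members" table lets it run
// stand-alone from the command line; a real deployment would point the DSN at
// MySQL with a low-privilege account, never root.

function create_members_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (
        id            INTEGER PRIMARY KEY,
        username      TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL)');
    return $db;
}

// Registration stores a salted, deliberately slow hash (bcrypt for
// PASSWORD_DEFAULT at the time of writing), never the raw password or an MD5.
function register_member(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO members (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login. The username is a bound parameter, so whatever it contains is
// compared as data and can never change the shape of the statement. The
// password never reaches the database at all; it is checked against the
// stored hash in PHP. Returns the member row (without the hash) or null.
function login_member(PDO $db, string $username, string $password): ?array
{
    // Hash to verify against when the username does not exist, so an unknown
    // user costs the same time as a wrong password and the response does not
    // reveal which usernames are valid.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT id, username, password_hash FROM members WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $ok = password_verify($password, $row['password_hash'] ?? $dummyHash);
    if ($row === false || !$ok) {
        return null;
    }
    return ['id' => $row['id'], 'username' => $row['username']];
}

// After a successful login, bind the result to a fresh session id so a session
// id planted before login cannot be reused (session fixation). Called from the
// web handler, not from this command-line demo; the key name is an assumption.
function start_member_session(array $member): void
{
    session_regenerate_id(true);
    $_SESSION['member_id'] = $member['id'];
}

// --- demo with constructed data ---
$db = create_members_store();
register_member($db, 'alice', 'mypassword1');

$attempts = [
    ['alice', 'mypassword1'],                       // correct credentials
    ['alice', 'wrongpassword'],                     // wrong password
    ['mallory', 'mypassword1'],                     // unknown user
    ["alice' OR '1'='1", 'anything'],               // classic injection payload as username
    ["alice'; -- ", 'anything'],                    // comment-out payload
    ["x' UNION SELECT 1,'alice','' --", 'anything'], // union payload
];
foreach ($attempts as [$u, $p]) {
    $member = login_member($db, $u, $p);
    printf("%-40s -> %s\n", json_encode($u),
        $member ? 'login OK as ' . $member['username'] : 'login failed');
}
```

Only the first attempt succeeds: the injection strings are looked up as literal usernames and match nothing, because the statement's structure is fixed before the values are bound. The same holds when the DSN points at MySQL; no escaping function is involved anywhere.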

  2. #32
    Join Date
    Aug 2012
    Very cool of you to explain that. It's good for people to understand security..

    But for the sake of not confusing someone who is so new to PHP on what a SHA password is, I just thought of showing them a script for making a simple login that works and connects to a database. But since I am continuing to get ridiculed for trying to help someone learn the most simple way possible, I'll go ahead and post a full-on PHP register and login script that will in no way make sense to the person asking the question.

    Can't do it from my phone but I'll be home in an hour to help confuse people more who come across this thread in the hope of learning something new.

  3. #33
    Join Date
    Aug 2012
    I am sorry for my earlier post. It's good information; I just don't want to add too much confusion to
    someone who is making a login and does not even know how to create a variable.

    I think it would be helpful if we broke your code down so people who are new can understand
    line by line what you are showing them, considering that your script is not copy and paste
    or plug and play, such as the include files etc.

    Information on SHA and MD5, or keeping your PHP in a separate page from the page with the
    form on it. I guess what I'm saying is, if we're gonna turn this thread into something it's not,
    in this case security, then let's at least explain it and give some references rather than just posting
    a script that a new person won't understand.

    Once again, nice script and sorry for being a smarty pants.

    Here is a good link to understand what validation and sanitization means in PHP:

    Last edited by Nicholas Diaz; 06-24-2013 at 01:31 AM.

  4. #34
    Join Date
    Mar 2007
    SHA and MD5 are hashing algorithms.

    SHA1 http://www.tools4noobs.com/online_php_functions/sha1/

    So if you had the password mypassword1, the resulting SHA1 hash in the database would be 099ec7fa52c154f08e0876a09edabd37c39f45a5

    and the MD5 version of mypassword1 http://www.tools4noobs.com/online_php_functions/md5/ would be 0d28e4080dc8f64fc9603639bb7aa1b9

    The idea of hashing a password is that you don't store mypassword1, so that should the login table get hacked, the users' passwords are not readily available, and any crunching to obtain the real password means using rainbow tables. Once the passwords are cracked by a rainbow hack, it makes login on any account easier; the time involved, though, means that a proper hack would be targeting the Admin's password and login. They are often the weakest link in any system because admins are notoriously lazy at setting a good example.

    A good password is one that looks like this


    Where X is a capital letter, x is any other letter in lower and/or upper case, followed by at least 4 digits and a non-standard character like ?, @, # etc. For obvious reasons " and ' and < > are not good to use as non-standard characters.

    It is always best to avoid human readable password types like Pencil & Orange as well as pet names using numbers that represent birth dates etc.

    As for smarty pants, far from it; we all start from somewhere and as time passes our knowledge grows. Compared to my brother-in-law I am what you might call a dumb-assed redneck; he makes his living with his own IT consultancy.

    I can only apply what I have learned from the many hours of study on subjects, practical training I have undertaken, and applied knowledge in certain areas like network security, network administration and programming.

    One bit of advice: while it is a nice idea, you will on your travels find JavaScript sanitization... not a good idea. Nice idea, but not a good idea to load one's eggs in that basket, if you follow... If you want to apply hashing and validation, then it's fine as a step towards trying to narrow the field of rogue data, but remember... JavaScript can be turned off!
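To make the rainbow-table point in the post above concrete, here is an added example that is not part of the thread. It plays both sides on a constructed member list: a stolen table of unsalted MD5 digests is reversed with a small precomputed lookup table in a single pass (the same password always gives the same digest, so two users who chose the same password even expose each other), while the same passwords stored with PHP's password_hash() each get a random salt, so the precomputed table matches nothing and yet password_verify() still works. The users, passwords and wordlist are constructed for the demo and the function names are my own.

```php
<?php
// Added example, not from the thread: why an unsalted MD5 (or SHA1) of a
// password is cheap to reverse with a precomputed lookup table, and what a
// salted, slow hash changes. The member list and the tiny "wordlist" below are
// constructed for the demo.

// A stolen login table as post #34 describes it: one unsalted digest per user.
function unsalted_table(array $users, string $algo = 'md5'): array
{
    $rows = [];
    foreach ($users as $name => $password) {
        $rows[$name] = hash($algo, $password);
    }
    return $rows;
}

// The attacker's side. Each candidate is hashed once and indexed by digest;
// afterwards every stolen digest costs one array lookup. A real rainbow or
// lookup table holds billions of candidates, but the principle is identical.
function build_lookup(array $wordlist, string $algo = 'md5'): array
{
    $table = [];
    foreach ($wordlist as $candidate) {
        $table[hash($algo, $candidate)] = $candidate;
    }
    return $table;
}

function crack_with_lookup(array $stolen, array $lookup): array
{
    $recovered = [];
    foreach ($stolen as $name => $digest) {
        if (isset($lookup[$digest])) {
            $recovered[$name] = $lookup[$digest];
        }
    }
    return $recovered;
}

// The defender's side. password_hash() draws a random salt per call and uses a
// deliberately slow algorithm (bcrypt for PASSWORD_DEFAULT today), so the same
// password yields a different string in every row and a table built in advance
// matches none of them.
function salted_table(array $users): array
{
    $rows = [];
    foreach ($users as $name => $password) {
        $rows[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $rows;
}

// --- demo with constructed data ---
$users = [
    'admin' => 'mypassword1',   // the thread's sample password
    'bob'   => 'Orange',        // a "human readable" password
    'carol' => 'Orange',        // same password as bob
    'dave'  => 'Tk4p!2q9Lz#7',  // closer to the pattern post #34 recommends
];
$wordlist = ['123456', 'password', 'Pencil', 'Orange', 'mypassword1', 'letmein'];

$stolen = unsalted_table($users);
echo "Unsalted MD5 table (note bob and carol share a digest):\n";
foreach ($stolen as $name => $digest) {
    echo "  $name: $digest\n";
}
$recovered = crack_with_lookup($stolen, build_lookup($wordlist));
echo "Recovered from unsalted MD5: " . json_encode($recovered) . "\n";

$salted = salted_table($users);
echo "Salted hashes (bob and carol no longer match):\n";
foreach ($salted as $name => $h) {
    echo "  $name: $h\n";
}
$recoveredSalted = crack_with_lookup($salted, build_lookup($wordlist));
echo "Recovered from salted table: " . json_encode($recoveredSalted) . "\n";

// The legitimate check still works, and the same call rejects a wrong guess.
echo "verify admin/mypassword1: " . var_export(password_verify('mypassword1', $salted['admin']), true) . "\n";
echo "verify admin/Orange:      " . var_export(password_verify('Orange', $salted['admin']), true) . "\n";
```

Running it recovers admin, bob and carol from the MD5 table in one pass (dave's password is simply not in the list, which is the only protection an unsalted hash offers), and recovers nobody from the salted table. Salting does not make a weak password strong; an attacker can still guess per account, but each guess now costs a bcrypt computation and cannot be shared across users or precomputed. That is the reason to use password_hash() rather than MD5 or SHA1 for stored passwords.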

  5. #35
    Join Date
    Mar 2007
    Just noticed my typo...

    PHP Code:
    if ( isset($_POST) ) {
    // load up the sanitize and database connection script
        include ("connect.php") ;
    Should be

    PHP Code:
    if ( isset($_POST) ) {
    // load up the sanitize and database connection script

  6. #36
    Join Date
    Mar 2007
    PHP Code:
    // if the number of rows returned is greater than zero then we have a match
    if( mysql_num_rows($query)>0){ 
    Should be

    PHP Code:
    // if the number of rows returned is greater than zero then we have a match
    if( mysql_num_rows($result)>0){ 
    This is the problem with hasty hacks...

    Anyway, you get the idea.
