This topic contains 9 replies, has 4 voices, and was last updated by Sean Sean 3 years, 5 months ago.

How to implement php and mysql in login page?


  • lleflon
    Participant

    Posts: 28
    Member Reply #1147

    Hello,

    My example utilisation

    Using Admin4 login.html rename to login.php

     

    SQL Dump

    SET FOREIGN_KEY_CHECKS=0;

    -- ----------------------------
    -- Table structure for members
    -- ----------------------------
    DROP TABLE IF EXISTS members;
    CREATE TABLE members (
    member_id int(11) unsigned NOT NULL AUTO_INCREMENT,
    username varchar(50) NOT NULL,
    prenom varchar(30) NOT NULL,
    nom varchar(30) NOT NULL,
    password varchar(32) NOT NULL DEFAULT '',
    location varchar(150) NOT NULL,
    level decimal(1,0) NOT NULL,
    email varchar(50) NOT NULL,
    PRIMARY KEY (member_id)
    ) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=utf8 ROW_FORMAT=DYNAMIC;

     

    field "location" is the page loaded after login

    level is user level

     

    In top login.php

     

    <?php
    // Start session
    session_start();
    header("Pragma: no-cache");
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-cache, must-revalidate");

    require_once("connexion.php");
    // require_once("debug.conf_2.php");

    // Form posted either via the submit button or via the hidden "action" field (Enter key)
    if((($_POST['submit_login'] == 'login') OR ($_POST['action'] == 'action_login')) AND ($_POST['username'] != '') AND ($_POST['password'] != ''))
    {
    // exit;
    // Create query: POST values are concatenated directly into the SQL string
    $qry="SELECT * FROM members WHERE username ='". $_POST['username']."' AND password='".md5($_POST['password'])."'";
    $result=mysql_query($qry);

    // Check whether the query was successful or not
    if($result) {
    if(mysql_num_rows($result) == 1) {
    // Login successful: copy the member row into the session
    session_regenerate_id();
    $member = mysql_fetch_assoc($result);
    $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
    $_SESSION['SESS_USERNAME'] = $member['username'];
    $_SESSION['SESS_PRENOM'] = $member['prenom'];
    $_SESSION['SESS_NOM'] = $member['nom'];
    $_SESSION['SESS_LOCATION'] = $member['location'];
    $_SESSION['SESS_LEVEL'] = $member['level'];
    session_write_close();

    header("Location: ".$_SESSION['SESS_LOCATION']."");
    exit();
    }else{
    $_SESSION['SESS_LOGIN_FAILED'] = 'Nom utilisateur ou Mot de passe incorrect';
    // Login failed
    header("location: index.php");
    exit();
    }
    }

    }

    ?>

    .

    .

    .

    <!-- BEGIN LOGIN FORM -->
    <form class="login-form" action="<?php echo $_SERVER['PHP_SELF']?>" method="post" id="login">
    <h3 class="form-title">Connectez-vous</h3>
    <?php if ($_SESSION['SESS_LOGIN_FAILED'] != ''){
    echo '<div class="alert alert-danger">';
    echo '    <p>';
    echo $_SESSION['SESS_LOGIN_FAILED'];
    echo '    </p>';
    echo '</div>';
    // Reset Session
    session_unset();
    session_destroy();
    $_SESSION = array();
    }
    ?>
    <div class="alert alert-danger display-hide">
    <button class="close" data-close="alert"></button>
    <span>
    Entrez un nom d'utilisateur et un mot de passe. </span>
    </div>
    <div class="form-group">
    <!--ie8, ie9 does not support html5 placeholder, so we just show field title for that-->
    <label class="control-label visible-ie8 visible-ie9">Nom Utilisateur</label>
    <input class="form-control form-control-solid placeholder-no-fix" type="text" autocomplete="off" placeholder="Nom Utilisateur" name="username"/>
    </div>
    <div class="form-group">
    <label class="control-label visible-ie8 visible-ie9">Mot de Passe</label>
    <input class="form-control form-control-solid placeholder-no-fix" type="password" autocomplete="off" placeholder="Mot de Passe" name="password" />
    </div>
    <div class="form-actions">
    <input type="hidden" name="action" value="action_login">
    <button type="submit" name="submit_login" value="login" class="btn btn-success uppercase">Connexion</button>
    <label class="rememberme check">
    <input type="checkbox" name="remember" value="1"/>Se souvenir </label>
    Mot de passe oublié?
    </div>

    <div class="login-options">
    <h4>Ou connectez-vous avec</h4>
    <ul class="social-icons">
    </ul>
    </div>
    <div class="create-account">
    <p>
    Créer un compte
    </p>
    </div>
    </form>
    <!-- END LOGIN FORM -->

    action="<?php echo $_SERVER['PHP_SELF']?>"

    reload login.php with $_POST variables

    if((($_POST[‘submit_login’] == ‘login’) OR…………

    check in Mysql database

    if user exist load page in field database “location” (example : dashboard.php)

    If user not exist, reload blank login.php with error message $_SESSION['SESS_LOGIN_FAILED'] and clear all $_SESSION variables.

     

    Hoping that this will help you

    Regards

     

    • This reply was modified 3 years, 6 months ago by  lleflon.
    Sean
    Keymaster

    Posts: 4527
    Support Staff Reply #1156

    Hi :),

    Great! Thanks for sharing this. It would be even better if you provide the code as attachment so users can easily download the file.

    Thanks.


    lleflon
    Participant

    Posts: 28
    Member Reply #1157

    Hi,

    Ok, I’ll do a package with all files for demo

    Regards


    lleflon
    Participant

    Posts: 28
    Member Reply #1163

    Hi,
    Copy
    connexion.conf.php
    demo.php
    login.php
    in metronic_v3.9/theme/templates/admin4/

    members.sql is Dump Mysql members table
    user : demo
    password : demo (in MD5)

    Start login.php, use name and password, if login Ok, demo.php file is loaded automatically and all variable session appear.
    in this demo, only the login is processed (not forget password and create an account)
    But the form is configured.

    In login.php, why this line
    <input type="hidden" name="action" value="action_login">
    before submit button?
    Because, in HTML if using Enter key, not click submit button, the button value is not sent in _POST variables.
    That's why I added this variable.
    To validate the form with the Enter button or the Submit button.
    Good use
    Regards

    Attachments:

    rwchristiaanse
    Participant

    Posts: 8
    Member Reply #1265

    WARNING: This is a perfect example of NOT HOW TO IMPLEMENT authentication in PHP.

    Really everything is wrong with this example.

    1. Vulnerable to SQL injection ( Injecting POST variables in SQL )

    2. Vulnerable to XSS attacks (Use of $_SERVER['PHP_SELF'] )

    3. MD5 for password encryption (Too weak)

    4. No Hashing with salt

    5. Storing unnecessary data in session

     

    I urgently ask Keenthemes to remove this garbage.

     

     


    lleflon
    Participant

    Posts: 28
    Member Reply #1266

    Nobody is perfect.
    alexsmv wanted to know the login mechanism.
    We all learn from our mistakes
    For you, what is the good example?
    no problem that the admin erases what is not good to use.
    Let’s use your knowledge.
    Regards


    rwchristiaanse
    Participant

    Posts: 8
    Member Reply #1267

    At the moment I do not have the time to give a good example.

    Authentication is not simple. The best advice I can give is NOT try to implement your own. Use a good library like BCrypt. BCrypt is supported in PHP5+ ( see http://php.net/manual/en/function.password-hash.php ).

    Prevent MySQL injection by using prepared queries (see http://php.net/manual/en/pdo.prepared-statements.php ).

    You can use $_SERVER['PHP_SELF'], but use it like this:
    echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8");

    The only thing you need to store in your session (for authentication) is the fact that the user is logged in (or not):
    $_SESSION['login'] = true;

    read more about passwords and storing passwords secure here: http://php.net/manual/en/faq.passwords.php#faq.passwords.hashing

    Hope this helps you/someone in the right direction.


    lleflon
    Participant

    Posts: 28
    Member Reply #1271

    Thank you for this information
    After your comment, I sought to understand your instructions.
    for $_SERVER['PHP_SELF'] I found this alternative to avoid XSS
    <?php echo htmlentities($_SERVER['PHP_SELF']); ?>

    For $_POST : intval($_POST['id'])
    For $_GET : mysql_real_escape_string($_GET['id'])
    For SQL Injection limitation.

    For MD5, yes, is not the must, change to sha1 and salts
    Best regard for your comment,
    I continue to seek the right solutions, or least bad 😉
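    Editor's note: the following login.php is an added example, not code from this thread, from lleflon's attachment or from Keenthemes. It rebuilds the login flow of reply #1147 using the pieces reply #1267 points at (PDO prepared statements, password_hash()/password_verify(), htmlspecialchars() on PHP_SELF, a session holding only the login state) and is meant as a concrete reference for the "right solution" reply #1271 is looking for. Assumptions: the members table from the dump with the password column widened to varchar(255) so it can hold a password_hash() result; DB_NAME_PLACEHOLDER, DB_USER_PLACEHOLDER and DB_PASSWORD_PLACEHOLDER stand in for the values in connexion.php; createMember() and authenticate() are names chosen here.

```php
<?php
// Added example (not from the thread or Keenthemes): a minimal login.php
// built the way reply #1267 recommends. Assumed schema: a `members` table
// with columns member_id, username, password (varchar(255), holding a
// password_hash() result) and location. DSN and credentials are placeholders.
declare(strict_types=1);

session_start();

// Assumed connection settings; take the real ones from connexion.php.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]
);

// Insert a member with a bcrypt hash; this replaces storing md5('demo') in
// the dump. password_hash() generates and embeds the salt itself.
function createMember(PDO $pdo, string $username, string $password, string $location): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO members (username, password, location) VALUES (:u, :p, :l)'
    );
    $stmt->execute([':u' => $username, ':p' => $hash, ':l' => $location]);
}

// Return the member's landing page on success, null on failure. The username
// is a bound parameter, so quotes or comment markers in it are data, never
// SQL; the password is checked in PHP against the stored hash, not in the query.
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    $stmt = $pdo->prepare(
        'SELECT member_id, password, location FROM members WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend bcrypt work so the response time does not
        // reveal which usernames exist.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return null;
    }
    if (!password_verify($password, $row['password'])) {
        return null;
    }

    session_regenerate_id(true); // fresh session id once authenticated
    // Only what authentication needs lives in the session; prenom, nom and
    // level are read from the database by the pages that need them.
    $_SESSION = ['login' => true, 'member_id' => (int) $row['member_id']];
    return $row['location']; // comes from the database row, not from the request
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'action_login') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    if ($username !== '' && $password !== '') {
        $location = authenticate($pdo, $username, $password);
        if ($location !== null) {
            header('Location: ' . $location);
            exit;
        }
    }
    $error = 'Nom utilisateur ou Mot de passe incorrect';
}

// Escape PHP_SELF (and anything else echoed into HTML) so a crafted request
// path cannot break out of the action attribute.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>
<form class="login-form" action="<?= $self ?>" method="post" id="login">
<?php if ($error !== ''): ?>
    <div class="alert alert-danger"><p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p></div>
<?php endif; ?>
    <input type="text" name="username" autocomplete="off" placeholder="Nom Utilisateur"/>
    <input type="password" name="password" autocomplete="off" placeholder="Mot de Passe"/>
    <input type="hidden" name="action" value="action_login">
    <button type="submit" name="submit_login" value="login">Connexion</button>
</form>
```

    The hidden "action" field is kept so the Enter key and the button behave the same, as reply #1163 explains. The demo user would be created once with createMember($pdo, 'demo', 'demo', 'demo.php') instead of inserting an MD5 value into the dump; password_hash() does the salting, so there is no separate salt column to manage. Keeping member_id in the session alongside the login flag is a design choice: it lets later pages look up the current member without trusting any value from the request.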

    Sean
    Keymaster

    Posts: 4527
    Support Staff Reply #1341

    Hi :),

    Thanks for everyone for sharing the solution. I hope it will be useful to the rest of users.

    Thanks.
