Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I have to create a website with the sole purpose of connecting to a MySQL database and displaying its information in a graphical user interface.
So far everything is working well. My problem, however, is setting up some sort of log in system to get the user's $username and $password.
While the website is being developed for LAN use I would rather not put a username and password in HTML or PHP for security reasons.
How would I go about writing code to ask the user for a password and username on my index page, have it used for all of the other pages on my site, and ultimately have it forgotten when the user closes my website? At the moment I only know HTML, CSS, and some very naive PHP.
in a nutshell:
login.php
<?php
session_start();
function hhb_tohtml($str)
{
return htmlentities($str, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8', true);
}
$accounts=array(
//username =>password
'smith'=>'smell',
'admin'=>'password',
'guest'=>'guestpass'
);
if(array_key_exists('submit',$_POST)){
if(!array_key_exists('username',$_POST)){
$username='';
} else
{
$username=$_POST['username'];
}
if(!array_key_exists('password',$_POST)){
$password='';
}else {
$password=$_POST['password'];
}
if(!array_key_exists($username,$accounts)){
die('This username does not exist.');
}
if($accounts[$username]!==$password){
die('wrong password!');
}
$_SESSION['logged_in']=true;
$_SESSION['username']=$username;
die('you have logged in as: '.hhb_tohtml($username));
}
?>
<!DOCTYPE html>
<html>
<head><title></title></head>
<body>
<form action="?" method="post">
Username: <input type="text" name="username" /><br>
Password: <input type="password" name="password" /><br>
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
and in other places, like controlpanel.php:
session_start();
if(!isset($_SESSION['logged_in'])){die('you need to login first!');}
the session id will be stored in a cookie, thanks to session_start(), and the server will remember whether or not this session id is logged in.
As far as I understand you would be able to use the standard type of login using a session. There are many tutorials to show you how to achieve this and there are many different ways to get to the outcome. It all depends on your skills, level of safety and database requirements, to name a few.
You should start by having a look at a tutorial like this which makes use of a session http://www.formget.com/login-form-in-php/ this will give you the "forget password" functionality. Unless a user saves the password using their browser.
Just in case the tutorial above is not to your liking here a a few more:
http://www.homeandlearn.co.uk/php/php14p2.html
http://www.phpeasystep.com/phptu/6.html
and my personal favorite http://www.tutorialspoint.com/php/php_login_example.htm
I hope you find something to help you, if you have any issues implementing one of these examples please post a question with your code for someone to help you resolve it.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
Sorry I am asking a question that has been asked before but in spite of reading all of them, I am still confused what to do.
What exactly I have to do to implement the remember me feature in my website I am building as my final year project. Is calling the function "setcookie()" alone sufficient?
setCookie() is all you need.
You can use it like this:
$cookie_value = 'MyUsername';
$cookie_expire = time() + 60*60*24*365;// 365 days
$cookie_path = '/';
setcookie('remember_me',$cookie_value, $cookie_expire, $cookie_path);
On the next pageload, you can fetch the remember_me cookie value with:
$_COOKIE['remember_me'];
But the 'next pageload' part is important because PHP cookies cannot be set and also read in the same browser action.
In the most simple way possible. The way I would bring this all together for demonstration for your project is have a php page with an html <form> that posts to itself.
Your filename would be something like my_form.php
inside it would be:
<?php
// If we received a username from the form, remember it for a year.
if( $_POST['username'] ):
setcookie('remember_me',$_POST['username'], time()+60*60*24*365, '/');
endif;
?>
<?php
// Display a message if the user is remembered.
if( isset($_COOKIE['remember_me']) ):
echo '<h2>Welcome back, '.$_COOKIE['remember_me'].'!</h2>';
endif;
?>
<form action="" method="post">
<input name="username" type="text" placeholder="Your Username" value="<?php echo $_COOKIE['remember_me'] ?>" required />
<button type="submit">Remember me</button>
</form>
This form submits to itself. If you see the username you just entered in the welcome message, then it is remembering you.
Very important! The setcookie() call in PHP must be the first thing in your my_form.php file. Otherwise setcookie() will not work if any output has happened to the web-browser before you call the setcookie() function.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I have setup a 3 page php login system. first page is login.php. it loads users input to the content.php and content.php will check the username and password. if fails, it will direct the user to the loginfail.php
If i just try to open the content.php without loading login.php first. I will be directed to loginfail.php
The design is using the post method on login.php and just simply checking the $_POST value inside content.php.
Here is my question : is this a secure design for protecting the content.php file ? it seemed no one will have the access to content.php unless they load login.php and get the username and password right.
you can do all in a single page like this:
<?php
session_start();
include("../inc/db.php");
if((isset($_POST['action']))and($_POST['action']=="login")){
$qu = mysql_query("SELECT * FROM `users` WHERE `user_name`='$_POST[uname]' and `password`='$_POST[pass]' LIMIT 1;");
if(mysql_num_rows($qu)!=0){
$uobj = mysql_fetch_object($qu);
$_SESSION["user"] = 'U';
$_SESSION["username"] = $uobj->user_name;
$_SESSION["fname"] = $uobj->full_name;
$_SESSION["id"] = $uobj->uid;
header("location:index.php");
}else{
header("location:login.php?message=wrongpass");
}
}
?>
<form method=post><table border=0>
<tr><td style='width:100px;'>user name</td><td><input type=text name=uname ></td></tr>
<tr><td>pass</td><td><input type=password name=pass ></td></tr>
<tr><td colspan='2'><input type=submit name=submit value=' login ' style='width:120px;'></td></tr>
<input type='hidden' name='action' value='login'>
</table></form>
Quite safe in my opinion yes.
It's difficult to say more without seeing the code.
Now maybe you should restrain number of tries with an IP because : http://i129.photobucket.com/albums/p203/Zelinko/Motivational%20Pictures/ATXNXOTI3MHPD6FS4MOF5IZHKKPBLSVV.jpg
It really depends on how safe you want to get. Its safe enough for a small private app, or something to be used by a few people, but i wouldn't use it in a bank site.
Because you are saving the password in the content.php file directly I guess (it sounds a lot like a homework I had on my first year at the university), if someone gets access to read the file through ftp for example, you would compromise the password. Also, you could brute force the password quite easily if you don't have a blocking method.
To add a bit of security you could hash the password in a database and add a limit to the amount of failures a connection can have.
Herroo everyone!
I am building a website for my dad. He is an accountant. We have Google calendars setup for him to take appointments. The website is just a pretty front page with three clickable images that link to different calenders. Two of the buttons are linked to employee calendars and are not password protected which is fine. We want new people to be able to sign up for them. My dad however is overbooked and needs his link password protected so he can give the password out to specific clients in order for them to make their appointments. He does not want see new people.
I can work with html and css but a total newb to PHP/MYSQL. I have been doing a lot of research and downloaded many tutorials/sample codes the past few days but I am still confused. This is what I've gotten so far after modifying some sample code. I set the password to be barney and do not require a user name and saved it as php1.php in a sub folder called protect. I remember reading somewhere that this well help with people bypassing the password.
<?php
$password = "barney";
if (md5($_POST['txtPassword']) != $password) {
?>
<h1>Login</h1>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p><label for="txtpassword">Password:</label>
<br /><input type="password" title="Enter your password" name="txtPassword" /></p>
<p><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php
}
after this I am stuck... I do not know how to apply this to my html page and attach it to the image/link. Any help is much appreciated! Thanks so much!!
The obvious problem here is that you are comparing your password $password to an md5 version of the submitted password. They will be different and so you will always be shown the login form.
Replace with
<?php
$password = "barney";
if ($_POST['txtPassword'] != $password) {
?>Login form here<?php
} else {
?>Restricted access here<?php
}
But then you should keep in mind that such a scheme remains bad practice and low-security:
the password is stored in plain-text
you don't check how many
attempts a user makes to retrieve the password (see brute-force
attacks)
...
if you don't want to use the PHP file you could always modify the .htaccess file if it is available to you.
here is a quick how-to:
http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/
here is more detailed info:
http://www.javascriptkit.com/howto/htaccess3.shtml
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
I am developing a site in PHP that allows users to sign up and enter in some information, and I would like to give each user a unique URL. When the user logs in to his profile, I want JUST the username to be passed to the URL (like www.mysite.com/profile.php?user=username) in order to rewrite it later. However, I'm using the $_POST method, and I'm concerned if I use $_GET while logging in the password will be passed to the URL as well. What should I do?
There shouldn't really be a problem doing this. You could simply use a POST method that points to a URL with a GET parameter.
So you make a POST request to:
www.mysite.com/profile.php?user={$username}
This way the user variable in the URL doesn't need to be used in the authentication.
Consider this for a simplistic example:
<form method="post" action="/profile.php?username=hasan">
<input type="text" name="username" value="hasan" />
<input type="text" name="password" value="********" />
</form>
The URL you are posting to doesn't have to be hard coded either - you could always dynamically add the user name before submitting the form.
On the link to or redirection you can add
Link to the profile
and after you read it (in php file) with $_GET['user']
Since the authentication presumably happens in a separate script, e.g. login.php, it's just a matter of appending the username to the profile URL when redirecting upon successful login.
header('Location: profile.php?username='.$username);
Lix's answer is best and is what you should be doing, but assuming you don't have a login.php and for some strange reason want to go straight to profile.php?user to login, you can use this javascript:
<script type="text/javascript">
$(document).ready(function() {
$("#theForm").submit(function() {
$(this).attr("action", $(this).attr("action") + $("#usernameInput").val());
return true;
});
});
</script>
And your form looks something like:
<form action="http://www.mysite.com/profile.php?user=" method="post" id="theForm">
<input type="text" name="usernameInput" id="usernameInput">
<input type="password" name="passwordInput" id="passwordInput">
<input type="submit" name="submit" value="Login">
</form>
And then your action will change to the inputted username upon submit. But still, you should have an intermediary login.php that redirects to profile.php?user.
I'm quite new in this PHP programming and already tried looking my issue at this forum but no success.
I have build a simple webform using PHP and stuck when trying to edit form. My form consist of below
register html form - basicallly user fill in the form and hit submit. the form will then go to register.php
Register.php - all the field store at database and I also display the form using the SESSION (not call from database) in this page.
Here is my problem start. At the dispay(register.php) I want allow user to edit his/her information and submit again(which i think use update query base on ID). But I truly don't know how to do this.
Can someone advice me or give some simple code for this so that I can have clearer view?
you also must strip slashes for avoiding Sql injection
In previous pages you must store the username from textbox of login
Something like this:
session_start();
$_SESSION['username']=$_POST['input of login txtbox'];
you can just get the condition with user cause you have just one unique user 2 users mustn't have the same user name then just store the username of them in $_SESSION
$connection=Mysql_connect('server','user','pass');
if(array_key_exists('sub2',$_POST))
{
if(!$connection)
{
echo 'connection is invalid';
}
else
{
Mysql_select_db('Your DB',$connection);
$pas=$_POST['pass1'];
$username=$_POST['username'];
$pas=mysql_escape_string($pas);
$username=mysql_escape_string($username);
$query="update user set user='$username'and pass=password('$pas') where username='".$_SESSION['username'].";
//some code
}
in your form:
<p><b>User Name:</b><input type="text" name="username" />
<p><b>Password:</b><input type="password" name="pass1" />
<input type="submit" name="sub2" value="update"/>
use this site for secure your code