

Simple PHP Login Script





medesignz
I am looking for a PHP MySQL login script and have found one that does the function, but it doesn't allow updating and editing of user information. Obviously this is a bit of a bummer, so does anyone know of any that include a members area, and more importantly, an 'edit profile' section?
rvec
ehm like a forum?
phpBB3
or like a portal?
drupal
medesignz
after not finding what I need, I am coding it all from scratch.

I don't want to use OpenSource anything, if I can help it.
riccopt
the best login system I know is the one that uses APACHE as server and .htaccess + .htpasswd
not saying that is the best for your needs... but since you don't want to use any opensource stuff you should really build all from scratch...
mahirharoon
medesignz wrote:
after not finding what I need, I am coding it all from scratch.

I don't want to use OpenSource anything, if I can help it.

i see, i see
i tried this 2 years ago but it failed; i would like to share it
but only the registering part can be considered complete, even though it has many errors
Code:
<?php
// Flat file that receives one "name|password" record per request.
$data = 'data.txt';
// Superglobals are case-sensitive: form fields arrive in $_POST, not $_post.
$tile = $_POST["name"];
$password = $_POST["pass"];
// The submitted values are written exactly as received, password in plain text.
$somecontent = "$tile|$password \n <br>";
//handle = fopen(" $tile ", "a");

// Let's make sure the file exists and is writable first.
//if (is_writable($filename)) {

// In our example we're opening $filename in append mode.
// The file pointer is at the bottom of the file hence
// that's where $somecontent will go when we fwrite() it.
if (!$handle = fopen($data, 'a')) {
//echo @"($tile)";
exit;
}

// Write $somecontent to our opened file.
if (fwrite($handle, $somecontent) === FALSE) {

exit;
}
fclose($handle);
// Redirect to the next page once the record is stored.
header('Location: fin.php');
exit;
?>
Echo51
I wouldn't use Mahir's script at all, since it's .txt file based, and any user can just go to those and rip your entire user database, enter the passwords in an MD5 hash database, and have most of the site's accounts in control
rickylau
Echo51 wrote:
due to its .txt file based, and any user can just go to those and rip your entire userdatabase
Partially agree, it would happen JUST IF you are not considerate enough. A text-based database totally doesn't mean insecure. It is as secure as a DB like MySQL if:
- The text file is protected from access by unauthorized persons, like in a htpasswd-ed directory
- Or simply located somewhere inaccessible by HTTP / FTP

However, using a text file to store data isn't ideal if MySQL is applicable. Not a security problem, but querying MySQL should be more efficient in most cases, especially when the scale is large enough.

And the script provided by mahirharoon just did nothing other than adding a record...


I think it is not a big deal to make a member system; in the simplest case you only need one table with three or four columns - login name, password, and maybe some additional information needed. The important concern is that the password should be stored in encrypted form, and to prevent SQL injection (those can be done within one or two PHP function calls).
For "edit profile", what's the difficulty? Just make a form to list all information for the user; when the form is submitted, perform an SQL update. Sounds not that hard.
cemycc
rickylau wrote:
Echo51 wrote:
due to it's .txt file based, and any user can just go to those and rip your entire user database
Partially agree, it would happen JUST IF you are not considerate enough. A text-based database totally doesn't mean insecure. It is as secure as a DB like MySQL if:
- The text file is protected from access by unauthorized persons, like in a htpasswd-ed directory
- Or simply located somewhere inaccessible by HTTP / FTP

However, using a text file to store data isn't ideal if MySQL is applicable. Not a security problem, but querying MySQL should be more efficient in most cases, especially when the scale is large enough.

And the script provided by mahirharoon just did nothing other than adding a record...


I think it is not a big deal to make a member system; in the simplest case you only need one table with three or four columns - login name, password, and maybe some additional information needed. The important concern is that the password should be stored in encrypted form, and to prevent SQL injection (those can be done within one or two PHP function calls).
For "edit profile", what's the difficulty? Just make a form to list all information for the user; when the form is submitted, perform an SQL update. Sounds not that hard.



Also, if you don't have MySQL support you can write an encryption algorithm for your txt files. Like this they will be protected. To solve the speed problem, you can make a cache system, but not on file.


The member system is not a big deal but you need to know some security tweaks:
Every time, use the user's ID for profile, message and stuff like that. Don't use the username!
Make 2 tables: 1 for username, id, password and 1 for profile: name, email, address, phone etc.
Use captcha every time.
Try to read about security breaks in PHP (form problems); search on Google and you will find some good tutorials.
gdn17
I'm looking for a login script in PHP but using only MySQL and safe too. Hope I find it =\
Nemesis234
cemycc wrote:

Every time, use the user's ID for profile, message and stuff like that. Don't use the username!

why? surely it would depend on the situation. i want to send a mail to "nemesis", not id # 5375
a forum's last reply was by nemesis; if i save it as nemesis it's done, if i save as id, i have to query the db to find out who that id belongs to.
id is generally better to use, but it is not the case every time as you suggest

cemycc wrote:

Make 2 tables: 1 for username, id, password and 1 for profile: name, email, address, phone etc.

again, as above. what's the need for this? it depends on the situation. just because a table has extra columns you don't have to use them; by only selecting the data you need it will be just as fast, and only need 1 sql query instead of 2 on every page.
cemycc wrote:

Use captcha every time.

there are MUCH better systems than captcha, i personally find captcha horrible to use, 50% of the time i struggle to read the words, and i'm english, i can't imagine how hard it could be for non-native speakers.
if spam is a problem i would strongly suggest making your own human check procedures.
ProwerBot
Nemesis234 wrote:

cemycc wrote:

Use captcha every time.

there are MUCH better systems than captcha, i personally find captcha horrible to use, 50% of the time i struggle to read the words, and i'm english, i can't imagine how hard it could be for non-native speakers.
if spam is a problem i would strongly suggest making your own human check procedures.

Yes, captcha is annoying. I find the "Are you human?" and "1+6?" questions to be much better and maybe even more effective.
Fire Boar
ProwerBot wrote:
Yes, captcha is annoying. I find the "Are you human?" and "1+6?" questions to be much better and maybe even more effective.


Those are in fact classed as CAPTCHA.

I think the "use user IDs" is an internal thing, to help prevent SQL injection or improve query performance. You'd obviously not say "hey user, want to send a message to #223478?"
cemycc
In my opinion this is the best auth - register system :

Quote:
1. Tiny footprint with optional test implementation
2. Full documentation
3. No autoloading required. Just-in-time loading of libraries for performance
4. Language file support; no hard-coded strings
5. reCAPTCHA supported but optional
6. Recommended TRUE random salt generation (e.g. using random.org or random.irb.hr)
7. Optional add-ons to support 3rd party login (OpenID, Facebook Connect, Google Account, etc.)
8. Login using either username or email
9. Separation of user and profile data
10. Emails for activation and lost passwords
11. Automatic cookie login feature
12. Configurable phpass for hashing (properly salted of course!)
13. Hashing of passwords
14. Hashing of autologin codes
15. Hashing of lost password codes
16. Hooks into CI's validation system
17. NO security questions!
18. Enforced strong password policy server-side, with optional client-side (Javascript) validator
19. Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks!
20. All database access done through prepared (bound) statements!


I will try to write it on the CodeIgniter framework.
Nemesis234
cemycc wrote:
In my opinion this is the best auth - register system :

Quote:
1. Tiny footprint with optional test implementation
2. Full documentation
3. No autoloading required. Just-in-time loading of libraries for performance
4. Language file support; no hard-coded strings
5. reCAPTCHA supported but optional
6. Recommended TRUE random salt generation (e.g. using random.org or random.irb.hr)
7. Optional add-ons to support 3rd party login (OpenID, Facebook Connect, Google Account, etc.)
8. Login using either username or email
9. Separation of user and profile data
10. Emails for activation and lost passwords
11. Automatic cookie login feature
12. Configurable phpass for hashing (properly salted of course!)
13. Hashing of passwords
14. Hashing of autologin codes
15. Hashing of lost password codes
16. Hooks into CI's validation system
17. NO security questions!
18. Enforced strong password policy server-side, with optional client-side (Javascript) validator
19. Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks!
20. All database access done through prepared (bound) statements!


I will try to write it on the CodeIgniter framework.


what's that for? seems like a hell of a lot of work, maybe if you were planning to re-do facebook login, but for a normal amateur website a lot of that isn't necessary.

and why use a framework? there really is no need.
cemycc
Nemesis234 wrote:
cemycc wrote:
In my opinion this is the best auth - register system :

Quote:
1. Tiny footprint with optional test implementation
2. Full documentation
3. No autoloading required. Just-in-time loading of libraries for performance
4. Language file support; no hard-coded strings
5. reCAPTCHA supported but optional
6. Recommended TRUE random salt generation (e.g. using random.org or random.irb.hr)
7. Optional add-ons to support 3rd party login (OpenID, Facebook Connect, Google Account, etc.)
8. Login using either username or email
9. Separation of user and profile data
10. Emails for activation and lost passwords
11. Automatic cookie login feature
12. Configurable phpass for hashing (properly salted of course!)
13. Hashing of passwords
14. Hashing of autologin codes
15. Hashing of lost password codes
16. Hooks into CI's validation system
17. NO security questions!
18. Enforced strong password policy server-side, with optional client-side (Javascript) validator
19. Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks!
20. All database access done through prepared (bound) statements!


I will try to write it on the CodeIgniter framework.


what's that for? seems like a hell of a lot of work, maybe if you were planning to re-do facebook login, but for a normal amateur website a lot of that isn't necessary.

and why use a framework? there really is no need.


On my last project (it was a national community for games) the login was hacked because there was no captcha. I was trying to find the best auth, and I will try to make it (just for me).
Yeah, you are right, you don't need a framework. For this stuff it is better to write it clean.
Nemesis234
cemycc wrote:

On my last project (it was a national community for games) the login was hacked because there was no captcha.

hacked or spammed? cuz there is a big difference. captcha wouldn't have stopped a hacking, but perhaps would have prevented spam sign-ups.
jmraker
A captcha would only block an automated program that filled out the form correctly.
If the bot filled out the form and injected some SQL and that SQL was processed, they could add/edit/delete records or tables in your database through trial and error.

It's something you need to think about when you add every SQL statement to your program. Not just the login.
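The points raised above by rickylau (hashed passwords, injection prevention, an "edit profile" update) and by jmraker (every SQL statement needs the same care, not just the login), shown as an added example that is not code from any poster. The table, column and function names are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline:

```php
<?php
// Added example; table, column and function names are assumptions.
// In-memory SQLite keeps it runnable offline; use a mysql: DSN in production.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    email TEXT NOT NULL DEFAULT ''
)");

function register(PDO $pdo, string $username, string $password): int
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // password_hash() generates a random salt and embeds it in the stored hash.
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $pdo->lastInsertId();
}

function login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        return (int) $row['id'];   // store this in $_SESSION after login
    }
    return null;
}

function updateEmail(PDO $pdo, int $userId, string $email): bool
{
    // $userId must come from the server-side session, never from the form.
    $stmt = $pdo->prepare('UPDATE users SET email = ? WHERE id = ?');
    $stmt->execute([$email, $userId]);
    return $stmt->rowCount() === 1;
}

// Constructed sample input, including injection-shaped strings.
$id = register($pdo, 'alice', 'correct horse battery staple');
var_dump(login($pdo, 'alice', 'correct horse battery staple') === $id);
var_dump(login($pdo, "alice' OR '1'='1", 'x'));   // bound as a literal username
var_dump(updateEmail($pdo, $id, "a@example.test'; DROP TABLE users; --"));
var_dump((int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn());
```

Because every value travels as a bound parameter, the quote characters in the sample strings are stored or compared as data and never become part of the SQL text.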
mahirh
Nemesis234 wrote:

hacked or spammed? cuz there is a big difference. captcha wouldn't have stopped a hacking, but perhaps would have prevented spam sign-ups.

he may have meant something like brute-forcing username and passwords which were obtained through various methods like key-logging and other ways
Relentless
PHP Login Script V2.3
===================================
Updated - 17/09/2010

* NEW! Added user levels
* NEW! New and simple Admin area. No need to login separately as admin.
* NEW! Automatic or Manual activation feature for user registrations
* Removed SMTP for emails, just uses php mail function
* Fixed cookie and session vulnerabilities (session hijacking, XSS and injection)
* NEW! Added salted passwords with sha1 hashing
* Fixed error messages using GET
* New user edit feature
* Added non deletion of admin account.
* Fixed the IE8 issue button not working

I have used the above on 2 websites I have made for the same company
Site 1 | Site 2

Check them out!
Relentless
Shoot! Double post, I'm sorry!

But I just want to say that on both of those sites I did some tweaking to the script. I built the site first, then added the PHP login script.

So the scripts all sit inside a /MyCard/ folder.

And I included the database file into all the pages but didn't activate the protection script. Benefit?

Example: once a user logs in, I have a PHP "if statement" on the login box. Once logged in, it includes a different box saying "Welcome $name please click here to see your profile.."

Pretty neat!

Also, on the pictures page, if the user is logged in I have a PHP comment form with the user's username in the name box "hidden". So the user's name and comment are recorded. no spam
ogah
Echo51 wrote:
I wouldn't use Mahir's script at all, since it's .txt file based, and any user can just go to those and rip your entire user database, enter the passwords in an MD5 hash database, and have most of the site's accounts in control

you can protect your text file with .htaccess like this
Code:
<Files "data.txt">
deny from all
</Files>
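A hardened variant of the flat-file registration debated in this thread (Echo51's objection, rickylau's conditions, ogah's .htaccess rule), as an added example that is not code from any poster. The function names and file location are assumptions; it stores a salted hash instead of the password, restricts names so the "|" delimiter cannot be forged, and locks the file during the write:

```php
<?php
// Added example; file location and function names are assumptions.
function registerUser(string $file, string $name, string $password): bool
{
    // Allow-list the name so "|" and newlines can never forge or split records.
    if (!preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $name)) {
        return false;
    }
    $fh = fopen($file, 'c+');            // create if missing, never truncate
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;
    }
    $taken = false;
    while (($line = fgets($fh)) !== false) {
        if (explode('|', $line, 2)[0] === $name) {
            $taken = true;
            break;
        }
    }
    if (!$taken) {
        fseek($fh, 0, SEEK_END);
        // Store a salted hash, not the password itself.
        fwrite($fh, $name . '|' . password_hash($password, PASSWORD_DEFAULT) . "\n");
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return !$taken;
}

function checkLogin(string $file, string $name, string $password): bool
{
    $lines = is_readable($file) ? file($file, FILE_IGNORE_NEW_LINES) : [];
    foreach ($lines as $line) {
        $parts = explode('|', $line, 2);
        if (count($parts) === 2 && $parts[0] === $name) {
            return password_verify($password, $parts[1]);
        }
    }
    return false;
}

// Constructed demo: a temp file stands in for a path outside the document root.
$file = tempnam(sys_get_temp_dir(), 'usr');
var_dump(registerUser($file, 'alice', 's3cret-passphrase'));
var_dump(registerUser($file, "mallory|x\nadmin", 'pw'));   // delimiter and newline in name
var_dump(checkLogin($file, 'alice', 's3cret-passphrase'));
var_dump(checkLogin($file, 'alice', 'wrong'));
unlink($file);
```

In a deployment the file path should point outside the web root, so that the .htaccess rule becomes a second layer rather than the only barrier.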
pirate
If you're looking for a simple login script, just google - phpacademy - login tutorial. It is a great tutorial and very easy to understand.