Making A More Secure Login
October 1, 2008
This article is a continuation of my previous article, Writing A Simple Login. I came to the realization that the login we created earlier was not at all secure, so I decided it was time we tackled the most basic security measures.
So, starting where our last example left off, we've had the user enter a username and password and passed them on to our processlogin.php file. After we've declared the database connection, we'll want to write a simple function that sanitizes the variables that arrived via POST. The function will look something like this.
// Trims surrounding whitespace, then escapes the characters that would
// otherwise terminate or alter a quoted string literal in the SQL query.
// mysql_real_escape_string() needs the database connection that was opened
// above, which is why this function is declared after it.
function make_safe($variable) {
    $variable = mysql_real_escape_string(trim($variable));
    return $variable;
}
What this function ensures is that anything the user passes to our processing page is escaped before it reaches the database: quotes and similar characters in the input are neutralised, so the value is treated as plain data inside the quoted string in our query and cannot break out of it to alter the query itself. Note that this only protects values that are placed inside quotes in the SQL; a value dropped into the query unquoted is not covered.
In order to use this function we should call it like so.
$username = make_safe($_POST['username']);
$password = make_safe($_POST['password']);
This protects the query from the kind of malicious input described above. Hopefully this has helped you make your login page more secure with some simple PHP.
Writing A Simple Login
September 26, 2008
One of the things that I marvel at is how many first-time PHP users clamor for a login function on their pages. What are they going to do once they get users? How are they going to keep them interested in their sites? Well, regardless, if you're interested in developing a login function for your site, I can certainly help out with that.
So the first thing we're going to want to do is create a form. You can put this form on your website or on a separate login page. This is what the HTML will look like.
<form name="form1" method="post" action="processlogin.php">
    <label>
        Username:
        <input type="text" name="username" id="username">
    </label>
    <label>
        Password:
        <input type="password" name="password" id="password">
    </label>
    <label>
        <input type="submit" name="submit" id="submit" value="Submit">
    </label>
</form>
So in order for the form to do anything we need to make a PHP page called processlogin.php. We also need to have a database already set up with a user in it; I'm going to leave that up to you for now.
As always we want to open up a PHP page:
<?php
session_start(); // must run before any output, since $_SESSION is used further down
Next we need to define our database:
mysql_connect("localhost", "root", "password") or die(mysql_error());
mysql_select_db("mydb") or die(mysql_error());
Now we can start working. We're going to check whether the user put any information into the username field; if so, we'll take the information they gave us in the form and assign it to variables.
// empty() also covers the case where the field was never submitted at all
if (!empty($_POST['username'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
Now we’re going to run a query checking the database for an entry that matches our username and password.
    // The values are concatenated straight into the SQL string here; this is the
    // unescaped query that the follow-up article, Making A More Secure Login, fixes.
    $result = mysql_query("SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."'");
Next we fetch the first row of the result and check whether anything was returned; if not, we display an error.
    // mysql_fetch_assoc() returns false when the result set is empty
    $row = mysql_fetch_assoc($result);
    if ($row === false) {
        echo "Your Username or Password is Incorrect!";
    } else {
        $_SESSION['name'] = $username;
        header('Location: /index.php');
        exit; // stop here so nothing after the redirect runs
    }
We are now left with our final else branch, which runs only if the user hasn't entered anything into the form. This check would normally be done client-side with JavaScript, but in this case we'll add it here for our basic login.
} else {
    echo "You must fill out the login form.";
}
And now we close the php document.
?>
And that is all there is to it. As I said, this login is very flawed: there should be a lot of checking going on before the form is submitted, usually done with JavaScript, and we should also be escaping the user-entered values so that we won't fall victim to SQL injection. But alas, this is but a simple login form. So now that you have that under your belt you can continue working on your social networking site.
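The following is an added example, not code from either of the two posts above. It rewrites the processlogin.php flow from Writing A Simple Login so that the username and password are bound as query parameters instead of being concatenated into the SQL string, which is the root cause that the make_safe() function in Making A More Secure Login escapes around; with parameter binding the driver sends the values separately from the SQL text, so no character in the input can reach the query syntax. It also goes one step beyond both posts by storing a password hash instead of the clear-text password. The mysql_* functions used in the posts were removed in PHP 7, so PDO is used. The in-memory SQLite database, the users table and its single row are assumptions constructed here so the script runs offline; in the posts the data lives in a MySQL database called mydb.

```php
<?php
// Added example, not code from either original post. Assumptions: an in-memory
// SQLite database stands in for the MySQL "mydb" database, and the users table
// with one constructed row is created below so the script runs offline.

function connect_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Constructed sample user; the stored value is a hash, never the password itself.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => "o'brien", ':h' => password_hash('secret', PASSWORD_DEFAULT)]);
    return $db;
}

// Looks up the user by name with a bound parameter and checks the submitted
// password against the stored hash. Returns true only when both match.
function check_credentials(PDO $db, string $username, string $password): bool {
    // The placeholder is filled in by the driver, so a quote or any other
    // character in $username can never terminate the string literal or change
    // the WHERE clause; it is compared as plain data.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Request handler with the same three branches as the original post. It returns
// the message to show; in a real page session_start() runs before this, and the
// success branch ends with header('Location: /index.php'); exit;
function process_login(PDO $db, array $post): string {
    if (!isset($post['username']) || trim($post['username']) === '') {
        return 'You must fill out the login form.';
    }
    $username = trim($post['username']);
    $password = $post['password'] ?? '';

    if (!check_credentials($db, $username, $password)) {
        return 'Your Username or Password is Incorrect!';
    }
    $_SESSION['name'] = $username;
    return 'ok';
}

// Demonstration run with constructed inputs.
$db = connect_demo_db();
$_SESSION = [];
// A username containing a quote is handled as data: the right password logs in,
// the wrong one is rejected, and neither produces a SQL error.
echo process_login($db, ['username' => "o'brien", 'password' => 'secret']), PHP_EOL;
echo process_login($db, ['username' => "o'brien", 'password' => 'wrong']), PHP_EOL;
echo process_login($db, ['username' => '']), PHP_EOL;
```

Run it with `php processlogin_demo.php` (any file name works). The design point is that the query text is fixed at prepare time and the user's values are supplied separately, so there is nothing for make_safe() to escape; the same `prepare()`/`execute()` pair works unchanged against MySQL by swapping the PDO DSN for `mysql:host=localhost;dbname=mydb`.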