Making A More Secure Login
October 1, 2008
This article is a continuation of my previous article Writing A Simple Login. I came to the realization that our login that we created earlier was not at all secure, so I decided it was time that we tackle the most basic security measures.
So starting off where our last example left off, we’ve had the users enter their username and password and passed it on to our processlogin.php file. After we’ve declared the database connections we’ll want to make a simple function that will check the variables passed through via the post. The function will look something like this.
function make_safe($variable) {
$variable = mysql_real_escape_string(trim($variable));
return $variable;
}
What this function does is trim the input and escape the characters (quotes, backslashes and the like) that would otherwise let user input break out of the quoted string in our query. The escaped value is then run through the database as plain data like normal, which stops a user from injecting SQL through our input fields.
In order to use this function we should call it like so.
$username = make_safe($_POST['username']);
$password = make_safe($_POST['password']);
That gives these two fields basic protection against SQL injection. Hopefully this has helped you out in making your login page more secure with some simple PHP.
Writing A Simple Login
September 26, 2008
One of the things that I marvel at is how many first-time PHP users clamor for a login function on their pages. What are they going to do once they get users? How are they going to keep them interested in their sites? Regardless, if you're interested in developing a login function for your site, I can certainly help out with that.
So the first thing we're going to want to do is create a form. You can put this form on your website or on a separate login page. This is what the HTML will look like.
<form name="form1" method="post" action="processlogin.php">
<label>
Username:
<input type="text" name="username" id="username">
</label>
<label>
Password:
<input type="password" name="password" id="password">
</label>
<label>
<input type="submit" name="submit" id="submit" value="Submit">
</label>
</form>
In order for the form to do anything we need to make a PHP page called processlogin.php. We also need a database already set up with a user in it; I'm going to leave that up to you for now.
As always we start by opening the PHP page, and since we'll be storing the logged-in user in the session we start the session right away, before anything is output:
<?php
session_start();
Next we need to define our database:
mysql_connect("localhost", "root", "password") or die(mysql_error());
mysql_select_db("mydb") or die(mysql_error());
Now we can start working. We're going to check whether the user put anything into username; if so we'll take the information they gave us in the form and assign it to variables.
if($_POST['username'] != NULL){
$username = $_POST['username'];
$password = $_POST['password'];
Now we’re going to run a query checking the database for an entry that matches our username and password.
$result = mysql_query("SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."'");
Next we fetch a row from the result and check whether one came back; if it didn't, we display an error.
$row = mysql_fetch_array($result);
if(!$row){
echo "Your Username or Password is Incorrect!";
}else{
$_SESSION['name'] = $username;
header('Location: /index.php');
exit;
}
We are now left with our final else statement, which will only run if the user hasn't entered anything into the form. This is of course a check that would normally be done with JavaScript before the form is submitted, but in this case we'll add it in for our basic login.
}else{
echo "You must fill out the login form.";
}
And now we close the php document.
?>
And that is all there is to it. As I said, this login is very flawed: there should be a lot of checking going on before the form is submitted, usually done with JavaScript, and we should also be sanitizing the user-entered values to ensure that we won't fall victim to SQL injection, but alas this is but a simple login form. So now that you have that under your belt you can continue working on your social networking site.
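As an added example (not code from either post), here is the login check from this post and the escaping idea from the "More Secure Login" post above rebuilt on PDO prepared statements and password_hash(). It goes beyond mysql_real_escape_string(): the username is bound as a parameter rather than escaped into the query string, and the password is stored and compared as a hash instead of appearing in SQL at all. The SQLite DSN, the users table and its columns, and the test account are assumptions made for the example.

```php
<?php
// Added example, not code from the original posts: the same username/password
// check rebuilt with a prepared statement and a salted password hash.
// It uses an in-memory SQLite database (needs the pdo_sqlite extension) so it
// runs stand-alone; a real site would point the DSN at its MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration stores a hash of the password, never the password itself.
function add_user(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login check: the username travels to the database as a bound parameter, so
// quotes or SQL keywords inside it are data, not part of the query text. The
// password is compared against the stored hash instead of being put into SQL.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => trim($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                  // no such user
    }
    return password_verify($password, $row['password_hash']);
}

// Constructed test account and login attempts.
add_user($db, 'alice', 'correct horse battery staple');
$attempts = [
    ['alice', 'correct horse battery staple'],  // right password
    ['alice', 'wrong password'],                // wrong password
    ["' OR '1'='1", 'anything'],                // constructed hostile username
];
foreach ($attempts as [$user, $pass]) {
    if (check_login($db, $user, $pass)) {
        // In processlogin.php this is where you would call
        // session_regenerate_id(true) and then set $_SESSION['name'].
        echo "login ok for $user\n";
    } else {
        echo "login failed for $user\n";
    }
}
```

Only the first attempt succeeds; the hostile username matches no row because the bound parameter never becomes part of the WHERE clause.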
How To Use PHP Functions To Execute Your MYSQL Queries.
September 24, 2008
Welcome to my first PHP tutorial. In this one I'll be going over an easy way to streamline your PHP code. The set of PHP functions I'm going to show you is really useful for keeping your PHP code clean. In my day-to-day programming I tend to write a TON of Mysql queries for my PHP. Well, this tutorial strives to give you an easy way to execute a series of Mysql commands without having a ton of $sql variables.
So starting things out we have our opening PHP command.
<?php
We then establish our connection to our database. This is only useful if you're going to be connected to one database for the run of this page.
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("trial") or die(mysql_error());
Then we're going to write our first PHP function; this is just a simple Mysql query.
function simple($table) {
$sql = "SELECT * FROM ".$table;
$result = mysql_query($sql);
return $result;
}
We take in a variable called $table, which identifies which table we should look into. Then we make an $sql variable to hold the Mysql command, run the Mysql query, and return the results of the query with PHP's return statement.
Now if we just want to be running simple queries all day we can use this. In order to use it we need to write some more PHP.
First we should make a variable with the Mysql table name in it.
$table = 'userdata';
Then run the function. We're setting $result to catch whatever the function sends back out with the return.
$result = simple($table);
Then we create an array with the Mysql data.
$row = mysql_fetch_array($result);
And use the data in our PHP code. In this case we're simply echoing the user's name.
echo $row['username'];
Now then, at the beginning of the page we can assign a few other PHP functions. These are two PHP functions that I use and thought you might find helpful.
This first function will look at whatever Mysql table you give it and will randomize the order of the results.
function random($table) {
$sql = "SELECT * FROM ".$table." ORDER BY RAND()";
$result = mysql_query($sql);
return $result;
}
This function takes in two arguments, and demonstrates how you can select a specific column from a Mysql table.
function double($table, $term) {
$sql = "SELECT ".$term." FROM ".$table;
$result = mysql_query($sql);
return $result;
}
And here’s the entire PHP page.
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("trial") or die(mysql_error());
function simple($table) {
$sql = "SELECT * FROM ".$table;
$result = mysql_query($sql);
return $result;
}
function random($table) {
$sql = "SELECT * FROM ".$table." ORDER BY RAND()";
$result = mysql_query($sql);
return $result;
}
function double($table, $term) {
$sql = "SELECT ".$term." FROM ".$table;
$result = mysql_query($sql);
return $result;
}
$table = 'userdata';
$result = simple($table);
$row = mysql_fetch_array($result);
echo $row['username'];
?>
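One thing to watch with simple(), random() and double() is that $table and $term are pasted straight into the SQL. Identifiers cannot be bound as query parameters the way values can, so the safe pattern is to check them against a fixed list of known table and column names before building the query. The following is an added example (not the post's own code) of that check; the allowlist, the userdata columns and the sample row are assumptions, and it uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not the post's own code: a version of double($table, $term)
// that only accepts table and column names from its own allowlist, so the
// caller's strings never reach the query text directly.
// Needs the pdo_sqlite extension; schema and sample row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userdata (username TEXT, email TEXT, password_hash TEXT)');
$db->exec("INSERT INTO userdata VALUES ('alice', 'alice@example.com', 'hash-placeholder')");

// Assumed schema map: table name => columns callers may select from it.
// password_hash is deliberately left out so it can never be pulled this way.
const ALLOWED = [
    'userdata' => ['username', 'email'],
];

function safe_double(PDO $db, string $table, string $term): array
{
    if (!isset(ALLOWED[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    if (!in_array($term, ALLOWED[$table], true)) {
        throw new InvalidArgumentException("column not allowed: $term");
    }
    // Both identifiers now equal entries from our own constant, not the raw
    // caller input. Double quotes are ANSI identifier quoting (SQLite); MySQL
    // uses backticks unless ANSI_QUOTES is enabled.
    $stmt = $db->query("SELECT \"$term\" FROM \"$table\"");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(safe_double($db, 'userdata', 'username'));

// Constructed bad inputs: a column outside the allowlist, and an attempt to
// smuggle a second column in through the $term string.
foreach (['password_hash', 'username, password_hash'] as $badTerm) {
    try {
        safe_double($db, 'userdata', $badTerm);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```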
Hopefully this has proven useful for you, if you have any questions be sure to leave them in the comments!