# php login guide



## Sean8 (Apr 14, 2010)

Is this guide all right to use to have a secure login system for visitors on my website? Also, how do I add users to the table once I create the database?

http://www.phpeasystep.com/phptu/6.html



> CREATE TABLE `members` (
> `id` int(4) NOT NULL auto_increment,
> `username` varchar(65) NOT NULL default '',
> `password` varchar(65) NOT NULL default '',
> ...



That creates the database and adds john.

When I tried to do this after creating the database, the username/pw doesn't work; only the first one, john, does.



> INSERT INTO `members` VALUES (2, 'craig', '1235334');


----------



## Kreij (Apr 14, 2010)

Not sure how the database is handling the auto-incrementing column.
Usually you do not supply the AI value on an insert as the DB handles that, or you give it a value of -1.


----------



## Sean8 (Apr 14, 2010)

Kreij said:


> Not sure how the database is handling the auto-incrementing column.
> Usually you do not supply the AI value on an insert as the DB handles that, or you give it a value of -1.



I'll be honest, I don't know what that means, since after all I'm using a guide. The guide works; I just need to know how to add users to the database with the username/pw I specify and whether that login script is secure.


----------



## Kreij (Apr 14, 2010)

What database are you using?


----------



## Easy Rhino (Apr 14, 2010)

This is most definitely a database question.


----------



## Sean8 (Apr 14, 2010)

Kreij said:


> What database are you using?





Easy Rhino said:


> this is most definitely a database question.



Could you both explain what I should look for in order to answer that question? My hosting company is GoDaddy, if that helps, and the database is set up for php 5.-


----------



## Easy Rhino (Apr 14, 2010)

Sean89 said:


> Could you both explain what I should look for in order to answer that question? My hosting company is GoDaddy, if that helps, and the database is set up for php 5.-



Well then, most likely you can set up a MySQL database with your host. It should be a one-click install. Then read up on how to add values to MySQL tables using PHP. I'm certain there is some specific coding you have to use to get authentication to add values to tables and then have those values added incrementally.


----------



## Sean8 (Apr 14, 2010)

Easy Rhino said:


> Well then, most likely you can set up a MySQL database with your host. It should be a one-click install. Then read up on how to add values to MySQL tables using PHP. I'm certain there is some specific coding you have to use to get authentication to add values to tables and then have those values added incrementally.



The database is set up and the user john is added, and that account works.

But when I try to add a new user with this piece of info, the account information never works:


> INSERT INTO `members` VALUES (2, 'craig', '1235334');


I mean, the value is 2; I figured it would work, but it doesn't.


----------



## Easy Rhino (Apr 14, 2010)

Sean89 said:


> The database is set up and the user john is added, and that account works.
> 
> But when I try to add a new user with this piece of info, the account information never works.
> 
> I mean, the value is 2; I figured it would work, but it doesn't.



Does that actually add the value to the database?


----------



## Kreij (Apr 14, 2010)

You're in a little bit over your head, Sean, but fear not!! (sound of trumpets or something)
We will endeavor to assist you at no charge.

When you create an autoincrementing field, the database itself should handle setting that column's value. Try doing the INSERT with only the two column values.

INSERT INTO Members username, password VALUES ('Craig', 'CraigsPassword')


----------



## Sean8 (Apr 14, 2010)

Kreij said:


> You're in a little bit over your head, Sean, but fear not!! (sound of trumpets or something)
> We will endeavor to assist you at no charge.
> 
> When you create an autoincrementing field, the database itself should handle setting that column's value. Try doing the INSERT with only the two column values.
> ...



HAHA yes! I figured I was, but I'm just trying to make this work for our business website for people to use to view pictures and stuff. Already got the site up, and it looks awesome, I think, for my first site. I'll try the above when GoDaddy validates my database again (I've deleted it like 10 times since I was getting mad since only adding the one user was working LOL). Figured TPU would save me.


----------



## Easy Rhino (Apr 14, 2010)

It is a great learning experience. Knowing how to do something as simple as writing good PHP code to interact with an SQL database is very important, as you have figured out.


----------



## Sean8 (Apr 14, 2010)

Easy Rhino said:


> It is a great learning experience. Knowing how to do something as simple as writing good PHP code to interact with an SQL database is very important, as you have figured out.


I've been liking it so far, not the PHP, since I know nothing. The HTML and CSS for the site weren't too bad. I've read about MySQL injections; should I be worried about that with this login system and for the site that will be protected?

Do I add this to the page I want protected?



> ############### Code
> 
> // Check if session is not registered , redirect back to main page.
> // Put this code in first line of web page.
> ...


----------



## Easy Rhino (Apr 14, 2010)

Sean89 said:


> I've been liking it so far, not the PHP, since I know nothing. The HTML and CSS for the site weren't too bad. I've read about MySQL injections; should I be worried about that with this login system and for the site that will be protected?
> 
> Do I add this to the page I want protected?



I am not entirely sure how that process works, but you should be able to set up some SSL certification using GoDaddy so that any information entered into that login form will be encrypted and sent as such to the database.


----------



## Kreij (Apr 14, 2010)

Oh boy ... lol. You are in for a real learning experience, Sean, and fast.
Try not to get information overload, and don't get discouraged.

Yes, you need to worry about SQL injections. You need to sanitize the user's input so they cannot inject SQL commands into their input and totally hose or take over your database.

Does the guide you are using cover that?


----------



## Easy Rhino (Apr 14, 2010)

Kreij said:


> Oh boy ... lol. You are in for a real learning experience, Sean, and fast.
> Try not to get information overload, and don't get discouraged.
> 
> Yes, you need to worry about SQL injections. You need to sanitize the user's input so they cannot inject SQL commands into their input and totally hose or take over your database.
> ...



Wouldn't something like an AJAX form do that? It can check every aspect of the form for correct syntax.


----------



## Sean8 (Apr 14, 2010)

Kreij said:


> Oh boy ... lol. You are in for a real learning experience, Sean, and fast.
> Try not to get information overload, and don't get discouraged.
> 
> Yes, you need to worry about SQL injections. You need to sanitize the user's input so they cannot inject SQL commands into their input and totally hose or take over your database.
> ...



No, it doesn't. Is it just the PHP coding that prevents people from doing SQL injections, or is there any other thing that I should know about to reduce the risk of the database being seen? I noticed in the database you could choose from a drop-down menu to encrypt the text passwords. I mean, it's just a simple site with a password login to view pictures, but I'd like it to be secure.


----------



## Kreij (Apr 14, 2010)

If the coding you are using prevents injections then you should be okay.


----------



## Sean8 (Apr 14, 2010)

Kreij said:


> If the coding you are using prevents injections then you should be okay.


This is what it shows that prevents it; gonna research a bit on it. Anything else you recommend I should add to enhance the script? Here's the link to what I'm using: http://www.phpeasystep.com/phptu/6.html. Added the md5 part he recommended too; gonna try it when they set up my MySQL. Never took this long before, lalala.......


> $myusername = stripslashes($myusername);
> $mypassword = stripslashes($mypassword);
> $myusername = mysql_real_escape_string($myusername);
> $mypassword = mysql_real_escape_string($mypassword);


----------



## W1zzard (Apr 14, 2010)

No problems with SQL injection in that code. Please make sure to use encrypted passwords (md5); for added security, use a password salt. Google will tell you about it.


----------



## Sean8 (Apr 14, 2010)

When I go to add users with this


> INSERT INTO Members username, password VALUES ('craig', '56789')


it gives this error:


> Error
> 
> SQL query:
> 
> ...


----------



## Sean8 (Apr 14, 2010)

This worked and added the user. Thanks for all the help, guys.


> INSERT INTO `members` VALUES (2, 'craig', '1234');



As far as md5 goes, would that be in the checklogin file I would modify? I don't have a registration page; I add all users to the database myself.


----------



## Kreij (Apr 14, 2010)

My bad, Sean, I was typing in a hurry.

Should have been

```
INSERT INTO `members` (`username`, `password`) VALUES ('Craig', '1234')
```

You do not have to include the 'id' value in the INSERT statement since it is being auto-generated.

PHP has an md5() hash function. It returns a 32 character hexadecimal number.

```
$hash = md5($password);
```
So run the new password string through the function and store the result in the database.

```
$sql = "INSERT INTO `members` (`username`, `password`) VALUES ('Craig', '$hash')";
```
To check for the correct password ... take the password that the user entered and run it through the md5() function, then do a SELECT on the members table using the username and hash and see if it returns a record. If not, the username/password pair was not valid.


----------



## Sean8 (Apr 14, 2010)

Kreij, big thanks for the help; everything is working with some minor tweaking with the help of Google and you and the others that posted good responses. Question: what I did is add the md5 encrypt stuff in my login checker. Then in the MySQL database I just changed it to md5. Is this the correct way to do it since I don't have a registration form? Also, about the salt question: what it does is change the md5 numbers in the database every time a user logs in?
If so, is there any way you could put me in the right direction to do that?


> <?php
> ob_start();
> $host="hostname"; // Host name
> $username="mysqlname"; // Mysql username
> ...


----------



## Kreij (Apr 14, 2010)

You should put the 4 lines for injection in before the query is run.

I'll get back to you on the salt. A little busy at the moment.


----------



## Kreij (Apr 14, 2010)

Sorry about that.

A salt just adds a random string to the hash so that it becomes virtually impossible to generate a usable password from a hash (which is possible when just using a regular md5 hash).

This is a good example and explained very simply.
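Kreij's salted-hash scheme (this post and the md5 post above) carried through in PHP, as an added example that is not code from the thread or the phpeasystep guide. It assumes a `salt` column added to the guide's `members` table, swaps in PDO prepared statements for the guide's mysql_real_escape_string() lines, and uses placeholder connection values and the guide's `myusername`/`mypassword` form field names.

```php
<?php
// Added example, not from the thread or the guide. Assumes the guide's `members`
// table plus a `salt` varchar(32) column (constructed assumption).

// Per-user random salt, 32 hex characters.
function make_salt(): string {
    return bin2hex(random_bytes(16));
}

// The thread's md5() hash, with the user's salt prepended to the password.
function salted_hash(string $password, string $salt): string {
    return md5($salt . $password);
}

// Add a member. `id` is omitted so auto_increment assigns it, and the
// prepared statement keeps user-supplied text out of the SQL itself.
function add_user(PDO $db, string $username, string $password): int {
    $salt = make_salt();
    $stmt = $db->prepare('INSERT INTO `members` (`username`, `password`, `salt`) VALUES (?, ?, ?)');
    $stmt->execute([$username, salted_hash($password, $salt), $salt]);
    return (int) $db->lastInsertId();
}

// Login check: look the user up by name only, recompute the hash with the
// stored salt, and compare in constant time. Returns the member id or null.
function check_login(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT `id`, `password`, `salt` FROM `members` WHERE `username` = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // unknown username
    }
    $expected = salted_hash($password, $row['salt']);
    return hash_equals($row['password'], $expected) ? (int) $row['id'] : null;
}

// Usage; connection values are placeholders, not real credentials.
$db = new PDO(
    'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
add_user($db, 'craig', '1234');            // the thread's test user
$memberId = check_login($db, $_POST['myusername'] ?? '', $_POST['mypassword'] ?? '');
if ($memberId !== null) {
    session_start();
    $_SESSION['member_id'] = $memberId;    // protected pages test this key
}
```

In current PHP, password_hash() and password_verify() do the per-user salting and constant-time comparison with a slow hash and replace the md5() step; md5 is kept here only to match the thread's scheme.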


----------



## Sean8 (Apr 14, 2010)

I don't know if I added the MySQL injection bit in the right spot or not.



> <?php
> ob_start();
> $host="host"; // Host name
> $username="sqlname"; // Mysql username
> ...


----------



## Kreij (Apr 14, 2010)

Whoops, no. You need to get the values from the form first, so they should be after the lines that use "$_POST"


----------



## Sean8 (Apr 14, 2010)

Kreij said:


> Whoops, no. You need to get the values from the form first, so they should be after the lines that use "$_POST"


Whew, I think I got it now, lol. Thanks! Gonna read up on that article you posted.


> <?php
> ob_start();
> $host="hostname"; // Host name
> $username="mysqlname"; // Mysql username
> ...


----------



## Kreij (Apr 14, 2010)

Always happy to help when I can, and there are a lot of people on TPU who feel the same way.

If you have more questions on php (or any programming questions for that matter) you know where to find us.


----------



## Sean8 (Apr 15, 2010)

Anyone think a captcha will prevent it?

I'm trying to find a good place to get started to prevent brute forcing etc. on user accounts for my website. Right now I have a PHP login script and a MySQL database where I manually add users, then md5 the PWs. Google was really no help; found 1 topic about it. Maybe I'm wording it wrong in searches.


----------



## Kreij (Apr 15, 2010)

Thanks Sean, I think you will find having all the info in one thread easier to use as a resource if you need it in the future.

You really only need a captcha when you allow users to create accounts to prevent spam-bots from auto-registering. A brute force attack to crack passwords is probably not going to happen unless you are storing something on your site that is really interesting to hackers.


----------



## Sean8 (Apr 15, 2010)

My webpage is secured with a password that each user has. I'm trying to protect images for users to see ONLY ON THAT PROTECTED PAGE. For instance, right now someone can just type http://www.website.com/picturesforthesite/blah.png and view them, even when that picture is on my secured page where you need a password to view it. Any way to make them only viewable to users once they are logged in?


----------



## Sean8 (May 5, 2010)

bump..

Let me rephrase what I'm trying to accomplish.

I have my PHP login script set up with my MySQL database with usernames/passwords.
I'm trying to protect images on my website from being viewed by members logged in with my PHP login script. The script works, but anyone can type image URLs in without being logged in and view the pictures. Anyone with any idea, or any direction to point me in, in order to accomplish this? Any questions, just ask.

I've tried a couple of htaccess things and none seem to have worked.


----------

