Re: Membership site

wil prim <wilprim@xxxxxx> wrote:

>Ok so I have the md5() taken care of and now I have also attempted to
>create a login form plus a check login form that will try and match the
>hashed value of the input with a field in the database and if
>successful it will echo 'You are now logged in' or else it will echo
>'couldnt connect'. However when I try to log in with my newly created
>username and password it echoes 'couldnt connect'. Here is the code for
>the form:
>
><form method="post" action="check_login.php">
>            <span style="font-size: 14pt;">
>            Username: <input type="text" name="logginname" /><br/><br/>
>     Password: <input type="password" name="loginpassword" /><br/><br/>
>                                 <input type="submit" value="login"  />
></form>
>
>AND HERE IS THE check_login.php:
>
><?php
>
>include_once "connect_mysql.php";
>
>$result=mysql_query("SELECT * FROM Members");
>$row=mysql_fetch_array($result);
>$loginusername=$_POST['logginname'];
>$loginpass=$_POST['logginpassword'];
>$hash_loggin_username=md5($loginusername);
>$hash_loggin_password=md5($loginpass);
>if ($hash_loggin_username==$row['username'] &&
>$hash_loggin_password==$row['password'])
>{
>    echo 'You are now logged in!';
>}
>else
>    {
>        echo 'couldnt connect';
>    }
>?>
>
>In this code Members is the table and Persons is the database.
>
>
>
>
>
>On Jul 27, 2011, at 02:28 PM, wil prim <wilprim@xxxxxx> wrote:
>
>> Thanks for that! I'll try and put some code together and I'll reply
>> if I need some more help. ;)
>>
>> Sent from my iPhone
>>
>> On Jul 27, 2011, at 2:18 PM, Ashley Sheridan
>> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> > On Wed, 2011-07-27 at 14:01 -0700, wil prim wrote:
>> >
>> >> Hello, I am just starting out with PHP and I have just created a
>> >> database named "Members" with a table named "Persons". There are 5
>> >> fields (id, firstname, lastname, username, password). The form I
>> >> created is a sign up form and the values entered into the form are
>> >> inserted into the table "Persons", now my question is how do I
>> >> create a secure log in system with this new database? Thanks in
>> >> advance! :)
>> >>
>> >
>> >
>> > Well, first, as a measure of security, make sure that you don't
>> > store the plain text password in the DB. Something like an
>> > md5($password . $email . $name) offers a rudimentary protection. For
>> > something a little meatier, try sha1(). Storing it this way means
>> > that even if someone gained access to your DB, they don't actually
>> > have the passwords, as people often reuse passwords on different
>> > sites.
>> >
>> > As to the login, you would accept the username and password combo,
>> > and then hash or encrypt the password with the salt again, and
>> > compare with the entry in the DB. It's typical to have a counter of
>> > incorrect logins as well. More than 3 in a row causes the login for
>> > that username to lock for a specific period of time. To achieve
>> > this, you would need to add a couple of fields to your Persons
>> > table, `attempts`(tinyint) & `lock_time`(datetime).
>> >
>> > When you attempt to log someone in with the username and password
>> > (encrypted, hashed, whatever) you also check to see if the
>> > lock_time is not some time in the future. If it is, then you don't
>> > allow them access. If the password was wrong, then increment the
>> > attempts field by 1. If this field gets incremented to a specific
>> > value (say 3 for example) then you set the lock_time field to some
>> > date in the future, the wait period.
>> >
>> > When a user logs in successfully, set the attempts counter to 0
>> > again so it's ready for the next login attempt to the account. This
>> > just ensures that people aren't accidentally locked out
>> > indefinitely!
>> >
>> > This is all just a rough sketch out of how I'd go about it, but it
>> > should be enough logic for you to put some code together. It's no
>> > more complex than a couple of queries and a few if statements. It
>> > may help you to flowchart the whole thing out to get the logic clear
>> > in your mind.
>> >
>> > --
>> > Thanks,
>> > Ash
>> > http://www.ashleysheridan.co.uk
>> >
>> >
>

First, please reply to the list too and not just me.

Why are you retrieving a list of every user in your db? Use a where clause in SQL, it's much easier and faster.

You don't need to hash your usernames, just passwords. Also, echo out the full query. What does it look like?

Finally, you're creating a query object of all the data from your query, but then you're not looping through the rows, yet you're using a variable called $row which has never been defined. If you turn on all errors and warnings you would see this.
Thanks,
Ash
http://www.ashleysheridan.co.uk
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
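The login check the thread sketches (look the user up with a WHERE clause, leave the username in clear text, compare a salted password hash, count failures in `attempts` and lock the account via `lock_time`, reset the counter on success), written out as an added example that is not code from either poster. Two techniques are swapped in relative to the advice above: `password_hash()`/`password_verify()` (PHP 5.5+, bcrypt with a random per-user salt and constant-time comparison) replace the `md5()`/`sha1()` suggestions, and PDO prepared statements replace `mysql_query()`. The table name `Members` and columns `id`, `username`, `password`, `attempts`, `lock_time` follow the thread; the function names `create_member`/`check_login`, the policy constants `MAX_ATTEMPTS`/`LOCK_MINUTES`, and the in-memory SQLite database used so the file runs on its own are all assumptions for this example:

```php
<?php
// Added example, not from the original thread. Login check with a WHERE-clause
// lookup, bcrypt password hashes, and an attempts/lock_time lockout.
// Assumed policy values (not from the thread):
const MAX_ATTEMPTS = 3;   // failures in a row before the account locks
const LOCK_MINUTES = 15;  // how long the lock lasts

// Assumed MySQL schema change for the two extra columns the thread suggests:
//   ALTER TABLE Members
//     ADD COLUMN attempts  TINYINT UNSIGNED NOT NULL DEFAULT 0,
//     ADD COLUMN lock_time DATETIME NULL;

function create_member(PDO $db, string $username, string $password): void {
    // password_hash() picks a random salt and stores it inside the hash string,
    // so no separate salt column and no username/email mixing is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO Members (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Returns true only for a correct password on an unlocked account. Unknown
// user, wrong password and locked account all return false; the caller should
// print one generic message for all three so usernames cannot be enumerated.
function check_login(PDO $db, string $username, string $password): bool {
    // WHERE clause: fetch the one row for this username, not the whole table.
    $stmt = $db->prepare(
        'SELECT id, password, attempts, lock_time FROM Members WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: burn one bcrypt verification anyway so this path is not
        // measurably faster than the wrong-password path.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }

    // Locked: lock_time is set and still in the future.
    if ($row['lock_time'] !== null && strtotime($row['lock_time']) > time()) {
        return false;
    }

    if (!password_verify($password, $row['password'])) {
        $attempts = (int)$row['attempts'] + 1;
        if ($attempts >= MAX_ATTEMPTS) {
            // Lock the account and start the counter over, so one more typo
            // after the lock expires does not immediately re-lock it.
            $lockUntil = date('Y-m-d H:i:s', time() + LOCK_MINUTES * 60);
            $db->prepare('UPDATE Members SET attempts = 0, lock_time = ? WHERE id = ?')
               ->execute([$lockUntil, $row['id']]);
        } else {
            $db->prepare('UPDATE Members SET attempts = ? WHERE id = ?')
               ->execute([$attempts, $row['id']]);
        }
        return false;
    }

    // Success: reset the counter and clear any expired lock.
    $db->prepare('UPDATE Members SET attempts = 0, lock_time = NULL WHERE id = ?')
       ->execute([$row['id']]);

    // If a session is active, issue a fresh id on login to defeat session fixation.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['member_id'] = $row['id'];
    }
    return true;
}

// Stand-alone demo on an in-memory SQLite database (assumed for the example;
// the thread uses MySQL, where the queries above are the same).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Members (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL UNIQUE,
    password  TEXT NOT NULL,
    attempts  INTEGER NOT NULL DEFAULT 0,
    lock_time TEXT NULL)');
create_member($db, 'wil', 'correct horse battery staple');

var_dump(check_login($db, 'wil', 'wrong password'));                 // failure 1
var_dump(check_login($db, 'wil', 'wrong password'));                 // failure 2
var_dump(check_login($db, 'wil', 'wrong password'));                 // failure 3: locks
var_dump(check_login($db, 'wil', 'correct horse battery staple'));   // refused while locked
var_dump(check_login($db, 'nobody', 'anything'));                    // unknown user
```

The stored value in `password` is the full bcrypt string (`$2y$...`), so `password_verify()` needs no separate salt lookup, and the comparison is constant-time, unlike the `==` on hex strings in the posted `check_login.php`.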

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
