Pre-built login system for my webpage

Hi,

I'm after an easy-to-implement login system for my webpage. I know there are pre-built ones out there that you can use, as I don't want to (if possible) make one from scratch.

Can anybody recommend anything for me?

What I'm trying to do is create a portal on my webpage which allows me to log in and access my own area of the site.

Is there anything out there like this that is secure?
 
What kind of site will you be implementing this on? There are a lot of free scripts out there that can do all this for you, including portals, forums, CMS and social networking. Otherwise, if you already have the rest of the site made and only want a part of your site to require authorisation, then it is not hard to start from scratch and learn to make a login script. It could be a nice introduction to PHP for you.
 
It really isn't hard at all to make your own - E.g. http://www.phpeasystep.com/workshopview.php?id=6 .

Basically:

- Create simple form, username and password.
- Build simple SQL query from those values.
- If exactly one match to the details, log user in (in PHP, set a session).
- At top of each private page check if above session is created.

The tutorial also mentions salting your passwords, which for the small extra effort and benefit you should probably look into doing :)
 
It's for my own personal site. I'm creating myself a site which will be used as a profile on me and my work; the login system will be a portal for me to use to log in to my own personal pages to access certain objects and features which I plan on building.
 
DJMK4 - if it's a display of your work, then I would have thought you would create the login system yourself to demonstrate your skills.
 
Well, my primary work is not web-design ;) but I would like to learn more about web-design so I see your point.

OK, as long as I can find some decent tutorials on the web (thanks for the one above) I will do it. I did a very basic login system a while back which worked, but I don't think it was 100% secure.

Thanks for the info tho :)
 
Going back to this thread, I think I'm going to follow this tutorial; I just want people's approval:

http://www.tutorialtastic.co.uk/tutorial/creating_a_secure_php_login_page

I got a good idea of how it works. I've messed around myself, and with help from these forums I've managed to get a basic login script working. But I want to use extra security; cookies would be good (yum yum) and salting out passwords.

What do you guys think of the above link?
 
It really isn't hard at all to make your own - E.g. http://www.phpeasystep.com/workshopview.php?id=6 .

Basically:

- Create simple form, username and password.
- Build simple SQL query from those values.
- If exactly one match to the details, log user in (in PHP, set a session).
- At top of each private page check if above session is created.

The tutorial also mentions salting your passwords, which for the small extra effort and benefit you should probably look into doing :)

I don't see the point in starting a new thread for this so I will just post it here.

I am using the above tutorial to build a secure login system for a work site and I have a couple of issues that I hope someone can help with.

1) When a user enters their password into the form, how can I get it to show as * instead of letters?

2) When I correctly enter the admin username and password, it forwards me on to the login_success.php page and it shows the following error at the top of the page:

Notice: Use of undefined constant myusername - assumed 'myusername' in C:\Documents and Settings\..............\login_success.php on line 8

3) I want to start using MD5 passwords but haven't created a user creation page yet. I have only used the PHPMyAdmin page to enter one user called admin, using the following SQL command: "INSERT INTO `usrs` VALUES (1, 'admin', 'password', 'first_name', 'email');" How can I make it so that the password is entered as an MD5 password? EDIT: Do I have to set the SQL column up as ENCRYPT??

I am just learning as I go, so I apologise if these are silly questions, but, there are bound to be more to come :D

EDIT2: I've fixed error number 2, it was due to an error in the tutorial code:

Code:
<? 
session_start(); 
if(!session_is_registered(myusername)){ 
header("location:main_login.php"); 
} 
?>

it should have been: if(!session_is_registered('myusername')){
 
1 -
PHP:
<input type="password" name="passwd" size="15" maxlength="14">
2 - What's on line 8 of login_success.php? Probably reference to myusername, which as the error message says, is not defined.
3 -
PHP:
"INSERT INTO `usrs` VALUES (1, 'admin', 'MD5(password)', 'first_name', 'email');"
should work.
 
Thanks, changing the password type to password and not text sorted it out.

However, using 'MD5(password)' actually puts that in as the password and doesn't encrypt the password using md5 :)
 
I'm going to carry on with this tutorial, I think. You can spend hours looking for tutorials on the web; I think this one is a good base start but it needs to be tweaked to make it secure.

AHarvey - if it's OK with you, seeing as we are following the same tutorial, do you wish to swap ideas etc.? If you want, let me know. I can add you on MSN if you want.

I've got it working, thanks for the tip on how to salt out the password, going to give it a try now. :)

As I go along I'll try and implement more features into it.
 
Thanks, changing the password type to password and not text sorted it out.

However, using 'MD5(password)' actually puts that in as the password and doesn't encrypt the password using md5 :)

Sorry, should be MD5('password')

Quotes :)
 
OK

Could somebody give my code the once-over and state where I could improve? :)

I'm in the process of changing it so it uses SHA-1 hashes. I want to make it secure without going over the top; it's for a personal website.



Code:
<?php
$host='****'; // Host name
$username='*****'; // Mysql username
$password='*****'; // Mysql password
$db_name='******'; // Database name
$tbl_name='*******'; // Table name

// Connect to server and select databse.
mysql_connect($host, $username, $password)or die('cannot connect');
mysql_select_db($db_name)or die('cannot select DB');

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$encrypted_password=md5($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);



// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($encrypted_password);





// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "****.php"
session_register('myusername');
session_register('mypassword');
header('location:****.php');
}
else {
echo "Wrong Username or Password";
}
?>


I am planning on the following:

Changing from MD5 to SHA-1. Are there any other flaws that you can spot but I cannot?
 
You're stopping SQL injection after you run the SQL. I would look into a regex and whitelist what you want to allow here: http://uk3.php.net/preg_match

Even though it's just for yourself, some check for SQL injection is wise; it's good practice for a start, and a nasty person could just come along and delete your DB with one small statement. If you are storing anything in the database other than your login details this could be a real pain.

I had to do something similar for a uni project a while back and I chose to steer clear of login scripts, as a lot of them just did too much and a simple one only takes a few minutes to knock up.

EDIT:

Also, if you have encrypted the PW I don't see why you need to strip slashes etc., as it's now meaningless letters and numbers.
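Added example, not code from any poster or from the tutorials linked in this thread: the login steps listed earlier (form values, query, session) and the ordering problem raised in the reply above, written with bound parameters and PHP's built-in password_hash()/password_verify(), which salt each password automatically and replace a bare MD5 or SHA-1. The in-memory SQLite database, the helper function names and the sample credentials are assumptions made so it runs stand-alone; the `usrs` table, the `myusername` session key and `main_login.php` come from the thread.

```php
<?php
declare(strict_types=1);

// Constructed demo database (assumption: in-memory SQLite instead of the thread's MySQL).
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE usrs (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    return $db;
}

// password_hash() generates a random salt and stores it inside the returned hash string.
function create_user(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO usrs (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

// The username is bound as a parameter before the query runs, so it is never
// parsed as SQL. The password is compared in PHP, not inside the query.
function check_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM usrs WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn(); // false when no such user exists
    return is_string($hash) && password_verify($password, $hash);
}

// Call after a successful check_login(): keep the name only, never the password.
function start_user_session(string $username): void {
    session_start();
    session_regenerate_id(true); // fresh session ID at login
    $_SESSION['myusername'] = $username;
}

// Call at the top of each private page; exit stops the page body from running.
function require_login(): void {
    session_start();
    if (empty($_SESSION['myusername'])) {
        header('Location: main_login.php');
        exit;
    }
}

if (PHP_SAPI === 'cli') { // constructed demo, command line only
    $db = demo_db();
    create_user($db, 'admin', 'correct horse battery staple');
    var_dump(check_login($db, 'admin', 'correct horse battery staple'));
    var_dump(check_login($db, 'admin', 'wrong password'));
    var_dump(check_login($db, "admin' OR '1'='1", 'x')); // quotes are treated as data
}
```

On MySQL only the PDO connection string changes; the prepared statements and hashing calls stay the same.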
 
WEB DEVELOPMENT :mad: Not bleedin design!! Code = development!

Haha, had plenty of non techy people say "you do web design" and I go no "web development" and they say "so what's the difference". It goes downhill for them from there..
 