Php Login and Register Script

[ashraf97]

hey can anyone help me do this, I want someone to try and help me/ guide me through on how to do this, any help is appreciated.

[SSL]

This is the first tutorial I used way back when: http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/

 

Note that this is a very basic walkthrough that gets you up and running but not necessarily doing things the abosolute best way. A web application with user registration and login is best handled by a framework unless the site you will be building is VERY small.

[fizzlesticks]

This is the first tutorial I used way back when: http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/

Way back when is way too long ago, don't use that for the database side of things.

 

You should be using PDOs or the mysqli functions that allow prepared statements.

This site shows how to do the creating and checking of passwords but leaves out any actual html. https://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/

[SSL]

Way back when is way too long ago, don't use that for the database side of things.

 

You should be using PDOs or the mysqli functions that allow prepared statements.

This site shows how to do the creating and checking of passwords but leaves out any actual html. https://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/

 

Which is why I said it wasn't the best way. For learning it makes no difference, since ultimately using anything short of a full framework for real PHP development is fairly gross.

[Maximation]

Way back when is way too long ago, don't use that for the database side of things.

 

You should be using PDOs or the mysqli functions that allow prepared statements.

This site shows how to do the creating and checking of passwords but leaves out any actual html. https://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/

 

The Blowfish hashing algorithm is no longer recommended, I believe. There are better options out there.

[ashraf97]

alright ive got the site running, now I just need to make a database for the login and pass without hardcoding, help pls?

[SSL]

alright ive got the site running, now I just need to make a database for the login and pass without hardcoding, help pls?

 

The link I posted has full instructions on how to create the database, I believe the other link does as well. What specifically do you need help with?

[ItsFTP]

My question is: What do you know about mysql/mysqli and php already?

Right now a whole series on how to code in php and database management is something what would help you.

[ashraf97]

alright well ive managed to create the login and I have connected it with the database, I just need to know how to create an online shopping cart system? any tutorials you guys could link me?

[ekv]

Sorry if I fail while coding because i will not debug this script, but i will try to show you how everything works.

 

You have PHP script and MySQL DB. Let's start with MySQL.

MySQL is very, very simple, you have Database -> Table -> Columns -> Rows.

So let's make one database with table "Users" and columns like "ID, fist name, last name, email, username, password", that is like basic if you want to have users.

Every row needs to have his own ID, that is like number of citizen ID card, or whatever.

 

So let's make database:

CREATE DATABASE `mywebsite`CREATE TABLE IF NOT EXISTS `users` (  `id` int(11) NOT NULL AUTO_INCREMENT,  `f_name` varchar(50) COLLATE utf8_bin NOT NULL,  `l_name` varchar(50) COLLATE utf8_bin NOT NULL,  `email` varchar(50) COLLATE utf8_bin NOT NULL,  `username` varchar(50) COLLATE utf8_bin NOT NULL,  `password` varchar(50) COLLATE utf8_bin NOT NULL,  PRIMARY KEY (`id`)) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin AUTO_INCREMENT=1;

MySQL is very simple, and even from this query you can know what witch part is doing.

I made everything varchar 50 and ID (11 - 32b init) and primary key for ID as auto increment for ID.

 

So let's put some rows in this table, another query:

INSERT INTO `users` (`f_name`,`l_name`,`email`,`username`,`password`)VALUES ('Firstname', 'Lastname', '[email protected]<script cf-hash='f9e31' type="text/javascript">/*  */</script>', 'ekv', 'password321');

So now you can run query with statement to find something as:

SELECT * FROM `users` WHERE `username` = 'ekv' AND `password` = 'password321'

If you run that in your phpMyAdmin you will find this row. Why, because there is user with username 'ekv' and with password 'password321'

This is the breakpoint, if you now need to start experimenting as miss password, try with username as 'ekv1' and you will end up with

"Returned an empty result set (i.e. zero rows)", why? Becuase there is no row tih that informations.

 

So if you understand this part you can move to PHP.

PHP will do same thing for you:

 

Let's first connect to DB with PHP and start sessions.

<?php@[member='sessionshunter']_start(); // Start PHP session@$conn = mysql_connect('localhost','root','toor') or die("Fatal error, no DB accs!"); // Use host,username,password to connect do DB@mysql_select_db('mywebsite', $conn) or die("Fatal error, no DB!"); // Select DB name.        // All of those are for UTF-8.	mysql_query('SET NAMES utf8');	mysql_query("SET character_set_client = 'utf8'");	mysql_query("SET character_set_connection = 'utf8'");	mysql_query("SET character_set_results = 'utf8'");	mysql_query("SET character_set_server = 'utf8'");

You don't really need lines after 4. line. But if you do have them then your code supports UTF-8, that is rly good to have.

I'm Serbian and Serbian letters are same as Russian. So we need UTF-8.

If you dont need UTF-8 just don't put queries after 4. line.

 

Now we need to make isset. With same MySQL query that we used before to check if user exists.

if(isset($_POST['username']) && isset($_POST['password'])) { // Isset bypass error of making two files for login.// Sme query that we used before$login_query = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");        // If number of rows is == to 0 (zero) then return error.	if(mysql_num_rows($admin) == 0) {                // Pick error, as this.		die("Wrong username or password.");        // If there is user:	} else {                // Use same query to fetch in array all abou that user, so you can put his ID in session.		$user = mysql_fetch_array($login_query, MYSQL_ASSOC);			$_SESSION['user_id'] = $user['id'];	}}?>

Simple as that, now we just need HTML form, that is rly sample.

<form method="POST" action="">	<input type="text" placeholder="Username" name="username">	<br>	<input type="text" placeholder="Password" name="password">	<br>	<input type="submit" value="Login"></form>

Simple HTML form with method POST and placeholder in textbox, and one submit button.

 

Here is whole file, let's name it "login.php"

<?php@[member='sessionshunter']_start(); // Start PHP session@$conn = mysql_connect('localhost','root','toor') or die("Fatal error, no DB accs!"); // Use host,username,password to connect do DB@mysql_select_db('mywebsite', $conn) or die("Fatal error, no DB!"); // Select DB name.    // All of those are for UTF-8.	mysql_query('SET NAMES utf8');	mysql_query("SET character_set_client = 'utf8'");	mysql_query("SET character_set_connection = 'utf8'");	mysql_query("SET character_set_results = 'utf8'");	mysql_query("SET character_set_server = 'utf8'");if(isset($_POST['username']) && isset($_POST['password'])) { // Isset bypass error of making two files for login.// Sme query that we used before$login_query = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");    // If number of rows is == to 0 (zero) then return error.	if(mysql_num_rows($admin) == 0) {        // Pick error, as this.		die("Wrong username or password.");        // If there is user:	} else {        // Use same query to fetch in array all abou that user, so you can put his ID in session.		$user = mysql_fetch_array($login_query, MYSQL_ASSOC);			$_SESSION['user_id'] = $user['id'];	}}?><form method="POST" action="">	<input type="text" placeholder="Username" name="username">	<br>	<input type="text" placeholder="Password" name="password">	<br>	<input type="submit" value="Login"></form>

So that is for login, register is same just use MySQL query i give to you.

Sorry for log post and bad english, but i'm drunk. :'D

[ashraf97]

This is the first tutorial I used way back when: http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/

 

Note that this is a very basic walkthrough that gets you up and running but not necessarily doing things the abosolute best way. A web application with user registration and login is best handled by a framework unless the site you will be building is VERY small.

 I've done everything up to the logging in part, when i enter my user (ash) and password (password) and press register the site just crashes, it says safari has crashed. this is my code for my register.php:

 

<form name="register" action="register.php" method="post">

    Username: <input type="text" name="username" maxlength="30" />

    Password: <input type="password" name="pass1" />

    Password Again: <input type="password" name="pass2" />

    <input type="submit" value="Register" />

</form>

 

<?php

 

$username = $_POST['username'];

$pass1 = $_POST['pass1'];

$pass2 = $_POST['pass2'];

if($pass1 != $pass2)

    header('Location: register.php');

if(strlen($username) > 30)

    header('Location: register.php');

 

$hash = hash('sha256', $pass1);

 

function createSalt()

{

    $string = md5(uniqid(rand(), true));

    return substr($string, 0, 3);

}

$salt = createSalt();

$hash = hash('sha256', $salt . $hash);

$dbhost = 'localhost';

$dbname = 'Users';

$dbuser = 'ash';

$dbpass = 'password';

$conn = mysql_connect($dbhost, $dbuser, $dbpass);

mysql_select_db($dbname, $connect);

$username = mysql_real_escape_string($username);

$query = "INSERT INTO users ( username, password, salt )

        VALUES ( '$username' , '$hash' , '$salt' );";

mysql_query($query);

mysql_close();

header('Location:login_form.php');

?>

 

 

and this is my login_form.php:

 

<form name="login" action="login.php" method="post">

    Username: <input type="text" name="username" />

    Password: <input type="password" name="password" />

    <input type="submit" value="Login" />

</form>

 

<?php

$username = $_POST['username'];

$password = $_POST['password'];

 

$username = mysql_real_escape_string($username);

$query = "SELECT password, salt

        FROM users

        WHERE username = '$username';";

$result = mysql_query($query);

if(mysql_num_rows($result) < 1) //no such user exists

{

    header('Location: login_form.php');

}

$userData = mysql_fetch_array($result, MYSQL_ASSOC);

$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );

if($hash != $userData['password'])

{

    header('Location: login_form.php');

}

?>

 

 

whats wrong?

[SSL]

 

 I've done everything up to the logging in part, when i enter my user (ash) and password (password) and press register the site just crashes, it says safari has crashed. this is my code for my register.php:

 

I'm not sure how that would be causing Safari to crash. Anything in your web server log?

 

[ashraf97]

I'm not sure how that would be causing Safari to crash. Anything in your web server log?

 

no not sure but when i add the header to the bottom of the register script it just crashes? but then i take it out it works again?

 

header('Location: login_form.php');

[ashraf97]

I'm not sure how that would be causing Safari to crash. Anything in your web server log?

 

when i take out the headers from both the register form and the login form they both open but it doesn't exactly execute anything,i looked up why it said that when i added the headers it creates too many redirects so in turn it just crashes?

[SSL]

no not sure but when i add the header to the bottom of the register script it just crashes? but then i take it out it works again?

 

header('Location: login_form.php');

 

Calls to the header function need to be before there is any html output to the browser. This is because they are setting the header of the server response. If you have html in your php script first, the server will start buffering the response and won't let you set the header.

 

The html for the form should go in register_form.php, not in register.php.

 

[ashraf97]

Calls to the header function need to be before there is any html output to the browser. This is because they are setting the header of the server response. If you have html in your php script first, the server will start buffering the response and won't let you set the header.

 

The html for the form should go in register_form.php, not in register.php.

 

i don't have another file called register_form.php i only have a register.php. so what should i do?

[SSL]

i don't have another file called register_form.php i only have a register.php. so what should i do?

 

MAKE a file called register_form.php and put the html for the form in that page (along with the html structure of a normal page, <html><head>, etc) and remove all HTML from register.php.

[ashraf97]

 

Sorry if I fail while coding because i will not debug this script, but i will try to show you how everything works.

 

You have PHP script and MySQL DB. Let's start with MySQL.

MySQL is very, very simple, you have Database -> Table -> Columns -> Rows.

So let's make one database with table "Users" and columns like "ID, fist name, last name, email, username, password", that is like basic if you want to have users.

Every row needs to have his own ID, that is like number of citizen ID card, or whatever.

 

So let's make database:

CREATE DATABASE `mywebsite`CREATE TABLE IF NOT EXISTS `users` (  `id` int(11) NOT NULL AUTO_INCREMENT,  `f_name` varchar(50) COLLATE utf8_bin NOT NULL,  `l_name` varchar(50) COLLATE utf8_bin NOT NULL,  `email` varchar(50) COLLATE utf8_bin NOT NULL,  `username` varchar(50) COLLATE utf8_bin NOT NULL,  `password` varchar(50) COLLATE utf8_bin NOT NULL,  PRIMARY KEY (`id`)) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin AUTO_INCREMENT=1;

MySQL is very simple, and even from this query you can know what witch part is doing.

I made everything varchar 50 and ID (11 - 32b init) and primary key for ID as auto increment for ID.

 

So let's put some rows in this table, another query:

INSERT INTO `users` (`f_name`,`l_name`,`email`,`username`,`password`)VALUES ('Firstname', 'Lastname', '[email protected]<script cf-hash='f9e31' type="text/javascript">/*  */</script>', 'ekv', 'password321');

So now you can run query with statement to find something as:

SELECT * FROM `users` WHERE `username` = 'ekv' AND `password` = 'password321'

If you run that in your phpMyAdmin you will find this row. Why, because there is user with username 'ekv' and with password 'password321'

This is the breakpoint, if you now need to start experimenting as miss password, try with username as 'ekv1' and you will end up with

"Returned an empty result set (i.e. zero rows)", why? Becuase there is no row tih that informations.

 

So if you understand this part you can move to PHP.

PHP will do same thing for you:

 

Let's first connect to DB with PHP and start sessions.

<?php@[member='sessionshunter']_start(); // Start PHP session@$conn = mysql_connect('localhost','root','toor') or die("Fatal error, no DB accs!"); // Use host,username,password to connect do DB@mysql_select_db('mywebsite', $conn) or die("Fatal error, no DB!"); // Select DB name.        // All of those are for UTF-8.	mysql_query('SET NAMES utf8');	mysql_query("SET character_set_client = 'utf8'");	mysql_query("SET character_set_connection = 'utf8'");	mysql_query("SET character_set_results = 'utf8'");	mysql_query("SET character_set_server = 'utf8'");

You don't really need lines after 4. line. But if you do have them then your code supports UTF-8, that is rly good to have.

I'm Serbian and Serbian letters are same as Russian. So we need UTF-8.

If you dont need UTF-8 just don't put queries after 4. line.

 

Now we need to make isset. With same MySQL query that we used before to check if user exists.

if(isset($_POST['username']) && isset($_POST['password'])) { // Isset bypass error of making two files for login.// Sme query that we used before$login_query = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");        // If number of rows is == to 0 (zero) then return error.	if(mysql_num_rows($admin) == 0) {                // Pick error, as this.		die("Wrong username or password.");        // If there is user:	} else {                // Use same query to fetch in array all abou that user, so you can put his ID in session.		$user = mysql_fetch_array($login_query, MYSQL_ASSOC);			$_SESSION['user_id'] = $user['id'];	}}?>

Simple as that, now we just need HTML form, that is rly sample.

<form method="POST" action="">	<input type="text" placeholder="Username" name="username">	<br>	<input type="text" placeholder="Password" name="password">	<br>	<input type="submit" value="Login"></form>

Simple HTML form with method POST and placeholder in textbox, and one submit button.

 

Here is whole file, let's name it "login.php"

<?php@[member='sessionshunter']_start(); // Start PHP session@$conn = mysql_connect('localhost','root','toor') or die("Fatal error, no DB accs!"); // Use host,username,password to connect do DB@mysql_select_db('mywebsite', $conn) or die("Fatal error, no DB!"); // Select DB name.    // All of those are for UTF-8.	mysql_query('SET NAMES utf8');	mysql_query("SET character_set_client = 'utf8'");	mysql_query("SET character_set_connection = 'utf8'");	mysql_query("SET character_set_results = 'utf8'");	mysql_query("SET character_set_server = 'utf8'");if(isset($_POST['username']) && isset($_POST['password'])) { // Isset bypass error of making two files for login.// Sme query that we used before$login_query = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");    // If number of rows is == to 0 (zero) then return error.	if(mysql_num_rows($admin) == 0) {        // Pick error, as this.		die("Wrong username or password.");        // If there is user:	} else {        // Use same query to fetch in array all abou that user, so you can put his ID in session.		$user = mysql_fetch_array($login_query, MYSQL_ASSOC);			$_SESSION['user_id'] = $user['id'];	}}?><form method="POST" action="">	<input type="text" placeholder="Username" name="username">	<br>	<input type="text" placeholder="Password" name="password">	<br>	<input type="submit" value="Login"></form>

So that is for login, register is same just use MySQL query i give to you.

Sorry for log post and bad english, but i'm drunk. :'D

 

Parse error: syntax error, unexpected '=' on line 2, can't figure it out

this is the line, whats incorrect

 

@[member=Member] ='sessionshunter'_start(); // Start PHP session

[Lumi]

$login_query = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");

So that is for login, register is same just use MySQL query i give to you.

Sorry for log post and bad english, but i'm drunk. :'D

 

Where is bobby tables?

http://xkcd.com/327/

[ashraf97]

last question, why does it error when i press the register button, the error is "Parse error: syntax error, unexpected end of file"

 

 
<?php
 
$username = (isset($_POST['username']));
$pass1 = (isset($_POST['pass1']));
$pass2 = (isset($_POST['pass2']));
if (isset( $_POST['Register'] ) ){
 
echo "login_form.php";
 
if($pass1 != $pass2);{
 
    header('Location: register.php');
 
if(strlen($username) > 30)
    header('Location: register.php');
 
$hash = hash('sha256', $pass1);
 
function createSalt()
{
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}
$salt = createSalt();
$hash = hash('sha256', $salt . $hash);
$dbhost = 'localhost';
$dbname = 'Users';
$dbuser = 'ash';
$dbpass = 'password';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname, $conn);
$username = mysql_real_escape_string($username);
$query = "INSERT INTO users ( username, password, salt ) 

        VALUES ( '$username' , '$hash' , '$salt' );";

mysql_query($query);

mysql_close();

 

header('Location: login_form.php')

 

?>

[code]

[ekv]

Parse error: syntax error, unexpected '=' on line 2, can't figure it out

this is the line, whats incorrect

 

@[member=Member] ='sessionshunter'_start(); // Start PHP session

 

It's some forum error, it's soud say @ses.sion_start(); (without of dot) i'm not sure why forum keep changin that?

 

I will edit post.