
Creating a website login

Solved by knows_something:

At the end THIS site helped me get everything running. 

It's all quite simple: all I have to do is create an admin login on my site that will allow him to change database info in a browser. It's not a big project, just something for school, so I'll be using XAMPP for the server. My knowledge is pretty limited to only HTML, CSS, PHP and a little bit of JavaScript. I searched the web for a solution but nothing really looked like something I need. I don't know how I'd go about this because I've never done anything like this. What would you recommend?

Thanks in advance


Just now, Isakwang said:

Does it need to be secure? If not, you can just create a page that you navigate to via URL.

More secure version: http://stackoverflow.com/questions/4326971/show-content-only-if-logged-in

The password is MD5 encrypted in my database and that's basically all it has to be. I don't really understand what that does :/


When you log in (just use something basic) it checks if you are an admin. If yes, it enables a button allowing you to access the panel. You should also add a function on the panel that checks that token again to make sure whoever wants to access it really is admin.


Just now, Isakwang said:

When you log in (just use something basic) it checks if you are an admin. If yes, it enables a button allowing you to access the panel. You should also add a function on the panel that checks that token again to make sure whoever wants to access it really is admin.

sorry. bad page. new one coming

I just don't know how to check if the user in the user field matches the one in the database.


<?php
session_start();
if ($_SESSION['tillatelser'] == "admin"){
    echo "<a href='adminSide.php'>adminSide</a>";
}
?>

What you do is create a basic login function. Then, when you log in, you check whether the person who logged in has the right permission.


13 minutes ago, Isakwang said:

<?php
session_start();
if ($_SESSION['tillatelser'] == "admin"){
echo "<a href='adminSide.php'>adminSide</a>";
}
?>

My friend helped me out, but thanks for your help anyway. You're the only one who answered :P


41 minutes ago, knows_something said:

My friend helped me out, but thanks for your help anyway. You're the only one who answered :P

If you're using a check like that, use isset($_SESSION['']), else you will get an undefined index error when not logged in.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´
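Isakwang's permission check and vorticalbox's isset() point, combined into one guard as an added example (this is not code from the thread): the session key tillatelser and the role value admin come from Isakwang's snippet; the function names and the idea of a separate guard file are constructed for the example.

```php
<?php
// Added example, not code from the thread. A guard the admin panel can
// require on every request, so the role is checked server side on the
// panel itself and not only where the link is rendered. Session key
// 'tillatelser' and role 'admin' come from Isakwang's snippet; the
// function names and file names here are constructed.

declare(strict_types=1);

// True only when the session carries the admin role. isset() runs first, so a
// visitor who never logged in gets false instead of an undefined-index notice.
function isAdmin(array $session): bool
{
    return isset($session['tillatelser']) && $session['tillatelser'] === 'admin';
}

// First line of adminSide.php after session_start(): requireAdmin($_SESSION);
// Anyone who typed the URL without the role gets a 403 and no panel output,
// which is the "check that token again on the panel" step Isakwang describes.
function requireAdmin(array $session): void
{
    if (!isAdmin($session)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Called once the login form has been checked against the database. Rotating
// the session id on privilege change stops a session id handed out before
// login from quietly becoming an admin session.
function grantAdminRole(): void
{
    session_regenerate_id(true);
    $_SESSION['tillatelser'] = 'admin';
}

// Menu code from Isakwang's snippet, now safe when nobody is logged in:
//   if (isAdmin($_SESSION)) { echo "<a href='adminSide.php'>adminSide</a>"; }
```

The menu link and the panel use the same isAdmin() test, so there is one place to change if the role scheme grows beyond a single string.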


7 minutes ago, knows_something said:

At the end THIS site helped me get everything running. 

That site encourages you to store the password in plain text in the database. Let me make this very clear,

Never, under any circumstances, store passwords in plain text

If your website got hacked, the attacker would then have a list of plain text passwords, which they could then use to log into your website or any of the other sites that your users have reused their passwords on. I know your project isn't particularly important, but it is an incredibly bad habit to get into. Instead, you should use PHP's built in password_hash and password_verify functions.

You might say that you've designed your website to not be hackable. If you used the code that was provided in the site that you linked, your website is already hackable, because their code includes an SQL injection vulnerability. The offending bit of code is this:

$query = mysql_query("SELECT *  FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysql_error());

You don't have any checks to make sure that $_POST['user'] and $_POST['pass'] (aside: user and pass need to be quoted, and not doing so will result in PHP warnings) are safe. If I were a malicious user, I could make $_POST['pass'] something like

1' OR 1=1 --

The resulting query would be

SELECT *  FROM UserName where userName = 'username' AND pass = '1' OR 1=1 --'

(-- is the start of a comment). Hopefully you can see that would be a problem, because it would always be true, so it would log you in successfully, even though the password is wrong.

If you just try to patch what you have to prevent that, it won't work. There are far more sophisticated attacks that can bypass pretty much anything that you do to try and sanitise the string. The correct way to handle user input is to pass it through mysqli_real_escape_string before including it in the SQL query, or, ideally, use prepared queries.

You should also be using mysqli rather than the plain mysql, because the plain mysql library is insecure and has been removed as of PHP7. mysqli is 100% compatible with the normal MySQL database engine, but it's safer and generally better.

HTTP/2 203
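The injection colonel_mortis walks through, reproduced as an added example (not code from the thread or from the linked tutorial): the tutorial's string-built query beside a prepared statement that checks the password with password_verify(). It runs against an in-memory SQLite table through PDO, which assumes the pdo_sqlite extension is present; the tables, the sample account and its password are constructed here, and the vulnerable query keeps the shape of the MySQL one quoted above.

```php
<?php
// Added example, not code from the thread or the linked tutorial.
// Reproduces the injection colonel_mortis describes against an in-memory
// SQLite table via PDO (assumes the pdo_sqlite extension; the SQL has the
// same shape as the MySQL query quoted above), then shows the hardened
// version: a prepared statement plus password_hash()/password_verify().

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data. The legacy table stores the password in plain
    // text, the habit the post warns against; the fixed table stores a hash.
    $db->exec('CREATE TABLE UserName (userName TEXT, pass TEXT)');
    $db->exec("INSERT INTO UserName VALUES ('alice', 'correct horse')");
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// VULNERABLE: the tutorial's pattern. Form input is interpolated straight into
// the SQL text, so a quote in the input changes the query, not just the data.
function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT * FROM UserName WHERE userName = '$user' AND pass = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false;
}

// HARDENED: placeholders keep the input out of the query text, and the secret
// is never compared inside SQL at all; password_verify() checks it against the
// stored hash in constant time.
function loginSafe(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user: same answer as a wrong password
    }
    return password_verify($pass, $hash);
}

$db = makeDb();
$payload = "1' OR 1=1 --"; // the input quoted in the post above

printf("vulnerable, real password:  %s\n", loginVulnerable($db, 'alice', 'correct horse') ? 'login' : 'denied');
printf("vulnerable, injected input: %s\n", loginVulnerable($db, 'alice', $payload) ? 'login' : 'denied');
printf("prepared, real password:    %s\n", loginSafe($db, 'alice', 'correct horse') ? 'login' : 'denied');
printf("prepared, injected input:   %s\n", loginSafe($db, 'alice', $payload) ? 'login' : 'denied');
```

Run it with php from the command line. The vulnerable function accepts the injected input because the WHERE clause collapses to OR 1=1 and returns a row; the prepared version binds the username as data, selects only the stored hash, and compares the password outside the database, so there is no query text for the input to alter.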


1 hour ago, colonel_mortis said:

-snip

mysql has also been replaced with mysqli. I would also look into using PDO for your database stuff.



2 minutes ago, vorticalbox said:

mysql has also been replaced with mysqli. I would also look into using PDO for your database stuff.

1 hour ago, colonel_mortis said:

You should also be using mysqli rather than the plain mysql, because the plain mysql library is insecure and has been removed as of PHP7. mysqli is 100% compatible with the normal MySQL database engine, but it's safer and generally better.

PDO is good, but more tutorials online seem to teach mysql(i), which does make it more beginner friendly, though, thinking about it, that can also be a bad thing because there are lots of tutorials, such as that one, that do it wrong.

It is actually possible to do prepared queries using mysqli, but PDO is better designed for it.

What I'm trying to say is that it's mostly just personal preference, and neither is significantly better than the other, though PDO does encourage better form.



conn.php

<?php
class db {

    private static $handle;

    public static function connect($host, $username, $password, $db){
        self::$handle = new PDO("mysql:host={$host};dbname={$db}", $username, $password);
        self::$handle->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );
    }

    public static function query($sql, $args=null){
        $sth = self::$handle->prepare($sql);
        $sth->execute($args);
        return $sth;
    }

}
try
{
	db::connect("127.0.0.1", "root", "password", "dbname");
}catch(Exception $e)
{
	die("No connection to database");
}

?>

Then you can just pull the file in with include('conn.php');

For a login page, something like this.

<?php
session_start();

if(isset($_POST['login']))
{

	include_once('conn.php');
	
	$username = strtolower($_POST['username']);
	
	$result = db::query("select * from users where Username=:u and Password=:p", 
	array(":u"=>$username, ":p"=>sha1($_POST['password'])));
	$rows = $result->fetch(PDO::FETCH_NUM);
	if($rows) // fetch() returns false when no row matched
	{
		$_SESSION['login']=$_POST['username'];
		header("location: index.php");
		exit();
	}else
	{
		$_SESSION['message'] = "Login incorrect";
	}
}

?>

<article>
<?php
	if(isset($_SESSION['message']))
	{
		echo $_SESSION['message'];
		unset($_SESSION['message']);
	}
?>
	<form method='post' action=''>
		<input name='username' placeholder='username' required>
		<input type='password' name='password' placeholder='password' required>
		<input name='login' type="submit">
	</form>
</article>


On 11/04/2016 at 8:03 AM, vorticalbox said:

-snip-

I would suggest against the use of SHA1 for passwords, it is far too efficient to be safely used. Bcrypt or Scrypt are far better options (specifically, through PHP's password_hash and password_verify methods). 

15" MBP TB

AMD 5800X | Gigabyte Aorus Master | EVGA 2060 KO Ultra | Define 7 || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB


On 12/04/2016 at 0:23 AM, Blade of Grass said:

I would suggest against the use of SHA1 for passwords, it is far too efficient to be safely used. Bcrypt or Scrypt are far better options (specifically, through PHP's password_hash and password_verify methods). 

Yeah, I will probably go to using something else. I had a project in college last year that needed to securely store user passwords and sha1() was super quick to add to my code to pass that part :) I know, lazy.

Still, the rest of the code should be fine I think.
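The change Blade of Grass recommends, applied to the login flow vorticalbox posted, as an added example (not code from the thread): accept an existing sha1() hash once, verify it in constant time, and replace it with password_hash() output during that same login so nobody is locked out while the scheme changes, then let password_needs_rehash() catch future cost or algorithm bumps. It uses an in-memory SQLite table through PDO (assumes the pdo_sqlite extension); the rows are constructed and the column names follow vorticalbox's query.

```php
<?php
// Added example, not vorticalbox's code. Shows the change Blade of Grass
// recommends without locking existing users out: accept a legacy sha1()
// hash once, then replace it with password_hash() on a successful login.
// Uses an in-memory SQLite table via PDO (assumes pdo_sqlite) so it runs
// offline; the rows are constructed, the column names follow the thread.

declare(strict_types=1);

function makeUsersTable(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT NOT NULL)');
    // Constructed sample rows: one account still on the old sha1() scheme,
    // one already on password_hash() output.
    $ins = $db->prepare('INSERT INTO users VALUES (:u, :p)');
    $ins->execute([':u' => 'legacy', ':p' => sha1('hunter2')]);
    $ins->execute([':u' => 'modern', ':p' => password_hash('hunter2', PASSWORD_DEFAULT)]);
    return $db;
}

// A legacy sha1() hex digest is exactly 40 hex characters; password_hash()
// output starts with '$', so the two formats cannot be confused.
function isLegacyHash(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{40}$/', $stored);
}

// Returns true on a successful login and upgrades the stored hash when needed.
function login(PDO $db, string $username, string $password): bool
{
    $username = strtolower($username); // same normalisation as the posted code
    $stmt = $db->prepare('SELECT Password FROM users WHERE Username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;
    }

    if (isLegacyHash($stored)) {
        // hash_equals() compares in constant time; a plain === leaks how many
        // leading characters matched through timing.
        if (!hash_equals($stored, sha1($password))) {
            return false;
        }
        $needsUpgrade = true; // right password, old scheme: rehash now
    } else {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Also rehash when the default algorithm or cost has moved on.
        $needsUpgrade = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($needsUpgrade) {
        // The plaintext is only available during login, so this is the one
        // moment the hash can be upgraded transparently.
        $upd = $db->prepare('UPDATE users SET Password = :p WHERE Username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

function storedHash(PDO $db, string $username): string
{
    $stmt = $db->prepare('SELECT Password FROM users WHERE Username = :u');
    $stmt->execute([':u' => $username]);
    return (string) $stmt->fetchColumn();
}

$db = makeUsersTable();
printf("before: %s\n", storedHash($db, 'legacy'));
printf("wrong password accepted? %s\n", login($db, 'legacy', 'nope') ? 'yes' : 'no');
printf("right password accepted? %s\n", login($db, 'legacy', 'hunter2') ? 'yes' : 'no');
printf("after:  %s\n", storedHash($db, 'legacy')); // no longer a 40-char hex digest
```

Once every row has been upgraded (or after a deadline, with a forced reset for the stragglers), the isLegacyHash() branch can be deleted and the login is just password_verify() plus password_needs_rehash().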

