Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

PHP login page (noob warning)

  • #177210
    matt_sanford
    Participant

    Hey guys, I have a simple PHP login here that I am looking to utilize, but the problem I am running into–more where my experience is showing–is that I don’t know how to actually require a login in the event that a user were just to input the endpoint URL for the login script.
    Here is what I got so far:
    html

    <form action="checklogin.php" method="post">
    <h1>Sign In Here:</h1>
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" value="submit" name="submit">
    </form>
    <?php
    // Login script that the form above posts to.

    $username = $_POST['username'];
    $password = $_POST['password'];

    $mysqli = new mysqli('localhost', 'user', 'pass', 'table');

    // Only the username is escaped; $password is placed in the query as submitted.
    $username = $mysqli->real_escape_string($username);

    $query = "SELECT *
            FROM login
            WHERE username = '$username' AND password = '$password';";

    $result = $mysqli->query($query);

    if($result->num_rows == 0) // No matching row. Redirect to the login form.
    {
        header('Location: index.php');
        exit; // header() alone does not stop the script
    }

    $userData = mysqli_fetch_array($result, MYSQLI_ASSOC);

    if($password != $userData['password']) // Incorrect password. So, redirect to login_form again.
    {
        header('Location: index.php');
        exit;
    }else{ // Redirect to home page after successful login.
        header('Location: home.html');
        exit;
    }

    ?>
  • #177229
    __
    Participant

    The answer to your specific question is to check that the user is logged in before showing them any restricted content. Sessions are an easy way to keep track of this: when logging in, set a session variable that indicates they have authenticated recently. If that variable is not set, then your restricted pages can refuse to display their content (and/or redirect to the login page).

    I’m no PHP expert, but on a side note it doesn’t look like you’re protecting against SQL injection attacks.

    True. It’s great that you’re using the current mysqli library: you should also use prepared statements.

    You are also (it would seem) storing your users’ passwords in plain text, which is a big security problem. You should hash the passwords for storage; the actual password itself should never be saved anywhere in your application.

    PHP 5.5 has some built-in password functions that make password hashing much easier. If you are using an older PHP version, there is a userland library that provides these same functions.
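
The session check, prepared statement and password hashing described in the reply above, put together as an added example (not code from either poster). The file name `auth.php`, the `password_hash` column, the `home.php` page and all function names are assumptions for illustration; it needs PHP 7.1 or later.

```php
<?php
// auth.php (hypothetical name): included by checklogin.php and every restricted page.
// Assumes a hypothetical `password_hash` column in `login` holding password_hash() output.
session_start();

// Returns the stored hash for $username, or null when there is no such user.
function find_password_hash(mysqli $db, string $username): ?string
{
    // Prepared statement: the username is sent as bound data, never spliced into the SQL.
    $stmt = $db->prepare('SELECT password_hash FROM login WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $hash : null;
}

// Verifies the credentials and, on success, marks this session as authenticated.
function attempt_login(mysqli $db, string $username, string $password): bool
{
    $hash = find_password_hash($db, $username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true); // new session ID once the privilege level changes
    $_SESSION['username'] = $username;
    return true;
}

// Body of checklogin.php: check the POSTed form, then redirect.
function handle_login_post(mysqli $db): void
{
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    $ok = is_string($user) && is_string($pass) && attempt_login($db, $user, $pass);
    header('Location: ' . ($ok ? 'home.php' : 'index.php'));
    exit; // stop so nothing after the redirect runs
}

// First line of each restricted page (which must be PHP, e.g. home.php, not home.html).
function require_login(): void
{
    if (empty($_SESSION['username'])) {
        header('Location: index.php');
        exit; // the restricted content below this call is never sent
    }
}
```

Rows for this table would be created with `password_hash($password, PASSWORD_DEFAULT)` at registration, so the plain password is never stored.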
