
Secure Login script

WebWatcher

New Member
Hey
Can somebody please point me in the right direction to find a secure login script that is easy to use and would keep web pages restricted to members' access? Preferably using MySQL.

Many thanks in advance
 
index.php
PHP:
<?php # index.php

require_once('includes/phpconnect.php'); // Connect to the database.

// Send NOTHING to the Web browser prior to the session_start() line!

// Check if the form has been submitted
if (isset($_POST['submitted'])) {

	$errors = array(); // Initialize error array.
	
	//Check for a username
	if (empty($_POST['username'])) {
		$errors[] = 'You need to enter a username.';
	} else {
		$n = mysql_real_escape_string($_POST['username']);
	}
	
	//Check for a password
	if (empty($_POST['password'])) {
		$errors[] = 'You need to enter a password.';
	} else {
		$p = mysql_real_escape_string($_POST['password']);
	}
	
	if (empty($errors)) { //If everything's OK.
	
		/* Retrieve the user and pass
		for username and password combination */
		$query = "SELECT * FROM TABLE_NAME_HERE WHERE user='$n' AND pass='$p'";
		$result = mysql_query ($query); // Run the query
		$row = mysql_fetch_array ($result, MYSQL_NUM); // Return a record, if applicable.
		
		if ($row) { // A record was pulled from the database.
		
			// Set the session data & redirect.
			session_name ('uID');
			session_start();
			$_SESSION['fname'] = $row[0];
			$_SESSION['lname'] = $row[1];
			$_SESSION['user'] = $row[2];
			$_SESSION['pass'] = $row[3];
			$_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']);
			
			// Redirect the user to the loggedin.php page.
			// Start defining the URL.
			$url = $strAdminURL;
			// Check for a trailing slash
			if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
				$url = substr ($url, 0, -1); // Chop off the slash.
			}
			// Add the page.
			$url .= '/admin.php';
			
			header("Location: $url");
			exit(); // Quit the script.
			
		} else { // No record matched the query.
			$errors[] = 'The username and password you entered do not match those on file.';  // Public Message.
		}
		
	} // End of if (empty($errors)) IF
	
	mysql_close(); // Closes the database connection.
	
} else { // Form has not been submitted.

	$errors = NULL;
	
}

?>

<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1250">
<title><?=$pT.' - Powered by Bright';?></title>
<link rel="stylesheet" href="../includes/css/style.css" type="text/css" />
</head>
<body bgcolor="#dedede" topmargin="0" leftmargin="0"> 

Welcome to the admin panel.  Please login to start editing the site to your specifications.
<br><br>


<?php

if (!empty($errors)) { // Print any error messages.
	echo 'Error!<br/>
	The following error(s) occurred:<br/>';
	foreach ($errors as $msg) { // Print each error.
		echo " - $msg<br/>\n";
	}
	echo '<br/>Please try again.<br/>';
}

// Create the form.

// Error message if someone tries to bypass the login.
if (isset($_GET['error'])) {
	echo 'Error!<br/>
	The following error(s) occurred:<br/>';
	echo ' - Please enter a username and password to access the admin panel.<br/>';
}

?>


<b>Login</b>
<form action="index.php" method="post">
	<p>Username:<br>
	<input class="textArea" type="text" name="username" size="20" maxlength="40" /><br/>
	Password:<br>
	<input class="textArea" type="password" name="password" size="20" maxlength="20" /></p>
	<p><input type="submit" name="submit" value="Login" /></p>
	<input type="hidden" name="submitted" value="TRUE" />
</form>

</body>
</html>

process.php
PHP:
<?php # process.php
# User is checked here after login.

session_name ('uID');
session_start(); // Start the session

// If no session value is present, redirect the user
if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT'])) ) {

	// Start defining the URL
	$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
	// Check for a trailing slash
	if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
		$url = substr ($url, 0, -1); // Chop off the slash.
	}
	$url .= '/index.php?error=1'; // Add the page.
	header("Location: $url");
	exit(); // Quit the script.
}

?>

phpconnect.php
PHP:
<?php

//error_reporting(E_ALL);

// Set the database access information as constants.
DEFINE ('DB_USER', 'DB_USER_NAME_HERE');
DEFINE ('DB_PASSWORD', 'DB_PASSWORD_HERE');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'DB_NAME_HERE');

// Make the connection.
$dbc = mysql_connect (DB_HOST, DB_USER, DB_PASSWORD) OR die ('Could not connect to MySQL: ' . mysql_error() );

// Select the database.
mysql_select_db (DB_NAME) OR die ('Could not select the database: ' . mysql_error() );

?>


admin.php
PHP:
<?php 

require_once ('process.php');
include ('includes/phpconnect.php');

?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Admin
</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

</head>

<body>
<span class="accName"><?php echo 'You are logged in as:<br/>' . htmlspecialchars($_SESSION['fname'] . ' ' . $_SESSION['lname']); // escape stored names before output ?></span><a href="<?=$strAdminURL;?>admin.php">Admin Home</a><img class="seperator" src="<?=$strGlobalImages;?>toolbar_seperator.jpg" width="2" height="19"><a href="logout.php">Log Out</a>

Welcome to the admin panel.
</body>
</html>

logout.php
PHP:
<?php

session_name ('uID'); // define the session to logout of.
session_start(); // declare that we are using sessions
unset($_SESSION['user'], $_SESSION['pass'], $_SESSION['agent']); // unset our sessions
session_destroy(); // now destroy them and remove them from the user's browser

// Start defining the URL
$url = 'http://' . $_SERVER['HTTP_HOST'];

// Check for a trailing slash
if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
	$url = substr ($url, 0, -1); // Chop off the slash.
}

$url .= '/index.php'; // Add the page.

header("Location: $url"); // forward you to a page of your choice

exit(); // exit

?>
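
A hardened variant of the credential check in index.php above, as an added example that is not part of the original post: the password is stored as a `password_hash()` value and checked with `password_verify()` instead of being compared in the SQL `WHERE` clause, the query uses a bound parameter, and the session ID is regenerated at login. The `members` table, its columns, the sample account and the in-memory SQLite database (used so the script runs stand-alone) are assumptions.

```php
<?php
// Added example, not the thread's code. Table and column names are hypothetical.
// In-memory SQLite keeps it self-contained; for MySQL use a DSN such as
// 'mysql:host=localhost;dbname=DB_NAME_HERE;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, fname TEXT,
            lname TEXT, user TEXT UNIQUE, pass_hash TEXT)');

// Constructed sample account: only a salted hash of the password is stored.
$pdo->prepare('INSERT INTO members (fname, lname, user, pass_hash) VALUES (?, ?, ?, ?)')
    ->execute(['Ada', 'Example', 'ada', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hash of a throwaway value, verified when the username is unknown so that
// both failure paths do the same amount of work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function check_login(PDO $pdo, string $user, string $password): ?array
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, fname, lname, pass_hash FROM members WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $ok = password_verify($password, $row ? $row['pass_hash'] : DUMMY_HASH);
    if (!$row || !$ok) {
        return null;              // same answer for unknown user and wrong password
    }
    unset($row['pass_hash']);     // the hash has no business in the session
    return $row;
}

// Call after check_login() succeeds and before any output is sent.
function begin_session(array $member): void
{
    session_name('uID');
    session_start();
    session_regenerate_id(true);  // fresh session ID at login (anti-fixation)
    $_SESSION['uid']   = $member['id'];
    $_SESSION['fname'] = $member['fname'];
    $_SESSION['lname'] = $member['lname'];
}

var_dump(check_login($pdo, 'ada', 'correct horse') !== null); // correct password
var_dump(check_login($pdo, 'ada', 'wrong'));                  // wrong password
var_dump(check_login($pdo, "o'neil", 'x'));                   // quote is data, not SQL
```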
 
I guess you missed the logout.php

Code:
<?
session_destroy();
?>
You are now logged out.

@methodcomptech: hey, just make sure you didn't give any of your passwords to the world:
DEFINE ('DB_USER', '*******');
DEFINE ('DB_PASSWORD', '*******');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', '*******');
 
I guess you missed the logout.php

Code:
<?
session_destroy();
?>
You are now logged out.

do you really need me to tell you how to log out too?

**There, it is posted now too**

BTW, I would just like to say that having this script really doesn't do anyone any good if you don't understand how it even works or know PHP. To really use this script, you should seriously sit down and learn PHP. It does you no good to have a secure login if you don't know how to do anything else after you do the login. So, just as a suggestion, go to your local bookstore, and pick up a book so you can better understand the scripts posted on the site. :D
 
do you really need me to tell you how to log out too?
err.... Yes... not everyone is as good as you in php :D

just curious:

session_name ('uID'); // define the session to logout of.
session_start(); // declare that we are using sessions
unset($_SESSION['user'], $_SESSION['pass'], $_SESSION['agent']); // unset our sessions
session_destroy(); // now destroy them and remove them from the user's browser

<?
session_destroy();
?>

Do these 2 make any difference? Aren't they just the same? I mean, why do we need to use session_start again?

Thanks.
 
Mine just looks to see if anyone is actually even logged in, and if so, what user you are logged in as, so that it kills the session for that specific user.

and yeah, you make a good point about needing the logout too, just figure that if someone is going to use this, they should probably have some knowledge of php before even messing with it. ;)
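
The difference asked about above, as an added example that is not part of any post in the thread: `session_destroy()` only acts on a session that the current request has resumed with `session_start()`, so unless `session.auto_start` is enabled the two-line version leaves the server-side session data in place. The `logout()` helper and the sample session value are assumptions.

```php
<?php
// Added example, not code from the thread. Nothing is printed until the end,
// so the session cookie header can still be sent.

function logout(string $name = 'uID'): bool
{
    session_name($name);   // must match the name used at login
    session_start();       // resume the session so there is something to destroy
    $_SESSION = [];        // clear the data for the rest of this request as well
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie in the browser, using the same parameters.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    return session_destroy();   // delete the server-side session data
}

// 1. No session_start(): session_destroy() has no session to act on.
//    It raises a warning (suppressed here) and reports failure.
$without_start = @session_destroy();

// 2. Simulate a logged-in user (constructed values), then log out properly.
session_name('uID');
session_start();
$_SESSION['user'] = 'ada';
$id = session_id();
session_write_close();   // end of the "login" request

session_id($id);         // the browser would send this ID back in its cookie
$with_start = logout();

var_dump($without_start, $with_start, $_SESSION);
```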
 
Ok, thanks for the explanation.

If you used the real password (the real server's password) for the example (up there), don't forget to change the password (I don't know what password it is... it looks like cPanel-style) on your server. Just in case :)
 
Thanks for the script methodcomptech :p I'll be taking apart that script line by line learning everything soon :D
 