kishou Posted December 23, 2007

v1

1. First, if you don't know what PHP or MySQL is, I suggest you read my other tutorial called Mailing for a more detailed understanding of MySQL and PHP. If not, here's a quick summary.

Vocab: die(). exits the current script

more info: http://www.w3schools.com/php/default.asp

2. First we create a register page and name it "register.html", and put this code in it.

    <html>
    <head><title>Register!</title></head>
    <body>
    <form action="register.php" method="post">
    Username: <input type="text" name="Username" /><br> <!-- the part where the user enters in his/her username -->
    Password: <input type="password" name="Password" /><br> <!-- This is where the user enters in his/her password -->
    Confirm Password: <input type="password" name="ConfirmPassword" /><br> <!-- This part is the confirmation password so the user has to enter in his/her password again. -->
    Email: <input type="text" name="Email" /><br> <!-- This part the user enters in his/her email. -->
    Confirm Email: <input type="text" name="ConfirmEmail" /><br> <!-- In this part the user enters in his/her email again. -->
    <input type="Submit" name="Submit" /><br> <!-- This is the submit button that the user clicks -->
    </form>
    </body>
    </html>

3. Create a MySQL database if you don't already have one. Make a table in "phpmyadmin" called registered_members and make 3 fields exactly named this: "Username", "Password", "Email".

4. Make a new file called "register.php" in the same folder that register.html is in. In the new file put this code in it:

    <html>
    <head><title>Register!</title></head>
    <body>
    <?php
    // connects to your database and change the kishou name to the name of your MySQL username and change the 8642 part to the password of your MySQL.
    $con = mysql_connect("localhost", "kishou", "8642");
    // If it cant connect it ends all the functions which is what die is. and then it prints couldnt connect to database.
    if (!$con)
    {
        die('Couldnt connect to Database');
    }
    mysql_select_db("kishou_website", $con); // change the kishou_website name to the name of your database.
    // This part we're making a new variable called email and it equals what the user inputted. Variables can make coding alot easier as you'll see later on.
    $email = $_POST["Email"];
    $emailconf = $_POST["ConfirmEmail"]; // we make another variable and its what the user put in the confirm email box.
    // now this is the part where variables come in handy. Ok so we're saying if the email that the user putted is not equal to the thing the user inputted in the confirmation email it ends all functions which is what die does and it prints Emails do not match. and the php code for not equal is !==. also you're proly noticing alota semi collans and thats because it creates a new line of code. you like always use the semi collan. and the semi collan goes at the end of the line. or you can just press the END button on your keyboard.
    if ($email !== $emailconf)
    {
        die('Emails do not match.');
    }
    $pass = $_POST["Password"]; // Now we do the same thing except for the passwords
    $confpass = $_POST["ConfirmPassword"];
    if ($pass !== $confpass)
    {
        die('Passwords do not match.');
    }
    mysql_select_db("kishou_website", $con); // we select our database again. and you should switch kishou_website with the name of your database.
    // in this part we check if the username the user inputted is already in the table aka registered.
    $res = mysql_query("SELECT * FROM registered_members where Username='".$_POST['Username']."'");
    // if there's more than one row with the same username the database we exit all scripts with the die function and print username already taken.
    if (mysql_num_rows($res) > 0)
    {
        die('Username already taken!');
    }
    else
    $sql = "INSERT INTO registered_members (Username, Password, Email)
    VALUES('$_POST[Username]','$_POST[Password]','$_POST[Email]')"; // Inserts the username and password and email that the user inputted and put it into the rows called username, password, and email.
    if (!mysql_query($sql, $con))
    {
        die('Error: ' . mysql_error());
    }
    $to = "$_POST[Email]"; // This part we send the email.
    $subject = "Successfully Registered!";
    $message = "Hello! You have successfully registered to pspstuff.elementfx.com! Username:$_POST[Username], Password:$_POST[Password]"; // We give them the username that they registered with.
    $from = "donotrespond@something.com"; // put whatever email you want to for the from string.
    $headers = "From: $from";
    mail($to, $subject, $message, $headers);
    echo "Successfully Registered! Check your email!";
    mysql_close($con); // Close the database connection
    ?>
    </body>
    </html>

6. Make a new file called login.html and put this code in it:

    <html>
    <head><title>Login</title></head>
    <body>
    <form action="login.php" method="post">
    Username: <input type="text" name="username" /><br/>
    Password: <input type="password" name="password" /><br/>
    <input type="submit" value="Login" />
    </form>
    </body>
    </html>

7. Next create a new file called login.php and it should be located in the same folder as the login.html file. And put this code in the php file:

    <html>
    <head><title>Login</title></head>
    <body>
    <?php
    $con = mysql_connect("localhost", "kishou", "8642");
    if (!$con)
    {
        die('Couldnt connect to Database');
    }
    mysql_select_db("kishou_website", $con);
    $result = mysql_query("SELECT * FROM registered_members"); //we create a new variable and say what the variable does and the variable just looks in the table registered_members.
    $row = mysql_fetch_array($result); // we make the variable row and say that it selects all of the info in the variable result which we just defined before.
    if ($_POST['Username']==$row[ 'username']&&$_POST['password']==$row[ 'Password']) //This part is just saying if the username you entered equals the row in the table and the password the user entered equals a row in the table it logs in or prints login succesfull
    echo "Login successful";
    else
    die('Login failed'); //This is saying if it cant log in then it says Login in failed
    mysql_close($con);
    ?>
    </body>
    </html>

v2

changes:
we use mysql_real_escape_string() so someone can't SQL inject.
make a database called: mainwebsite
make a table called: registered_members
make these fields with these names: username, password, email, ip

1. put this in the register.php file:

    <html>
    <head><title>Register!</title></head>
    <body>
    <?php
    $ip = $_SERVER['REMOTE_ADDR'];
    if ($_POST['Username'] == false) // if person didnt fill out form
        die("Please fill out form.");
    elseif ($_POST['Password'] == false) // if person didnt fill out form
        die("Please fill out form.");
    else
    // connects to your database and change the kishou name to the name of your MySQL username and change the 8642 part to the password of your MySQL.
    $con = mysql_connect("localhost", "kishou", "8642");
    // If it cant connect it ends all the functions which is what die is. and then it prints couldnt connect to database.
    if (!$con)
    {
        die('Couldnt connect to Database');
    }
    mysql_select_db("aaabatt_mainwebsite", $con); // change the kishou_website name to the name of your database.
    // This part we're making a new variable called email and it equals what the user inputted. Variables can make coding alot easier as you'll see later on.
    $email = $_POST["Email"];
    $emailconf = $_POST["ConfirmEmail"]; // we make another variable and its what the user put in the confirm email box.
    // now this is the part where variables come in handy. Ok so we're saying if the email that the user putted is not equal to the thing the user inputted in the confirmation email it ends all functions which is what die does and it prints Emails do not match. and the php code for not equal is !==. also you're proly noticing alota semi collans and thats because it creates a new line of code. you like always use the semi collan. and the semi collan goes at the end of the line. or you can just press the END button on your keyboard.
    if ($email !== $emailconf)
    {
        die('Emails do not match.');
    }
    $pass = $_POST["Password"]; // Now we do the same thing except for the passwords
    $confpass = $_POST["ConfirmPassword"];
    if ($pass !== $confpass)
    {
        die('Passwords do not match.');
    }
    mysql_select_db("aaabatt_mainwebsite", $con); // we select our database again. and you should switch aaabatt_website with the name of your database.
    $usernamemy = mysql_real_escape_string($_POST['Username']);
    $passwordmy = mysql_real_escape_string($_POST["Password"]);
    $emailmy = mysql_real_escape_string($_POST['Email']);
    // in this part we check if the username the user inputted is already in the table aka registered.
    $res = mysql_query("SELECT * FROM registered_members where Username='".$usernamemy."'");
    // if there's more than one row with the same username the database we exit all scripts with the die function and print username already taken.
    if (mysql_num_rows($res) > 0)
    {
        die('Username already taken!');
    }
    else
    $sql = "INSERT INTO registered_members (username, password, email, ip)
    VALUES('$usernamemy','$passwordmy','$emailmy','$ip')"; // insert the stuff into the database and we insert the ipaddress so u can block that ip if they do something illegally.
    if (!mysql_query($sql, $con))
    {
        die('Error: ' . mysql_error());
    }
    $to = "$_POST[Email]"; // This part we send the email.
    $subject = "Successfully Registered!";
    $message = "Hello! You have successfully registered to lost.kishouvision.com! Username:$_POST[Username], Password:$_POST[Password]"; // We give them the username that they registered with.
    $from = "dontrespond@something.com"; // put whatever email you want to for the from string.
    $headers = "From: $from";
    mail($to, $subject, $message, $headers);
    echo "Successfully Registered! Check your email!";
    mysql_close($con); // Close the database connection
    ?>
    </body>
    </html>

3. put this in the login.php

    <html>
    <head><title>Login</title></head>
    <body>
    <?php
    if ($_POST['password'] == false) // if form isnt filled out
        die("Please out whole form.");
    else
    $con = mysql_connect("localhost", "kishou", "8642");
    if (!$con)
    {
        die('Couldnt connect to Database');
    }
    mysql_select_db("aaabatt_mainwebsite", $con);
    $username = mysql_real_escape_string($_POST['username']); // so someone cant sql inject.
    $password = mysql_real_escape_string($_POST['password']);
    $result = mysql_query("SELECT * FROM registered_members WHERE username=\"$username\"");
    $row = mysql_fetch_assoc($result); // note assoc
    if ($row['password'] == $password) {
        echo "Login successful <br />";
        include("adminstuff.php"); // shows the user stuff if the user login is successful
    } else {
        die('Login Failed.');
    }
    mysql_close($con);
    ?>
    </body>
    </html>

Please don't hesitate to ask me a question about this if you don't understand something like what's MySQL or how do I create a "database" etc...

link to working example of this:
http://kishouvision.com/tutorials/register.html
http://kishouvision.com/tutorials/login.html

use v2 for more secure.

boen_robot Posted December 24, 2007

This is a VERY BAD example of how logins should be made.

It has a dozen of security holes, and I'm not even sure if your login page works as you never really specify the username you'll be checking up.

I tried deleting your registered_members table, and I'm not sure if I made it, mostly because I was never able to login. Still, check if your table even exists.

I also tried deleting your whole database, and again I'm not sure if I've made it... just... check up on phpMyAdmin, will you?

And if you're looking for info as to how I made it (if I have):
http://unixwiz.net/techtips/sql-injection.html
is a good demonstration.

BTW, I think if you really want to show up some tutorials of your own, you should create a web site for yourself and put your tutorials there.

SpOrTsDuDe.Reese Posted December 24, 2007

I tried the register page, registered with account name: ryan and pw: asdf

Register page worked, to a certain point. The login page kept returning "Login Failed." Gotta fix that.

Synook Posted December 25, 2007

This script cannot handle more than 1 (!!) user. Take a look at these lines in login.php

    $result = mysql_query("SELECT * FROM registered_members"); //we create a new variable and say what the variable does and the variable just looks in the table registered_members.
    $row = mysql_fetch_array($result); // we make the variable row and say that it selects all of the info in the variable result which we just defined before.
    if ($_POST['Username']==$row[ 'username']&&$_POST['password']==$row[ 'Password']) //This part is just saying if the username you entered equals the row in the table and the password the user entered equals a row in the table it logs in or prints login succesfull
    echo "Login successful";
    else
    die('Login failed'); //This is saying if it cant log in then it says Login in failed

Basically, this selects the entire table, but then reads the first record and if that record is not what the user entered in the form, the login is unsuccessful. So what happens if you are the 1+n th user in the table?

Some suggestions:
* Form validation, esp. empty string checking
* Escaping strings to prevent SQL injection
* Use of the WHERE SQL clause in login.php
* Password hashing
* Use of the variable island { } syntax e.g. "string {$array['element']} more string"
* Redirection instead of dying
* Checking of referrers to prevent XSS

I would not suggest using this script for any secure application until the above problems are fixed.

And btw, the ";" character is spelt longhand as "semicolon".

SpOrTsDuDe.Reese Posted December 25, 2007

Can the topic poster make a repost and tell us the correct login and register page? I want to add one to my website and this is a great "tutorial" please topic maker...edit the post and tell us.

kishou (Author) Posted December 26, 2007

> This is a VERY BAD example of how logins should be made.
>
> It has a dozen of security holes, and I'm not even sure if your login page works as you never really specify the username you'll be checking up.
>
> I tried deleting your registered_members table, and I'm not sure if I made it, mostly because I was never able to login. Still, check if your table even exists.
>
> I also tried deleting your whole database, and again I'm not sure if I've made it... just... check up on phpMyAdmin, will you?
>
> And if you're looking for info as to how I made it (if I have):
> http://unixwiz.net/techtips/sql-injection.html
> is a good demonstration.
>
> BTW, I think if you really want to show up some tutorials of your own, you should create a web site for yourself and put your tutorials there.

it does work. and i just registered 2 ppl...(content removed)

kishou (Author) Posted December 26, 2007

> This script cannot handle more than 1 (!!) user. Take a look at these lines in login.php
>
>     $result = mysql_query("SELECT * FROM registered_members"); //we create a new variable and say what the variable does and the variable just looks in the table registered_members.
>     $row = mysql_fetch_array($result); // we make the variable row and say that it selects all of the info in the variable result which we just defined before.
>     if ($_POST['Username']==$row[ 'username']&&$_POST['password']==$row[ 'Password']) //This part is just saying if the username you entered equals the row in the table and the password the user entered equals a row in the table it logs in or prints login succesfull
>     echo "Login successful";
>     else
>     die('Login failed'); //This is saying if it cant log in then it says Login in failed
>
> Basically, this selects the entire table, but then reads the first record and if that record is not what the user entered in the form, the login is unsuccessful. So what happens if you are the 1+n th user in the table?
>
> Some suggestions:
> * Form validation, esp. empty string checking
> * Escaping strings to prevent SQL injection
> * Use of the WHERE SQL clause in login.php
> * Password hashing
> * Use of the variable island { } syntax e.g. "string {$array['element']} more string"
> * Redirection instead of dying
> * Checking of referrers to prevent XSS
>
> I would not suggest using this script for any secure application until the above problems are fixed.
>
> And btw, the ";" character is spelt longhand as "semicolon".

it can handle more than 1 user. and thanks for those suggestions i'll read up about those!

zppblood Posted December 26, 2007

Your register.php does have some security holes.
- SQL Injections (use mysql_real_escape_string($_POST['username']) for every $_POST)
- XSS (use htmlentities($_POST['username'], ENT_QUOTES, 'encoding_you_are_using'))
- Email Injection (they will be able to spam by sending email to others through the email headers)

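One way to apply the form-validation, XSS and email-injection points from the post above to register.php, as an added example that is not code from the thread. It uses htmlspecialchars() for the output encoding; registration_errors() and html() are hypothetical names, and the sample submission is constructed.

```php
<?php
// Added example. Function names are hypothetical; field names follow register.html.

// Returns a list of problems with a submitted registration form
// (an empty list means the input is acceptable). $post is shaped like $_POST.
function registration_errors(array $post): array
{
    $errors = [];
    $fields = ['Username', 'Password', 'ConfirmPassword', 'Email', 'ConfirmEmail'];
    foreach ($fields as $field) {
        // Missing, non-string (e.g. Username[]=x) and blank values are all rejected.
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required.";
        }
    }
    if ($errors !== []) {
        return $errors;
    }
    if ($post['Password'] !== $post['ConfirmPassword']) {
        $errors[] = 'Passwords do not match.';
    }
    if ($post['Email'] !== $post['ConfirmEmail']) {
        $errors[] = 'Emails do not match.';
    }
    // The address is passed to mail() and ends up in the To: header, so a
    // value containing CR/LF could add header lines. Reject those outright,
    // then require a single syntactically valid address.
    if (preg_match('/[\r\n]/', $post['Email']) === 1
        || filter_var($post['Email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    return $errors;
}

// Encode a user-supplied value before echoing it into an HTML page.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission, not real data.
$constructed = [
    'Username'        => '<b>ryan</b>',
    'Password'        => 'asdf',
    'ConfirmPassword' => 'asdf',
    'Email'           => "ryan@example.com\r\nBcc: someone@example.net",
    'ConfirmEmail'    => "ryan@example.com\r\nBcc: someone@example.net",
];

foreach (registration_errors($constructed) as $error) {
    echo html($error), "\n";
}
echo 'Hello, ', html($constructed['Username']), "\n";
```
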
boen_robot Posted December 27, 2007

> it does work. and i just registered 2 ppl...(quoted content removed)

Errr... riiiight. By trying to delete your database and/or table, it was never my intention to... eh em... copulate with you. Since you were using this as a demo for your login script, rather than on a live site which must stay alive, showing you in practice what can go wrong by using this "sandbox" is just the best way to teach you why your approach was totally wrong, without causing any big damage.

Now that I think of it, with a little more imagination, I could have mailed myself your password. Then, if you happen to use the same password for your hosting account, I could go there and replace the login page with something like a message saying "Hacked by boen_robot, who's not really a great hacker, just happens to have encountered a very bad login/register 'tutorial'". Hmmm....

ok, NOW I'm just kidding with you. But seriously, it IS possible. While writing this, I'm fighting with myself as to whether I should try it or not, so I advise you to change your hosting account password, just in case my "wanna be a hacker" side wins.

kishou (Author) Posted December 27, 2007

> Errr... riiiight. By trying to delete your database and/or table, it was never my intention to... eh em... copulate with you. Since you were using this as a demo for your login script, rather than on a live site which must stay alive, showing you in practice what can go wrong by using this "sandbox" is just the best way to teach you why your approach was totally wrong, without causing any big damage.
>
> Now that I think of it, with a little more imagination, I could have mailed myself your password. Then, if you happen to use the same password for your hosting account, I could go there and replace the login page with something like a message saying "Hacked by boen_robot, who's not really a great hacker, just happens to have encountered a very bad login/register 'tutorial'". Hmmm....
>
> ok, NOW I'm just kidding with you. But seriously, it IS possible. While writing this, I'm fighting with myself as to whether I should try it or not, so I advise you to change your hosting account password, just in case my "wanna be a hacker" side wins.

what's funny is in this tut that's not my login password. i just changed it so something like this wouldn't happen.

killboy Posted December 27, 2007

Is it that nobody here likes the OOP?

boen_robot Posted December 30, 2007

> what's funny is in this tut that's not my login password. i just changed it so something like this wouldn't happen.

If you mean the one in your PHP script for your database - sure. What I had in mind was the password for your account within the database. THAT may easily be exploited, and as I said, with a little more imagination, it may even be mailed to an arbitrary email.

> Is it that nobody here likes the OOP?

Yeah. About that... I'm wondering myself too. I guess it's just that MySQLi is not that much supported in hosts, and people that write "tutorials" want to be compatible with as most hosts and PHP versions as possible, which is all for a good reason of course.

killboy Posted December 30, 2007

> Yeah. About that... I'm wondering myself too. I guess it's just that MySQLi is not that much supported in hosts, and people that write "tutorials" want to be compatible with as most hosts and PHP versions as possible, which is all for a good reason of course.

What do you mean? MySQL is widely supported as long as I know, so is Object-Oriented Programming, although in most of public hosts you'll have to adapt it to PHP 4; meaning that you'll have to change "public function" and "private function" for nothing but "function".

The real root (for me) of the problem, is that most of people seem to be frightened by the OOP, but they totally ignore how easy it makes your life.

boen_robot Posted December 30, 2007

> What do you mean? MySQL is widely supported as long as I know, so is Object-Oriented Programming, although in most of public hosts you'll have to adapt it to PHP 4; meaning that you'll have to change "public function" and "private function" for nothing but "function".
>
> The real root (for me) of the problem, is that most of people seem to be frightened by the OOP, but they totally ignore how easy it makes your life.

MySQL and MySQLi are two different PHP extensions, both of which deal with handling the MySQL database engine. The former is supported since PHP4, and is even enabled by default. Neither of those extensions are enabled in PHP5 by default, but both are available in it. The MySQL classes (and thus - the OOP part of MySQL) is only available in the MySQLi extension. The MySQLi extension though is not that much supported in hosts. That is, they rarely enable it, and even more rarely do they allow you to enable it yourself. The MySQL extension is usually the extension of choice with hosts, as they've known it since PHP4, and they just "trust" it.

Anyhow, unless the host allows you to view their phpinfo(), you can only guess what extensions they have enabled. And whether or not they allow you to enable extensions yourself - they should say.

kishou (Author) Posted January 15, 2008

ok i've been reading about XSS and SQL injection and i don't get how you would get the passwords and usernames cause u need to use the GET method instead of POST and i'm using POST.

zppblood Posted January 15, 2008

> ok i've been reading about XSS and SQL injection and i don't get how you would get the passwords and usernames cause u need to use the GET method instead of POST and i'm using POST.

XSS is using the client side to attack like JavaScript, VBScript, Flash, ActiveX, etc.

Let's say that you are going to make a simple login page without using mysql_real_escape_string().

We could use this SQL code to select the username from the users table

    "SELECT * FROM users_table WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'"

or

    "SELECT * FROM users_table WHERE username='$username' AND password='$password'"

When using " (double quotes) with PHP, it converts the variable to its value (same with $_POST['username/password']) when it sends it to MySQL.

The hacker can enter their own SQL code by entering something like the admin account and ' OR '1'='1 in the password field. The SQL code would then be

    "SELECT * FROM users_table WHERE username='admin' AND password='' OR '1'='1'"

As you can see, username to select is admin and password is blank (which is never the case with logging in accounts) OR 1=1 (which is always true).

justsomeguy Posted January 15, 2008

> ok i've been reading about XSS and SQL injection and i don't get how you would get the passwords and usernames cause u need to use the GET method instead of POST and i'm using POST.

POST doesn't protect from anything, if you have the right tools it's just as easy to send a POST request as it is a GET request. It just so happens that most of the examples use GET requests because they're easier to write out.

Synook Posted January 16, 2008

> i don't get how you would get the passwords and usernames

Remember, the data still has to be transferred over the internet, and a hacker could "listen" to the data coming through the network and pick up the username and password as they are transferred.

justsomeguy Posted January 16, 2008

Also, FYI:

> ;. used to end that function/line (kindof).
> $. money symbol. no it doesnt represent money it represents a string and almost everything in PHP is a string.

A semicolon is used to terminate a statement. The dollar sign does not represent a string, it starts a variable name. It's not true to say "almost everything in PHP is a string", most of what you work with are resources, arrays, and objects, not scalar data like strings.

kishou (Author) Posted January 26, 2008

updated! so now no one can sql inject or spam.

kishou (Author) Posted January 27, 2008

also if the example doesnt work its proly because im experimenting with sha1.

kishou (Author) Posted January 27, 2008

ok for the hashing change this part in register.php

change this:

    mysql_select_db("aaabatt_mainwebsite", $con); // we select our database again. and you should switch aaabatt_website with the name of your database.
    $usernamemy = mysql_real_escape_string($_POST['Username']);
    $passwordmy = mysql_real_escape_string($_POST["Password"]);
    $emailmy = mysql_real_escape_string($_POST['Email']);

to this:

    mysql_select_db("aaabatt_mainwebsite", $con); // we select our database again. and you should switch kishou_website with the name of your database.
    $usernamemy = mysql_real_escape_string($_POST['Username']);
    $passwordsql = sha1($_POST['Password']);
    $passwordmy = mysql_real_escape_string($passwordsql);
    $emailmy = mysql_real_escape_string($_POST['Email']);

also change this part in the login.php from this:

    mysql_select_db("aaabatt_mainwebsite", $con);
    $username = mysql_real_escape_string($_POST['username']); // so someone cant sql inject.
    $password = mysql_real_escape_string($_POST['password']);

to this:

    mysql_select_db("aaabatt_mainwebsite", $con);
    $username = mysql_real_escape_string($_POST['username']); // so someone cant sql inject.
    $passwordsql = sha1($_POST['password']);
    $password = mysql_real_escape_string($passwordsql);

boen_robot Posted January 27, 2008

You should swap the hashing and MySQL escaping i.e. sha1() first, then mysql_real_escape_string(). A hash may accidentally do something to the database (intentionally, never), and don't forget to hash the password at user's registration too. Otherwise, you can't compare it at login.

BTW, has anyone thought of using Zend Framework yet, 'cause as far as I can see, things are heading at that direction.

kishou (Author) Posted January 27, 2008

> You should swap the hashing and MySQL escaping i.e. sha1() first, then mysql_real_escape_string(). A hash may accidentally do something to the database (intentionally, never), and don't forget to hash the password at user's registration too. Otherwise, you can't compare it at login.
>
> BTW, has anyone thought of using Zend Framework yet, 'cause as far as I can see, things are heading at that direction.

kk fixed that. thx

justsomeguy Posted January 28, 2008

You actually don't need to escape a SHA-1 hash anyway, a hash will only have hex digits in it, it won't have any quotes or anything that might cause an issue in SQL.

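The login check the replies in this thread converge on (look the user up with a WHERE clause, keep user input out of the SQL text, store a password hash), shown next to the string-built query from the ' OR '1'='1 explanation, as an added example that is not any poster's code. It assumes PHP 7 or later with the pdo_sqlite extension, uses an in-memory SQLite table in place of the MySQL one, and uses password_hash()/password_verify() in place of the sha1() call posted above; the function names and sample accounts are constructed for the example.

```php
<?php
// Added example: constructed in-memory SQLite table standing in for the
// thread's MySQL registered_members table (assumption: pdo_sqlite is enabled).
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE registered_members (
        username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

// Registration stores a salted, deliberately slow hash rather than the
// plain password or a bare sha1() digest.
function register(PDO $db, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;                       // empty-field check
    }
    $stmt = $db->prepare('SELECT 1 FROM registered_members WHERE username = ?');
    $stmt->execute([$username]);
    if ($stmt->fetchColumn() !== false) {
        return false;                       // username already taken
    }
    $stmt = $db->prepare(
        'INSERT INTO registered_members (username, password) VALUES (?, ?)');
    return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// The pattern the thread warns about: user input pasted into the SQL text.
// Kept only to show what the quoted input does to the WHERE clause.
function login_concatenated(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT COUNT(*) FROM registered_members
            WHERE username='$username' AND password='$password'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened form: the username travels as a bound parameter, only that
// user's row is fetched, and the password is checked against the stored hash.
function login_prepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT password FROM registered_members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

$db = make_demo_db();
register($db, 'admin', 'correct horse');    // constructed accounts
register($db, 'ryan', 'asdf');              // a second user, found via WHERE

$quoted = "' OR '1'='1";                    // the input discussed in the thread

// Concatenated query: the input rewrites the condition into one that is
// true for every row, so the check passes without the password.
var_dump(login_concatenated($db, 'admin', $quoted));

// Prepared query: the same input is only ever compared as a password.
var_dump(login_prepared($db, 'admin', $quoted));
var_dump(login_prepared($db, 'ryan', 'asdf'));
var_dump(login_prepared($db, 'ryan', 'wrong'));
```
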
Archived
This topic is now archived and is closed to further replies.