Главная » Языки программирования

Sign Up

На чтение 13 мин
Содержание
  1. Simple single-file PHP login system
  2. login.php :
  3. OtherFiles.php :
  4. 2 Answers 2
  5. Tutorial to create a login system using HTML, PHP, and MySQL
  6. Table of Contents
  7. 1) Building a Signup system
  8. Step 1: Creating Registration Form in HTML
  9. Step 2: Creating the MySQL Database Table
  10. Step 3: Creating Database Configuration File
  11. Step 4: Creating a Session File
  12. Step 5: Create Registration Form in PHP
  13. 2) Building a Login System
  14. Step 1: Creating a Login Form in HTML
  15. Step 2: Creating a Login System in PHP
  16. 3) Creating a Welcome Page
  17. 4) The Logout script
  18. Conclusion

Simple single-file PHP login system

This is something that I initially came up with to protect a bunch of scripts on my personal webserver, but am now planning on using with a few public projects too.

login.php :

 $password = '8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4'; if(empty($_SESSION["loggedIn"])) < if(isset($_POST["password"]))< if(hash('sha256', $_POST['password'])===$password)< session_regenerate_id(true); $_SESSION["loggedIn"]=true; >else< echo "Incorrect password! 
"; > > > if($_SESSION["loggedIn"] == true) < print ' You are logged in!
Logout '; > else< print ' 
Login
 
Password:  
 
 '; > ?>

OtherFiles.php :

Yes, I know, sha-256 hashes aren’t recommended for password storage, but that’s only for testing, when deployed it’ll be using proper salting for password storage. What I need feedback on is the login script itself.

\$\begingroup\$ Not a review but == loosely comparison can become quite dangerous when working with hashes it is better to use strict comparison === . See whitehatsec.com/blog/magic-hashes \$\endgroup\$

2 Answers 2

session_start(); being set and called on a per-script basis is a poor approach. Prone to problems like forgetting to set it, setting it more than once when there are multiple layers of files being included() .

The «system» should have services (and other «things» that are re-used) invoked before it gets to things such as login.php .

Though this is more a limitation of writing procedural code and not using modular setup with OOP etc.

You should choose a standard, like PSR2 that is more globally recognised. Consistency is absolute key, but the standards such as PSR2 are quite logical in their decisions and makes for better readability.

Why is » login.php » handling «logout»?
Even using procedural (instead of nice classes) doesn’t mean you wont benefit from things like SRP.

You should have a «logout.php» file and «login.php» file.

Though, you should use classes really. You say you’re going to use this in some public projects, but you have no namespaces so would possibly have name clashes with others’ code. And people don’t want to require() your file they want to inject it in an OOP fashion.

You have no namespaces, so this is all in global namespace. Any other file in that name space (probably all of your other code) has potential for naming clashes. Which not only potentially causes issues, but ones that can be very hard to find and debug.

This seems very prone to things going wrong — 404 and possible other issues.

header('Location: '. $_SERVER['SCRIPT_NAME']);

I’d consider a good resource handler, but again this would really need classes otherwise you’re going to be stuck including things.

As with all of your code (missing some kind of nice coding standard), this can be simplified and tidied to be more readable:

if(empty($_SESSION["loggedIn"])) < if(isset($_POST["password"]))< if(hash('sha256', $_POST['password'])===$password)< session_regenerate_id(true); $_SESSION["loggedIn"]=true; >else< echo "Incorrect password! 
"; > > > 
if ( empty($_SESSION["loggedIn"]) && isset($_POST["password"]) && hash('sha256', $_POST['password']) === $password ) < session_regenerate_id(true); $_SESSION["loggedIn"] = true; >else < echo "Incorrect password! 
"; > >

Yes, I know, sha-256 hashes aren’t recommended for password storage, but that’s only for testing, when deployed it’ll be using proper salting for password storage

Calling a variable that stores the username $get_da_user_name_like is «not recommended». Using SHA-256 or similar is not «not recommended» it’s entirely insecure.

Читайте также:  Java parse xml string to java object

Also, this approach means that once you’re done writing your code and have it all tested, you’ll. start writing your code and start testing again to add this other thing. Or won’t because something else will be needed.

Honestly, this is a pointless thing to «put off» — it’s 2 single PHP functions, built in.

// Store this in the DB $hashed_password = password_hash($password); // Check their login pass with the one stored in the DB if (password_verify($passwordFromLoginForm, $passwordFromDb))

Using a loose comparison == instead of strict === means this will be "true" for many values (almost everything, basically barring a few values it'll just be set and so true). It might not matter but is usually better to be strict in these matters. Even if not for security and just for clear intent.

Echoing out in a PHP file is not ideal. Even with procedural (no classes) treat PHP files as "controllers" that do the system things, and "view" files that output.

It's an old approach but set a variable to the desired output, then at the end call a new file (e.g. loginView.php ) and have that display the HTML/CSS and data from the controller ( login.php ).

Then you can also call this file early and exit, eg when there are errors.

I will just presume this is for testing purposes:

$password = '8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4';

I said it before but honestly, switch to using classes. Writing procedural code seems easier on face value, but in the long run it will without doubt cost you more time, headaches, bugs, and limitations.

Источник

Tutorial to create a login system using HTML, PHP, and MySQL

This is a tutorial for creating a login system with the help of HTML, PHP, and MySQL. Your website needs to be dynamic and your visitors need to have instant access to it. Therefore, they want to log in as many times as possible. The login authentication system is very common for any web application. It allows registered users to access the website and members-only features. It is also helpful when we want to store information for users. It covers everything from shopping sites, educational sites, and membership sites, etc.

This tutorial is covered in 4 parts.

Table of Contents

1) Building a Signup system

In this part, We will create a signup system that allows users to create a new account to the system. Our first step is to create a HTML registration form. The form is pretty simple to create. It only asks for a name, email, password, and confirm password. Email addresses will be unique for every user. Multiple accounts for the same email address are not allowed. It will show an error message to the users who try to create multiple accounts with the same email address.

Step 1: Creating Registration Form in HTML

We will create a PHP file named register.php with the following code in it. This is a simple HTML form with some basic validation. If you are not familiar with HTML then you can get it from many online sites who give ready-made html5 login form templates.

       
 
 
Register
 
Please fill this form to create an account.
 
 
 
 
 
 
 
Already have an account? Login here.

The output of the above HTML form will look like this.

Sign Up

All the input fields are required by adding the "required" attribute which is the default HTML attribute. The use of type="email" will validate the email address provided by users and gives an error if the email address is not valid. For the registration form, we have used bootstrap for rapid development. If you want to save your time on HTML code you can always use some free html5 templates for your project.

Step 2: Creating the MySQL Database Table

You will need to create a new database with any suitable name you want. After that please execute the below SQL query to create the user's table inside your newly created MySQL database. 

CREATE TABLE `users` ( `id` int(11) unsigned NOT NULL AUTO_INCREMENT, `name` varchar(75) NOT NULL, `password` varchar(255) NOT NULL, `email` varchar(100) NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `email` (`email`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=1;

Step 3: Creating Database Configuration File

Now, we have created the users table. Let's create a new PHP file named config.php to connect with the MySQL database. Paste the following code in the config.php file and change the database name to whatever you choose while creating the database.

Step 4: Creating a Session File

Let's create a file named session.php. In this file, we will start the session and check if a user is already logged in, if yes then we will redirect the user to welcome.php file.

Step 5: Create Registration Form in PHP

Finally, it's time to create a PHP code that allows users to register their accounts into the system. This PHP code will alert users with an error if any user is already registered with the same email address.

Replace the following code in the register.php file.

prepare("SELECT * FROM users WHERE email = ?")) < $error = ''; // Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s" $query->bind_param('s', $email); $query->execute(); // Store the result so we can check if the account exists in the database. $query->store_result(); if ($query->num_rows > 0) < $error .= '
The email address is already registered!
'; > else < // Validate password if (strlen($password ) < 6) < $error .= '
Password must have atleast 6 characters.
'; > // Validate confirm password if (empty($confirm_password)) < $error .= '
Please enter confirm password.
'; > else < if (empty($error) && ($password != $confirm_password)) < $error .= '
Password did not match.
'; > > if (empty($error) ) < $insertQuery = $db->prepare("INSERT INTO users (name, email, password) VALUES (?, ?, ?);"); $insertQuery->bind_param("sss", $fullname, $email, $password_hash); $result = $insertQuery->execute(); if ($result) < $error .= '
Your registration was successful!
'; > else < $error .= '
Something went wrong!
'; > > > > $query->close(); $insertQuery->close(); // Close DB connection mysqli_close($db); > ?>       
 
 
Register
 
Please fill this form to create an account.
   
 
 
 
 
 
 
Already have an account? Login here.

Once user click on submit button it will check if $_SERVER["REQUEST_METHOD"] == "POST" and $_POST['submit'] variable has been set. For security concerns, we always suggest not to store the password as plain text in the database. We have used password_hash() function which creates a new password hash using a strong one-way hashing algorithm.

The above PHP script will validate that no user is registered with the same email address and also validate password. After validation is confirmed we store the user-provided information in the users' table and alert the user that registration was successful.

2) Building a Login System

In this part, we will create a login form to allow users to access the restricted area of the system. In our case, the restricted area is a welcome page which we will cover in the next part.

Step 1: Creating a Login Form in HTML

Below is the Login Form in HTML. Paste it in a file named login.php

       
 
 
Login
 
Please fill in your email and password.
 
 
 
 
 
Don't have an account? Register here.

The output of the above code will look like this

Login

Step 2: Creating a Login System in PHP

After creating the login form in HTML, we will write a code to validate login credentials. On form submit we will check that the email and password are filled. If they filled then we will execute a SELECT query to find the record in a database on the basis of email and password. If any record found, then we will store the "userID" in session and the user is redirected to the welcome.php file, otherwise, the user is alerted with an error message.

Let's replace the following code in the login.php file.

Please enter email.
'; > // validate if password is empty if (empty($password)) < $error .= '
Please enter your password.
'; > if (empty($error)) < if($query = $db->prepare("SELECT * FROM users WHERE email = ?")) < $query->bind_param('s', $email); $query->execute(); $row = $query->fetch(); if ($row) < if (password_verify($password, $row['password'])) < $_SESSION["userid"] = $row['id']; $_SESSION["user"] = $row; // Redirect the user to welcome page header("location: welcome.php"); exit; >else < $error .= '
The password is not valid.
'; > > else < $error .= '
No User exist with that email address.
'; > > $query->close(); > // Close connection mysqli_close($db); > ?>       
 
 
Login
 
Please fill in your email and password.
  
 
 
 
 
Don't have an account? Register here.

3) Creating a Welcome Page

Below is the code for the welcome.php file. Users will be redirected to this page after a successful login process. We have added some code at the top of the page to check if the user is not logged in, then redirect the user to the login page.

Let's create a welcome.php file and paste the following code in it.

 ?>    Welcome   
 
 
Hello, . Welcome to demo site.
 
 
Log Out

4) The Logout script

Finally, Let's create a logout.php file with the following code in it.

Once the user clicks on the Log Out link, the above script, will be called to destroy the session and redirect user to the login.php file.

Conclusion

In this tutorial, I explained how you can create a Login System using HTML, PHP and MySQL. Once you understand how simple it is to create a login system you can add other features like reset password, forgot password, verify email address, edit user's profile, etc.

Источник

Оцените статью
© 2023 Программирование