1. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by Dragonstar89
    How can I accomplish these things in PHP?
    Create your own thread and give us concrete information: What have you tried so far? What's your code? What's the result?
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2013
    Posts
    6
    Rep Power
    0

    reply


    Originally Posted by Jacques1
    Create your own thread and give us concrete information: What have you tried so far? What's your code? What's the result?
    I've tried several different ways. The first was a PHP if statement to see if there was no session, basically something like this:

    PHP Code:
    <?php if(empty($_SESSION['user'])){ ?>
        //the html code for the login form
    <?php }?>
    Originally, instead of having it use the ending code bracket, I used endif; but no matter what, the login form continued to show. Even if there was a session. I also use the include(""); function in PHP to include a header, the guest header is header.html and I want logged in users to be able to see user_header.html which has links to their account, but I can't do that either because it falls around the lines of the login form problem.

    I feel like it's something about not storing or receiving the SESSION correctly, but I wouldn't know where to go with it because I'm just getting around to knowing PHP.

    ~Jake
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    I suggested to create your own thread. I don't see the point of making this mega thread even longer with a general question only loosely connected to the project. Anyway, maybe a moderator will clean this up afterwards.

    As to the question:

    The session check itself is correct -- assuming the user ID is in fact stored in $_SESSION['user'].

    So the problem must be somewhere else. The first (and most obvious) step would be to actually check the content of $_SESSION:

    PHP Code:
    <?php

    var_dump($_SESSION);
    What does it say?

    The next step would be to create a minimal example to narrow down the problem: Make a script which only prints different strings depending on the login status:

    PHP Code:
    <?php

    session_start();

    if(empty($_SESSION['user']))    // not logged in
    {
        echo 'Not logged in.';
    }
    else
    {
        echo 'Logged in.';
    }
    Use this for testing.
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2013
    Posts
    3
    Rep Power
    0
    Originally Posted by Jacques1
    I suggested to create your own thread. I don't see the point of making this mega thread even longer with a general question only loosely connected to the project. Anyway, maybe a moderator will clean this up afterwards.

    As to the question:

    The session check itself is correct -- assuming the user ID is in fact stored in $_SESSION['user'].
    This is a bump, and I hate to bump a thread, however I followed the tutorial, and I don't get any errors; however when I log in to my login page, I get:

    Notice: Undefined index: username in C:\wamp\www\index.php on line 22
    Notice: Undefined index: username in C:\wamp\www\index.php on line 73
    Here is my code:
    PHP Code:
    <?php

    require("includes/common.php");

    $submitted_username = '';

    if(!empty($_POST))
    {
        $query = "
            SELECT
                id,
                username,
                password,
                salt,
                email
            FROM users
            WHERE
                username = :username
        ";

        $query_params = array(
            ':username' => $_POST['username']
        );

        try
        {
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
        }
        catch(PDOException $ex)
        {
            die("Failed to run query: " . $ex->getMessage());
        }

        $login_ok = false;

        $row = $stmt->fetch();
        if($row)
        {
            $check_password = hash('sha256', $_POST['password'] . $row['salt']);
            for($round = 0; $round < 65536; $round++)
            {
                $check_password = hash('sha256', $check_password . $row['salt']);
            }

            if($check_password === $row['password'])
            {
                $login_ok = true;
            }
        }

        if($login_ok)
        {
            unset($row['salt']);
            unset($row['password']);

            $_SESSION['user'] = $row;

            header("Location: welcome.php");
            die("Redirecting to: private.php");
        }
        else
        {
            print("Login Failed.");

            $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
        }
    }
    ?>
    Thanks for any help...
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    whatever your form field for the user name is called, it's not called "username". That's why you're getting the error.

    Double check the field name. And check the POST parameters with

    PHP Code:
    var_dump($_POST); 
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2013
    Posts
    3
    Rep Power
    0
    Originally Posted by Jacques1
    Hi,

    whatever your form field for the user name is called, it's not called "username". That's why you're getting the error.

    Double check the field name. And check the POST parameters with

    PHP Code:
    var_dump($_POST); 
    That was my issue - thanks so much!
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2013
    Posts
    6
    Rep Power
    0

    Thanks


    Originally Posted by Jacques1
    I suggested to create your own thread. I don't see the point of making this mega thread even longer with a general question only loosely connected to the project. Anyway, maybe a moderator will clean this up afterwards.

    As to the question:

    The session check itself is correct -- assuming the user ID is in fact stored in $_SESSION['user'].

    So the problem must be somewhere else. The first (and most obvious step) would be to actually check the content of $_SESSION:

    PHP Code:
    <?php

    var_dump($_SESSION);
    What does it say?

    The next step would be to create a minimal example to narrow down the problem: Make a script which only prints different strings depending on the login status:

    PHP Code:
    <?php

    session_start();

    if(empty($_SESSION['user']))    // not logged in
    {
        echo 'Not logged in.';
    }
    else
    {
        echo 'Logged in.';
    }
    Use this for testing.
    Sorry to bump this anymore, but I found out my problem. I hadn't attached a simple session_start(); before my <!DOCTYPE. Now the login form hides when there's a user logged in.

    Thanks for your help.
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2013
    Location
    S. Texas
    Posts
    8
    Rep Power
    0
    I'm renewing my interest in PHP for personal/hobby usage after 9+ years of retirement!

    Would it be practical for someone (i.e. "derplumo" or "jacques1") to forward or post a copy of the "final version" of files that accrued with the 300+ posts in this thread (How to program a basic but secure login system using PHP and MySQL)?

    I'm so new that I'm not allowed to send PM but with my user name in the Google mail, anything should hit my inbox without a problem.

    Many thanks in advance.
    Dave Nuttall
    San Antonio, TX
  9. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    447
    Rep Power
    8
    Sure,

    Please see post #296

    Maybe it is better if I create a new thread or if E-Oreo edits the first post, a lot of people ask for it and I could imagine it is quite confusing if you see all those scripts.

    I will post a new version with all the files (I had a small problem regarding a simple url or something like that).

    I hope you'll find it useful.
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2013
    Location
    S. Texas
    Posts
    8
    Rep Power
    0
    Originally Posted by derplumo
    Sure,

    Maybe it is better if I create a new thread or if E-Oreo edits the first post, a lot of people ask for it and I could imagine it is quite confusing if you see all those scripts.

    I will post a new version with all the files (I had a small problem regarding a simple url or something like that).

    I hope you'll find it useful.
    I started a thread "requesting" in the Beginner Programming sector.

    This place is so huge it's hard to go anywhere but "in the beginning"!

    Many thanks again.
    Dave
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    1
    Rep Power
    0
    Originally Posted by Jacques1
    Hi,

    simply store the current timestamp on each request, either in the session itself or in the database (in case you also need it elsewhere). Each time you resume the session, check the timestamp and see if it's outside your time limit. If it is, destroy the session.

    PHP Code:
    <?php

    define('SESSION_TIMEOUT', 60);        // in minutes; this should be in some global configuration file

    function session_timed_out() {
        return isset($_SESSION['last_activity']) && time() >= $_SESSION['last_activity'] + SESSION_TIMEOUT * 60;
    }

    function logout() {
        if (session_id()) {
            // clear $_SESSION array
            $_SESSION = array();
            // delete session file
            session_destroy();
            // delete session cookie
            if (ini_get('session.use_cookies')) {
                $session_cookie_params = session_get_cookie_params();
                setcookie(
                    session_name(), '', time() - 24 * 60 * 60,
                    $session_cookie_params['path'], $session_cookie_params['domain'],
                    $session_cookie_params['secure'], $session_cookie_params['httponly']
                );
            }
        }
    }

    session_start();

    // check timeout
    if (session_timed_out()) {
        echo 'the session has timed out!';
        logout();
    } else {
        $_SESSION['last_activity'] = time();
    }


    Hi, I'm super new to PHP and love this lesson; not many coders comment so much, so it's very easy to understand.

    I would like to have the above feature, the only thing is I'm not sure where to place it. I have tried over and over again with no joy.

    Do I place it in common.php, or part of it?
    If someone could take a look I'd be very grateful.
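The three session problems raised in this thread (the login form that never hides, the missing session_start() before the doctype, and the question of where the timeout check belongs) all come down to one include that runs before any output. The following is an added example, not the tutorial's includes/common.php and not code from any poster. SESSION_TIMEOUT, session_timed_out() and logout() follow the snippet quoted above; the cookie settings, is_logged_in() and require_login() are assumptions made for this example.

```php
<?php
// Added example (not the tutorial's includes/common.php and not code from
// any poster): one include that every page loads before its first byte of
// output. SESSION_TIMEOUT, session_timed_out() and logout() follow the
// snippet quoted above; the cookie settings, is_logged_in() and
// require_login() are assumptions made for this example.

define('SESSION_TIMEOUT', 60);   // idle limit in minutes

// Cookie flags have to be set before session_start(). secure=true assumes
// the site is served over HTTPS; httponly keeps the id away from scripts.
session_set_cookie_params(0, '/', '', true, true);
ini_set('session.use_only_cookies', 1);

// This call must precede <!DOCTYPE html> and any other output. Once output
// has been sent, PHP cannot add the Set-Cookie header, the browser never
// learns the session id, and $_SESSION is empty on the next request, which
// is exactly the "login form keeps showing" symptom from earlier in the thread.
session_start();

function session_timed_out() {
    return isset($_SESSION['last_activity'])
        && time() >= $_SESSION['last_activity'] + SESSION_TIMEOUT * 60;
}

// Explicit logout (for a logout page): clear the data, expire the cookie,
// delete the session file.
function logout() {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 24 * 60 * 60,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// The idle check runs on every request, before any page reads
// $_SESSION['user']. A timed-out session is emptied and gets a fresh id;
// the `true` argument removes the old session file.
if (session_timed_out()) {
    $_SESSION = array();
    session_regenerate_id(true);
}
$_SESSION['last_activity'] = time();

function is_logged_in() {
    return !empty($_SESSION['user']);
}

// For pages that need an account; assumes index.php holds the login form.
function require_login() {
    if (!is_logged_in()) {
        header('Location: index.php');
        exit;
    }
}
```

With this, index.php starts with `<?php require('includes/common.php'); ?>` as its very first line, ahead of the doctype, and wraps the form in `if (!is_logged_in())`; the same function decides between header.html and user_header.html. Pages such as private.php call require_login() at the top instead of repeating the check.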
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    2
    Rep Power
    0

    how to login with that code?


    Hi, how can we improve a login from that code? I was trying with the login.php but it says password incorrect. Thanks for the help.

    Originally Posted by Karl-Uwe Frank
    I must say it's quite a remarkable piece of software you're offering here. So no more excuses for storing un-salted password hashes.


    I would suggest just a tiny but important improvement.

    Code:
    $salt = hash('sha256', $salt); // result to be stored in the database

    $hash = hash('sha256', $_POST['password'] . $salt);

    for ($i = 0; $i < 16384; $i++) {
        $hash = hash('sha256', $hash . $salt);
    }

    $password = $hash;
    Perhaps you might be interested in reading PBKDF2 (Password-Based Key Derivation Function 2) and Storing passwords in uncrackable form

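The 65536-round sha256 loop in the login code posted above and the PBKDF2 reading suggested here are the same idea; PHP 5.5 ships both the real thing and a simpler replacement. The following is an added example, not the tutorial's login.php and not code from any poster. It assumes the thread's `users` table (id, username, password, salt, email), a PDO handle $db from includes/common.php, that session_start() has already run, and PHP 5.5 or newer for hash_pbkdf2(), password_hash() and password_verify(); hash_equals() is PHP 5.6+.

```php
<?php
// Added example, not the tutorial's login.php and not code from any poster.
// Assumes the thread's `users` table (id, username, password, salt, email),
// a PDO handle $db from includes/common.php, an already started session,
// and PHP 5.5+ for hash_pbkdf2(), password_hash() and password_verify();
// hash_equals() is PHP 5.6+.

// Same work factor as the 65536-round loop in the code above.
define('PBKDF2_ITERATIONS', 65536);

// PBKDF2-HMAC-SHA256 as defined in RFC 2898, instead of re-hashing
// sha256(hash . salt): the iterated HMAC is what other tools can verify.
function pbkdf2_hash($password, $salt) {
    return hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS);
}

// A fresh random salt for every account (16 random bytes, hex encoded).
function new_salt() {
    return bin2hex(openssl_random_pseudo_bytes(16));
}

// Preferred for new accounts: password_hash() picks bcrypt, generates the
// salt and embeds salt and cost in the returned string, so the salt column
// is no longer needed.
function store_password($password) {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Accept both formats so existing rows keep working: password_hash() output
// starts with "$"; anything else is treated as a legacy PBKDF2 hash.
function check_password($password, $stored, $salt) {
    if (substr($stored, 0, 1) === '$') {
        return password_verify($password, $stored);
    }
    // Constant-time comparison, so timing does not leak how many leading
    // characters of the hash matched.
    return hash_equals($stored, pbkdf2_hash($password, $salt));
}

// Returns true and populates $_SESSION['user'] on success, false otherwise.
function login(PDO $db, $username, $password) {
    $stmt = $db->prepare(
        'SELECT id, username, password, salt, email FROM users WHERE username = :username'
    );
    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$row || !check_password($password, $row['password'], $row['salt'])) {
        return false;   // same outcome for unknown user and wrong password
    }

    // Opportunistic migration: a legacy row is re-stored with password_hash()
    // now that the plaintext is available for this one request.
    if (substr($row['password'], 0, 1) !== '$') {
        $upd = $db->prepare('UPDATE users SET password = :hash, salt = :salt WHERE id = :id');
        $upd->execute(array(':hash' => store_password($password), ':salt' => '', ':id' => $row['id']));
    }

    unset($row['password'], $row['salt']);
    session_regenerate_id(true);   // new id on login, against session fixation
    $_SESSION['user'] = $row;
    return true;
}
```

In the login page this replaces the whole `if($row) { ... }` block with `if (login($db, $_POST['username'], $_POST['password'])) { header('Location: private.php'); exit; }`, after confirming with `var_dump($_POST)` that the form really sends a field called username. Registration stores `store_password($_POST['password'])` and leaves salt empty; the pbkdf2_hash() and new_salt() functions only exist so that rows written by the old loop can still be verified and migrated.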
  13. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Guys, if you want help, create your own thread and write down a concrete error description after you've done some basic debugging yourself.

    I don't think anybody is willing to speculate about two problems at the same time, making this monster thread even longer.
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    2
    Rep Power
    0

    reply


    I wrote here because this piece of code was posted in this thread, but if you are offended by that, I can leave the forum anytime.

    Originally Posted by Jacques1
    Guys, if you want help, create your own thread and write down a concrete error description after you've done some basic debugging yourself.

    I don't think anybody is willing to speculate about two problems at the same time, making this monster thread even longer.
  15. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    I'm not offended. I just think there's a smarter way of asking that question.
