#31
    I haz teh codez!
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Dec 2003
    Posts
    2,540
    Rep Power
    2337
    You create a temporary key -- not a password -- which is valid for a limited amount of time and is part of a link you email to the user. When the user logs in using this link, you redirect them immediately to a "change password" page, where they enter the new password which is stored in the database (hashed, etc.). You can then either log the user out and make them log in again with the new password, or you can allow them to continue on into the site.
    I ♥ ManiacDan & requinix

    This is a sig, and not necessarily a comment on the OP:
    Please don't be a help vampire!
#32
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    6
    Rep Power
    0
    Originally Posted by ptr2void
    You create a temporary key -- not a password -- which is valid for a limited amount of time and is part of a link you email to the user. When the user logs in using this link, you redirect them immediately to a "change password" page, where they enter the new password which is stored in the database (hashed, etc.). You can then either log the user out and make them log in again with the new password, or you can allow them to continue on into the site.
    Thanks a lot, but wouldn't I have to make a second password field in the database then?
#33
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    3
    Rep Power
    0
    I'm pretty sure you would at least have to have a column that would hold the temporary key. When the user types in their new password they would just be writing over the old password. It would work somewhat the same way the change password option works on the user edit page.


    Of course you could always write a script that would generate a random new password for the user, insert it over their old password, and email them the new temp password.
#34
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    6
    Rep Power
    0
    Originally Posted by martylavender
    Of course you could always write a script that would generate a random new password for the user, insert it over their old password, and email them the new temp password.
    Thanks for the reply! But wouldn't that cause a major lack of security?

    I mean, at some point I would have to make a variable containing the new password?
#35
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    3
    Rep Power
    0
    I think either method will work. Obviously, having the temp password or random string expire after a certain amount of time is more secure as far as time is concerned.
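The flow ptr2void describes in #31 (a temporary key that is not a password, valid for a limited time, carried in an emailed link, followed by a forced password change), together with the storage question from #32 and #33, as an added PHP example that is not the tutorial's or any poster's code. It assumes PHP 7.1+, a PDO connection $db and a separate password_resets table (user_id, token_hash, expires_at); that table name and the reset.php / change_password.php page names are placeholders.

```php
<?php
// Added example (not the tutorial's code): time-limited reset key as described in #31.
// Assumes PHP 7.1+, a PDO connection $db and a separate table (placeholder name)
//   password_resets (user_id INT, token_hash CHAR(64), expires_at DATETIME)
// so the key never touches the password column that the question in #32 asks about.

const RESET_TTL_SECONDS = 3600; // the link stops working after one hour

// Step 1 (forgot-password form): create the key and hand it back to be e-mailed.
// Only a hash of the key is stored, so a leaked table does not yield working links.
function create_reset_key(PDO $db, int $user_id): string
{
    $key = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, not mt_rand()
    $stmt = $db->prepare(
        "INSERT INTO password_resets (user_id, token_hash, expires_at)
         VALUES (:user_id, :token_hash, :expires_at)"
    );
    $stmt->execute([
        ':user_id'    => $user_id,
        ':token_hash' => hash('sha256', $key),
        ':expires_at' => date('Y-m-d H:i:s', time() + RESET_TTL_SECONDS),
    ]);
    // The caller e-mails e.g. "https://example.invalid/reset.php?key=" . $key (placeholder host).
    return $key;
}

// Step 2 (reset.php): look the key up by its hash, reject expired keys, and delete
// the row so a link works exactly once. Returns the user id, or null if rejected.
function redeem_reset_key(PDO $db, string $key): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $key)) {
        return null;                    // malformed key: never reaches the database
    }
    $stmt = $db->prepare(
        "SELECT user_id FROM password_resets
         WHERE token_hash = :token_hash AND expires_at > :now"
    );
    $stmt->execute([
        ':token_hash' => hash('sha256', $key),
        ':now'        => date('Y-m-d H:i:s'),
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;                    // unknown or expired key
    }
    $del = $db->prepare("DELETE FROM password_resets WHERE user_id = :user_id");
    $del->execute([':user_id' => $row['user_id']]); // single use: burn every key for this user
    return (int) $row['user_id'];
}

// In reset.php: accept the key, then send the user straight to the change-password
// page (placeholder name), as #31 describes; no password is ever mailed.
// $user_id = redeem_reset_key($db, $_GET['key'] ?? '');
// if ($user_id === null) { die("This reset link is invalid or has expired."); }
// $_SESSION['password_reset_user'] = $user_id;
// header("Location: change_password.php");
// die("Redirecting to change_password.php");
```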
#36
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    1
    Rep Power
    0
    First off, thanks for this tutorial, it's very helpful.

    I was just wondering how we secure the common.php file, since it has our db username and password. I've been looking around on the web and it seems like I should modify the .htaccess file, but how? Or is there some other way?
#37
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,301
    Rep Power
    7170
    I was just wondering how we secure the common.php file, since it has our db username and password. I've been looking around on the web and it seems like I should modify the .htaccess file, but how? Or is there some other way?
    It is not possible for visitors to access your PHP source code over HTTP unless your web server is configured to not execute PHP code (in that case, this tutorial wouldn't be very useful to you). It doesn't matter if they visit common.php, all they will see is a blank page.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
#38
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    3
    Rep Power
    0

    How can we change the username?


    Very, very nice tutorial.

    I have just one question.

    If the user wishes to change his username, how can he do it?

    Thanks for your work
#39
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,301
    Rep Power
    7170
    If you wished to allow the user to change their username it could be done by editing the edit_account.php page. It would be handled in much the same way as the email field, except the validation logic would be different. The validation logic for the username is demonstrated on the registration page.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
#40
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    3
    Rep Power
    0
    Originally Posted by E-Oreo
    If you wished to allow the user to change their username it could be done by editing the edit_account.php page. It would be handled in much the same way as the email field, except the validation logic would be different. The validation logic for the username is demonstrated on the registration page.
    I'm new to PHP and I'm learning alone with books and tutorials; I have also read php.net, but I'm still confused.

    What am I doing wrong? When I change the username, the name displayed is new; however, when I log out and try to log in again, I get the message saying that the login failed. I have to enter the old username again; it is not updating the database with the new username.

    PHP Code:
    <?php

        // First we execute our common code to connection to the database and start the session
        require("common.php");

        if(!empty($_POST))
        {

            if($_POST['username'] != ['username'])
            {
                // Define our SQL query
                $query = "
                    SELECT
                        1
                    FROM admin
                    WHERE
                        username = :username
                ";

                // Define our query parameter values
                $query_params = array(
                    ':username' => $_POST['username']
                );

                try
                {
                    // Execute the query
                    $stmt = $db->prepare($query);
                    $result = $stmt->execute($query_params);
                }
                catch(PDOException $ex)
                {
                    die("Failed to run query: " . $ex->getMessage());
                }

                // Retrieve results (if any)
                $row = $stmt->fetch();
                if($row)
                {
                    die("This username is already in use.");
                }
            }

            // Make sure the user entered a valid E-Mail address
            if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
            {
                die("Invalid E-Mail Address");
            }

            if($_POST['email'] != $_SESSION['user']['email'])
            {
                // Define our SQL query
                $query = "
                    SELECT
                        1
                    FROM admin
                    WHERE
                        email = :email
                ";

                // Define our query parameter values
                $query_params = array(
                    ':email' => $_POST['email']
                );

                try
                {
                    // Execute the query
                    $stmt = $db->prepare($query);
                    $result = $stmt->execute($query_params);
                }
                catch(PDOException $ex)
                {
                    die("Failed to run query: " . $ex->getMessage());
                }

                // Retrieve results (if any)
                $row = $stmt->fetch();
                if($row)
                {
                    die("This E-Mail address is already in use");
                }
            }

            if(!empty($_POST['password']))
            {
                $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
                $password = hash('sha256', $_POST['password'] . $salt);
                for($round = 0; $round < 65536; $round++)
                {
                    $password = hash('sha256', $password . $salt);
                }
            }
            else
            {
                // If the user did not enter a new password we will not update their old one.
                $password = null;
                $salt = null;
            }

            // Initial query parameter values
            $query_params = array(
                ':username' => $_POST['username'],
                ':user_id' => $_SESSION['user']['id'],
            );

            $query_params = array(
                ':email' => $_POST['email'],
                ':user_id' => $_SESSION['user']['id'],
            );

            // If the user is changing their password, then we need parameter values
            // for the new password hash and salt too.
            if($password !== null)
            {
                $query_params[':password'] = $password;
                $query_params[':salt'] = $salt;
            }

            $query = "
                UPDATE admin
                SET
                    username = :username
            ";

            $query = "
                UPDATE admin
                SET
                    email = :email
            ";

            if($password !== null)
            {
                $query .= "
                    , password = :password
                    , salt = :salt
                ";
            }

            $query .= "
                WHERE
                    id = :user_id
            ";

            try
            {
                // Execute the query
                $stmt = $db->prepare($query);
                $result = $stmt->execute($query_params);
            }
            catch(PDOException $ex)
            {
                // Note: On a production website, you should not output $ex->getMessage().
                // It may provide an attacker with helpful information about your code.
                die("Failed to run query: " . $ex->getMessage());
            }

            // Now that the user's E-Mail address has changed, the data stored in the $_SESSION
            // array is stale; we need to update it so that it is accurate.
            $_SESSION['user']['username'] = $_POST['username'];
            $_SESSION['user']['email'] = $_POST['email'];

            // This redirects the user back to the members-only page after they register
            header("Location: private.php");

            die("Redirecting to private.php");
        }

    ?>
    <h1>Edit Account</h1>
    <form action="edit_account.php" method="post">
        Username:<br />
        <b><?php echo htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?></b>
        <br /><br />
        username:<br />
        <input type="text" name="username" value="<?php echo htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?>" />
        <br /><br />
        E-Mail Address:<br />
        <input type="text" name="email" value="<?php echo htmlentities($_SESSION['user']['email'], ENT_QUOTES, 'UTF-8'); ?>" />
        <br /><br />
        Password:<br />
        <input type="password" name="password" value="" /><br />
        <i>(leave blank if you do not want to change your password)</i>
        <br /><br />
        <input type="submit" value="Update Account" />
    </form>
#41
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    3
    Rep Power
    0
    E-Oreo thank you for your advice

    OK, I figured out where I was going wrong. First, it's wrong in this piece of code:

    PHP Code:
    if($_POST['username'] != ['username'])
    and thus should be this way

    PHP Code:
    if($_POST['username'] != $_SESSION['user']['username'])
    The second error was in $query_params

    PHP Code:
    $query_params = array(
        ':username' => $_POST['username'],
        ':user_id' => $_SESSION['user']['id'],
    );
    $query_params = array(
        ':email' => $_POST['email'],
        ':user_id' => $_SESSION['user']['id'],
    );
    when it should be done this way

    PHP Code:
    $query_params = array(
        ':username' => $_POST['username'],
        ':email' => $_POST['email'],
        ':user_id' => $_SESSION['user']['id'],
    );
    And finally, I included two queries:

    PHP Code:
    $query = "
        UPDATE admin
        SET
            email = :email
    ";
    $query = "
        UPDATE admin
        SET
            username = :username
    ";

    Once again, it should have been done this way:

    PHP Code:
    $query = "
        UPDATE admin
        SET
            username = :username,
            email = :email
    ";

    Now, the code is working as it is supposed to, so far.

    If there's something you want to tell me, please do, because I'm still learning. I am a beginner in programming and I don't have anyone to teach me in my studies, so all criticism, help or advice is very welcome.

    Sorry for my bad English.
    A big thank you to all of you.
    Last edited by Hijack; November 4th, 2012 at 01:57 PM. Reason: Formatting text and applying PHP tags to the code
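The username and e-mail change from #40 and #41 collected into one function, as an added PHP example that is not the tutorial's or any poster's code. It assumes PHP 7.1+, a PDO connection $db, the thread's admin table (id, username, email) and $_SESSION['user'] holding id, username and email; the username pattern is an assumed stand-in for whatever the registration page validates.

```php
<?php
// Added example (not the thread's or the tutorial's code). Assumes a PDO connection $db,
// an `admin` table with columns id, username, email, and a $_SESSION['user'] array
// with 'id', 'username' and 'email'. Returns an error message, or null on success.
function change_account(PDO $db, array &$session_user, string $new_username, string $new_email): ?string
{
    // Validate before touching the database. The pattern is an assumption standing in
    // for the registration page's own username rule.
    if (!preg_match('/^[A-Za-z0-9_]{1,50}$/', $new_username)) {
        return "Invalid username.";
    }
    if (!filter_var($new_email, FILTER_VALIDATE_EMAIL)) {
        return "Invalid E-Mail Address";
    }

    // Only check uniqueness for a field that actually changes, comparing against the
    // session value rather than a bare ['username'] literal (the mistake fixed in #41).
    if ($new_username !== $session_user['username'] && is_taken($db, 'username', $new_username)) {
        return "This username is already in use.";
    }
    if ($new_email !== $session_user['email'] && is_taken($db, 'email', $new_email)) {
        return "This E-Mail address is already in use";
    }

    // One UPDATE with one parameter array: a second `$query_params = array(...)` or a
    // second `$query = "..."` silently throws the first one away (the other bug in #41).
    $stmt = $db->prepare(
        "UPDATE admin SET username = :username, email = :email WHERE id = :user_id"
    );
    $stmt->execute([
        ':username' => $new_username,
        ':email'    => $new_email,
        ':user_id'  => $session_user['id'],
    ]);

    // Refresh the session copy so the displayed name and the next login agree.
    $session_user['username'] = $new_username;
    $session_user['email']    = $new_email;
    return null;
}

// Column names cannot be bound as parameters, so $column is restricted to a fixed
// whitelist and is never taken from user input.
function is_taken(PDO $db, string $column, string $value): bool
{
    if (!in_array($column, ['username', 'email'], true)) {
        throw new InvalidArgumentException("unexpected column name");
    }
    $stmt = $db->prepare("SELECT 1 FROM admin WHERE $column = :value");
    $stmt->execute([':value' => $value]);
    return (bool) $stmt->fetch();
}

// Usage in edit_account.php, after require("common.php") and the !empty($_POST) check:
// $error = change_account($db, $_SESSION['user'], $_POST['username'], $_POST['email']);
// if ($error !== null) { die($error); }
```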
#42
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    1
    Rep Power
    0
    Hi, I'm using your script to secure login. On localhost it works just perfectly, but when I upload it to an online server I'm having trouble with redirecting. It looks like header is causing some trouble.
    PHP Code:
    header("Location:index.php"); 
    Do you have any suggestions on how to fix that?
#43
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    152
    Rep Power
    12

    How to have the new user details emailed to them


    Hi

    I love this tutorial and it works perfectly, just a couple of things:

    Is it possible for the new user's details to be sent to their email address after registering on the website?

    Is it possible to add a forgot password link in somewhere? If so, how do I do it?

    Kind regards

    Ian
#44
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    1
    Rep Power
    0

    Specific users access specific pages?


    Hi Guys,

    If I wanted to have particular pages only be allowed access from specific users, how would I do it? Is it a matter of replacing 'user' with their username? Sorry, I am not an expert at PHP but really want to get into using it.

    Code:
    <?php 
    
        // First we execute our common code to connection to the database and start the session 
        require("common.php"); 
         
        // At the top of the page we check to see whether the user is logged in or not 
        if(empty($_SESSION['user'])) 
        { 
            // If they are not, we redirect them to the login page. 
            header("Location: login.php"); 
             
            // Remember that this die statement is absolutely critical.  Without it, 
            // people can view your members-only content without logging in. 
            die("Redirecting to login.php"); 
        } 
         
        // Everything below this point in the file is secured by the login system 
         
        // We can display the user's username to them by reading it from the session array.  Remember that because 
        // a username is user submitted content we must use htmlentities on it before displaying it to the user. 
    ?> 
    Hello <?php echo htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?>, secret content!<br /> 
    <a href="memberlist.php">Memberlist</a><br /> 
    <a href="edit_account.php">Edit Account</a><br /> 
    <a href="logout.php">Logout</a>
#45
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2013
    Posts
    1
    Rep Power
    0
    Originally Posted by joeyfm
    Hi Guys,

    If I wanted to have particular pages only be allowed access from specific users, how would I do it? Is it a matter of replacing 'user' with their username? Sorry, I am not an expert at PHP but really want to get into using it.

    Doing something like this opens a new can of worms. The basis of this login system could be built upon to make something like this, but I believe it is beyond the scope of this post. It sounds like you want to build your own content management system.
