
Thread: password security

  1. #1 (Join Date: Mar 2007, Posts: 43)

    password security

    I'm making a php form in which people who update the database on my website can use to add information. However, I wanted to somehow password protect the form so not just anyone could add stuff to the database.

    Is that the best way to secure the form? If so how do I do that?

  2. #2 (Join Date: Aug 2006, Location: Ohio, Posts: 266)

    I would say the best way if you are using an SQL database is to create another table called "users" or something and put all the people you want to have access in there. Then have a log in that checks to see if the data entered in a form is the same as that in the database. If so, log them in. You can also encrypt the password, the most common way is the use of md5($passwordhere). It takes the password entered and turns it into a hash so it is a lot more secure. If you need the code on how to do this, let me know and I will get it to you when I have the time, right now I have to be going.
    Thanks DD, you saved me countless times

  3. #3 (Join Date: Mar 2007, Posts: 43)

    Yeah I'd rather not get into the whole user thing. Just a shared password I can give to everyone who is going to edit the content. If you can give me that code, that would be amazing!

  4. #4 (Join Date: Aug 2006, Location: Ohio, Posts: 266)

    Ok, here is the code. Every user can have the same name and pass or separate ones, it's up to you. This does use a username and pass, but it's really no extra work to use a username too, and it is more secure.
    PHP Code:
    <?php
    // Add your database connection (mysql_connect()/mysql_select_db()) above this line.
    session_start(); // before any output, so the session can be written on success

    // If form submitted
    if (isset($_POST['login'])) {
        $user = $_POST['username'];

        // Turn password into hash
        $pass = md5($_POST['password']);

        // Check for user (escape the value so quotes in it cannot change the query)
        $safe_user = mysql_real_escape_string($user);
        $qry = mysql_query("SELECT * FROM `users` WHERE username = '$safe_user'") or die('Error Getting User! <br />' . mysql_error());
        $u   = mysql_fetch_array($qry);
        $chk = mysql_num_rows($qry);

        $self = htmlspecialchars($_SERVER['PHP_SELF']); // escape before echoing into HTML

        // See if username exists
        if ($chk != 1) {
            echo '<meta http-equiv="refresh" content="2;URL=' . $self . '" />
                <span style="color: #FF0000"><b>Invalid Username!</b></span>';
        }
        // Check password
        elseif ($pass !== $u['password']) {
            echo '<meta http-equiv="refresh" content="2;URL=' . $self . '" />
                <span style="color: #FF0000"><b>Invalid Password!</b></span>';
        }
        // If username and pass match database, set sessions
        else {
            // Set username, password, and ip sessions
            $_SESSION['user'] = $user;
            $_SESSION['pass'] = $pass;
            $_SESSION['ip']   = $_SERVER['REMOTE_ADDR'];

            echo '<meta http-equiv="refresh" content="2;URL=YOUR ADMIN HOME.php" />
                <b>You are now logged in!</b>';
        }
    }

    // If form not submitted
    if (!isset($_POST['login'])) {
    ?>
    <!-- Login Form -->
        <form method="post" action="">
            <table width="232">
                <tr>
                    <td width="75"><b>Username:</b></td>
                    <td width="145"><input type="text" name="username" /></td>
                </tr>
                <tr>
                    <td><b>Password:</b></td>
                    <td><input type="password" name="password" /></td>
                </tr>
                <tr>
                    <td colspan="2" align="right"><input type="submit" name="login" value="Login" /></td>
                </tr>
            </table>
        </form>
    <!-- /Login Form -->
    <?php
    }
    You will have to add your database connection info for it to work. Also note that near the end, replace the "YOUR ADMIN HOME.php" with the filename of your control panel. You will need to add this table to your database:
    Code:
    CREATE TABLE `users` (
        `id` int(5) NOT NULL auto_increment,
        `username` varchar(32) NOT NULL,
        `password` varchar(32) NOT NULL,
        PRIMARY KEY (`id`)
    ) ENGINE=MyISAM; -- ENGINE= replaces the old TYPE= keyword, which MySQL 5.5 and later reject
    When you insert your users, be sure that when you set the password, it is using md5($password); because the password in the database must be stored as a hash for the submitted password to match it. Add this code to the top of your protected pages:
    PHP Code:
    <?php
    session_start(); // the session must be started before $_SESSION can be read
    if (empty($_SESSION['user']) || empty($_SESSION['pass']) || empty($_SESSION['ip']) || $_SESSION['ip'] !== $_SERVER['REMOTE_ADDR']) {
        header("Location: login.php");
        exit; // stop here, or the protected page is still sent after the redirect header
    }
    ?>
    I didn't test it because I am on my way out for work, but it should work. If there are any issues, just let me know and I will check it out when I get the chance. Hope this helps.
    Last edited by Titan85; 03-23-2007 at 08:27 PM.

  5. #5 (Join Date: Mar 2007, Posts: 43)

    Quote:
    be sure that when you set the password, it is using md5($password)
    I don't really understand that part.

  6. #6 (Join Date: Aug 2006, Location: Ohio, Posts: 266)

    Originally Posted by llorax:
    I don't really understand that part
    When you insert the password that you want to use for all the users, put md5() around it. Say the password is test, do this:
    PHP Code:
    $pass = 'test';
    $password = md5($pass);
    md5 makes the password into a hash. In the login script, we check for a matching hash of the password they entered. Because we are not simply checking for the word "test", but the hash of test (something like: "098f6bcd4621d373cade4e832627b4f6"), we need to be sure that when the original password is set, we put it into the sql database as a hash. Then the script checks for a matching hash. It is easy for a hacker to figure out "test", mainly when using cookies, but it's hard for them to figure out "098f6bcd4621d373cade4e832627b4f6". Hope this helps.
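    The value quoted above for md5('test') is correct, and the script does compare hashes rather than the plain word. The caveat a reader today needs is that md5() has no salt and is very fast, so the hash of a common password is the same in every database and can be matched against a precomputed list at once. The script below is an added example, not code from the thread; it checks the quoted value and contrasts it with PHP's password_hash()/password_verify(), which salt each hash and make it deliberately slow. The constant name MD5_OF_TEST and the cost value 12 are this example's own choices.

```php
<?php
// Added example, not from the thread: checks the md5('test') value quoted in
// post #6 and shows the property that makes a bare md5() weak for stored passwords.
declare(strict_types=1);

// The hash the post quotes for "test".
const MD5_OF_TEST = '098f6bcd4621d373cade4e832627b4f6';

// md5() has no salt: every user (and every site) that picks "test" stores exactly
// this string, so one precomputed list of common passwords matches all of them.
function md5IsUnsalted(): bool
{
    return md5('test') === MD5_OF_TEST && md5('test') === md5('test');
}

// password_hash() draws a random salt per call and stores it inside the result,
// so the same password gives different strings, yet both verify.
function saltedHashesDiffer(): bool
{
    $a = password_hash('test', PASSWORD_DEFAULT);
    $b = password_hash('test', PASSWORD_DEFAULT);
    return $a !== $b
        && password_verify('test', $a)
        && password_verify('test', $b);
}

// It is also deliberately slow: the cost option is a work factor, which is what
// makes trying a whole wordlist expensive where md5() is not.
function costedHashTakesLonger(): bool
{
    $t0 = microtime(true);
    password_hash('test', PASSWORD_BCRYPT, ['cost' => 12]);
    $slow = microtime(true) - $t0;

    $t0 = microtime(true);
    md5('test');
    $fast = microtime(true) - $t0;

    return $slow > $fast * 1000;
}

// If you do keep comparing stored hash strings yourself, compare in constant time
// instead of with == or !==.
function hashesMatch(string $submitted, string $stored): bool
{
    return hash_equals($stored, $submitted);
}

var_dump(md5IsUnsalted(), saltedHashesDiffer(), costedHashTakesLonger());
var_dump(hashesMatch(md5('test'), MD5_OF_TEST));
```

Run it with `php hash_demo.php`; the three checks report true, and each run prints different password_hash() strings for the same input while password_verify() accepts all of them.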

  7. #7 (Join Date: Mar 2007, Posts: 43)

    Do I define the passwords in the actual php document or only in the table?

  8. #8 (Join Date: Aug 2006, Location: Ohio, Posts: 266)

    Originally Posted by llorax:
    Do I define the passwords in the actual php document or only in the table?
    You only define the password when inserting them into the table. Here is what you can do to insert the password:
    PHP Code:
    <?php
    // Add your database connection (mysql_connect()/mysql_select_db()) above this line.

    $username = 'your username';
    $pass     = 'your password';
    $password = md5($pass);

    // Leave `id` out so auto_increment fills it in; escape the username so quotes cannot break the query
    $safe_user = mysql_real_escape_string($username);
    $insert = mysql_query("INSERT INTO `users` (username, password) VALUES ('$safe_user', '$password')") or die('Error inserting data! <br />' . mysql_error());

    echo 'User created successfully';

    ?>
    Hope that helps
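    The three pieces this thread builds, the user-insert script in post #8, the login check in post #4 and the protected-page guard in post #4, can be written today with PDO prepared statements and password_hash()/password_verify() in place of string-built SQL and md5(). The following is an added example, not code from the thread or from its posters. It assumes an in-memory SQLite database so that it runs stand-alone from the command line; the table name `users` matches the thread, while the function names, the DSN, the 12-character minimum and the constructed users 'editor' and "o'brien" are this example's own choices. Against MySQL only the DSN and credentials in connectDb() change.

```php
<?php
// Added example, not from the thread: the user insert (post #8), the login
// check and the protected-page guard (post #4) with PDO prepared statements
// and password_hash()/password_verify().
// Assumption: in-memory SQLite so the file runs with `php example.php`;
// for MySQL use e.g. new PDO('mysql:host=localhost;dbname=site', $dbUser, $dbPass).
declare(strict_types=1);

function connectDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the thread's table; the hash column is wider because
    // password_hash() output is about 60 characters for bcrypt, not md5's 32.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username VARCHAR(32) NOT NULL UNIQUE,
        password VARCHAR(255) NOT NULL
    )');
    return $db;
}

// Post #8's insert: password_hash() picks a random salt and embeds it in the
// result, and the values are bound parameters, never interpolated into SQL.
function createUser(PDO $db, string $username, string $password): void
{
    if ($username === '' || strlen($password) < 12) {
        throw new InvalidArgumentException('username required and password at least 12 characters');
    }
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Post #4's check. One generic false for unknown user and wrong password,
// so the login page no longer reveals which usernames exist.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password']);
}

// After a successful check: a fresh session id, and only the username is stored
// (the thread keeps the password hash in the session, which is never needed).
function startLoginSession(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// Top of each protected page (replaces the $_SESSION['pass'] / IP comparison).
function requireLogin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit; // header() alone does not stop the rest of the page from being sent
    }
}

// Command-line demo with constructed data; in the real form the values come
// from $_POST['username'] and $_POST['password'], as post #10 describes.
$db = connectDb();
createUser($db, 'editor', 'correct horse battery');
createUser($db, "o'brien", 'another long passphrase'); // the quote is bound as data

var_dump(checkLogin($db, 'editor', 'correct horse battery'));
var_dump(checkLogin($db, 'editor', 'wrong password'));
var_dump(checkLogin($db, "o'brien", 'another long passphrase'));
var_dump(checkLogin($db, 'nobody', 'correct horse battery'));
```

In the real login page, call startLoginSession($user) where the thread's script sets its session variables, and put requireLogin() at the top of every protected file in place of the snippet in post #4. The shared-password setup from post #3 still works with this code: create one row per editor, each with the same passphrase if you must, and the salt makes their stored hashes differ anyway.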

  9. #9 (Join Date: Mar 2007, Posts: 43)

    Sorry, I'm still trying to figure this all out. This is all still a little new and confusing for me. So just to clarify:

    <?php

    // If form submitted
    if ($_POST['login']) {
    $user = $_POST['username'];
    // Turn password into hash
    $pass = md5($_POST['password']);
    In that part of the login form, you leave it saying 'username' and do not put the information into the quotes, correct?

  10. #10 (Join Date: Aug 2006, Location: Ohio, Posts: 266)

    Correct, the $_POST['username'] gets the value entered into the username field of the form, same with the password.
