
Simple Php Login And Registration System


25 replies to this topic

#21 Guest_eVAPor9_*

  • Guests

Posted 25 April 2011 - 09:24 PM

iGuest, on 13 November 2009 - 12:27 PM, said:

Really insecure Simple Php Login And Registration System. This script is more than insecure. Read something about SQL injections and XSS attacks. You should never ever use a $_POST variable directly in an SQL query without checking the variable for SQL commands. http://en.Wikipedia.Org/wiki/SQL_injection -reply by illmat

Indeed. The vars need to be sanitised before ANY processing is done.

' Or 1 = 1 --

etc...

It's OK as a simple beginner's guide to programming but should NEVER be used as any security system EVER.

#22 Jez

    Newbie [Level 1]

  • Kontributors
  • Pip
  • 12 posts
  • Gender:Male
  • Location:North Yorkshire, UK
  • Interests:Semantic web, Web Technologies, Principles covering software development. Application based programming, software and database design, freelance tutoring (taught 3 people so far in programming).

Posted 03 June 2011 - 09:29 AM

Quote

Replace DB_HOST with the host of your database. This is usually “localhost”, but some hosts differ

They only differ if the MySQL server is on a separate node to the PHP parser.

As the HTTP server won't have a clue about what to do with MySQL connections, it's left up to PHP.

You could replace it in that instance with, say, mysqluser@192.168.0.1 if the MySQL host is on a separate computer, this time 192.168.0.1.

Or if you're like me and have a FQDN working on a local network, then you'd use something along the lines of databasehost.mydomain.com

Or in the case of MySQL, mysqluser@mysql.mydomain.com, but you would need to allow for port 3306 (which a lot of hosting plans block anyway). I could open it up on my own server but prefer not to!

Just thought I would give you a heads up on the comparison to the localhost var in the mysql_connect, quite essentially it's just where the mysql server is located compared to the PHP parser.

Quote

$inf = "SELECT * FROM `comments` WHERE page = '".stripslashes($_SERVER['REQUEST_URI'])."' ORDER BY time ASC";

You do not need to escape out of parsing with PHP at all, all you'd need to do on occasion is use mysql_real_escape_string($foo);

This puts in what you want. Also, what you put in your logic (if you're opening it up to the public; if not, then ignore this) is actually opening up your code to SQL injection attacks.

When a hacker gets into your text boxes or creates some form of XSS attack (cross-site scripting) and injects code into your variables, they can potentially wipe your database off completely or read data from it that they should not be reading.

mysql_real_escape_string() sends the variable in as a piece of text, not a command. Escaping out of parsing in PHP alone will make you prone to XSS attacks, and not using mysql_real_escape_string() leaves you open to SQL injection attacks.

Just thought I would give you a word of warning.

Very good tutorial though, but I would never use it for a production system. You might want, for instance, to start thinking about using MySQL-based sessions: work out a set of logic for saving MySQL-stored sessions instead of filesystem-based sessions, so that instead of a file, the row in the database is the session and it goes nowhere near the file system.

It's a good idea when one uses hosting based solutions, they want to keep track of users actions or maybe even have a cluster of mysql servers.

Edited by Jez, 03 June 2011 - 09:44 AM.
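A worked example added here (not code from the thread or from the tutorial it discusses) showing the `' Or 1 = 1 --` input quoted in post #21 against a query built by string concatenation, beside the escaped form Jez describes in post #22 and a prepared statement. It assumes a `users` table with `username` and `password` columns and an open mysqli connection in `$db`.

```php
<?php
// Added example, not from the thread. Assumes a `users` table with
// `username` and `password` columns and an existing mysqli connection $db.

// Vulnerable: the POST value is pasted straight into the SQL text.
// With the input from post #21 the WHERE clause becomes
//   WHERE username = '' Or 1 = 1 -- ' AND password = 'x'
// and the comment marker swallows the password check entirely.
function vulnerable_login_sql(array $post): string
{
    return "SELECT * FROM `users` WHERE username = '" . $post['username'] .
           "' AND password = '" . $post['password'] . "'";
}

// Legacy hardening as Jez describes: the escape function turns the quote
// into \' so the value stays inside the string literal. The mysql_* extension
// was removed in PHP 7; mysqli_real_escape_string() is the equivalent and
// needs the live connection so it can honour the connection charset.
function escaped_login_sql(mysqli $db, array $post): string
{
    $u = mysqli_real_escape_string($db, $post['username']);
    $p = mysqli_real_escape_string($db, $post['password']);
    return "SELECT * FROM `users` WHERE username = '$u' AND password = '$p'";
}

// Preferred: a prepared statement. The SQL text is fixed and user values
// travel separately as parameters, so no quoting trick can change the query
// shape. (The tutorial stores plaintext passwords; in practice store
// password_hash() output and check it with password_verify() instead.)
function prepared_login(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT 1 FROM `users` WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows === 1;
    $stmt->close();
    return $found;
}

// Constructed input mirroring the payload quoted in post #21.
$sample = ['username' => "' Or 1 = 1 --", 'password' => 'x'];
echo vulnerable_login_sql($sample), "\n";
```

Running the script prints the concatenated query so the altered WHERE clause can be read directly; the two hardened functions need the `$db` connection to execute.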


#23 Guest_Confused User_*

  • Guests

Posted 18 June 2011 - 09:57 AM

I get this error on registering:


Parse error: syntax error, unexpected '>' in /home/www/cwcity/hosting/s/t/stylerzz-css/htdocs/login/register.php on line 13

I changed nothing, just the table names, and I don't have any idea..

Please help me guys.

#24 Guest_Gopher_*

  • Guests

Posted 23 October 2011 - 01:26 PM

karlosvalencia, on 05 January 2008 - 01:35 PM, said:

Hello,

I'm new to PHP myself and have what I hope is a basic question. I'd like to have password protected pages on my site. Simply, I have no more than 10 pages, each one with its own password. Is this doable with PHP, or do I need MySQL installed for that?

Furthermore, if I see a server like the one provided by trap17.com how can I install my PHP script on it?
You don't need MySQL. You just need this code:
<?php
// Page markup defined before it is used. Single quotes are used so the
// double-quoted HTML attributes need no escaping.
$enter_pass = '
<html>
<body>
<form method="POST" action="#">
<h1>This page is password protected.</h1>
<p>Password: <input type="password" name="password"><br />
<input type="submit" name="submit" value="submit"></p>
</form>
</body>
</html>';
$display_page = '
<!-- enter page content here -->
';

if (isset($_POST['submit'])) {
    // Strict comparison so a numeric-looking input cannot match loosely.
    if ($_POST['password'] === "password") { // replace "password" (no quotes) with the password you want.
        echo $display_page;
    } else {
        unset($_POST['submit']);
        echo "Wrong password! <a href=\"#\">Try again</a>.";
    }
} else {
    echo $enter_pass;
}
?>
I just made that in 5 minutes off the top of my head.
It's probably wrong. I didn't test it. Anyway,
you will have to change some things like the
password and the content. You can save the page
as whatever you like. I hope you understand it.

#25 Guest_MikdadALi_*

  • Guests

Posted 18 November 2011 - 07:48 AM

Hello Sir,

Can I run these two files in one page, because I want the output on the same page? Please help me, sir.

#26 Guest_Cesc Kadar_*

  • Guests

Posted 21 February 2012 - 08:55 PM

Hello guys, I need help with the login. When the user writes the password without entering the username, it works, and I don't know why.

For example:

username:
password: 1234 (which is stored in the database)

When the user clicks submit, it works without a username.

Help me please.



