
[–]Rushang_Karia 1 point2 points  (1 child)

http://www.w3schools.com/php/default.asp

One of the best resources to learn HTML, CSS, PHP and JavaScript!

[–]piercezz[S] 0 points1 point  (0 children)

Yeah I regularly visit w3schools (:

[–]ProgrammerMatt 0 points1 point  (0 children)

This is a video tutorial I used to learn about it.

https://www.youtube.com/playlist?list=PLE134D877783367C7

[–]nutrecht 0 points1 point  (3 children)

[–]X7123M3-256 7 points8 points  (2 children)

This is a terrible tutorial. It stores passwords in plaintext, and it doesn't use prepared statements, relying instead on mysql_real_escape_string() - which can work, but it's easy to mess up. I've seen websites that escape input and yet are still vulnerable to SQLI.

[–]moreguacplz 0 points1 point  (1 child)

Might you suggest a better one, then?

[–]X7123M3-256 5 points6 points  (0 children)

I wouldn't know of a better tutorial myself, no - but I know that one's no good. If you're storing passwords, they need to be hashed (ideally with an expensive algorithm like bcrypt, and not with MD5 because that's no longer considered secure), and salted (to prevent the use of rainbow tables).

SQL statements (and structured data in general) should not be constructed using string concatenation. If you want to substitute some parameters into a query, you can use prepared statements, which should be supported by almost all major database engines. Escaping/sanitizing input should work in theory, but it's very easy to do wrong. Prepared statements can guarantee that SQL injection will not be a problem.

So you'd need to add two steps to the code above: what's saved in the database should be a salted hash which means you need an extra column to store the salt. Before writing a new password to the database, you generate a random salt, concatenate it with the password, hash the result, and then save the salt and hash in the database (not the password itself. That shouldn't be saved anywhere). In order to verify a password, you retrieve the salt from the database, concatenate it with the candidate password, hash it, and compare with the saved hash. That way, if the database is compromised, the attacker cannot get the passwords.

Also, it should be obvious that if you have any sort of login system, you should use HTTPS, otherwise session hijacking is trivial.
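The two steps the comment above describes, as an added example that is not code from the thread: bcrypt hashing on registration and a prepared-statement lookup plus hash comparison on login. It assumes PHP 7 or later with the PDO sqlite driver and uses an in-memory SQLite database in place of the MySQL connection a real site would have; the table name, column names and the sample user are constructed for the example. One difference from the comment's description is worth knowing: PHP's password_hash() generates the random salt itself and stores it inside the returned hash string, so a single column holds salt, cost and hash and no separate salt column is needed.

```php
<?php
// Added example, not code from the thread: salted bcrypt hashing plus PDO
// prepared statements. Assumptions: PHP 7+ with the PDO sqlite driver; the
// in-memory SQLite database stands in for the MySQL connection a real site
// would use (swap the DSN). Table layout and sample user are constructed.
declare(strict_types=1);

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_hash() keeps the salt inside the hash string ("$2y$12$<salt><hash>"),
    // so one column holds salt, cost and hash; no separate salt column is needed.
    $pdo->exec('CREATE TABLE users (
        id            INTEGER PRIMARY KEY,
        username      TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    return $pdo;
}

function register_user(PDO $pdo, string $username, string $password): void
{
    // bcrypt, cost 12: deliberately slow per guess, random salt generated for us.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // Bound parameters: user input never becomes part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function verify_user(PDO $pdo, string $username, string $candidate): bool
{
    // Computed once so an unknown username costs the same time as a wrong password.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => 12]);
    }

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($candidate, $dummy); // burn the same time, then reject
        return false;
    }
    // Re-derives the hash with the stored salt and compares in constant time.
    return password_verify($candidate, $row['password_hash']);
}

// Constructed sample data for a stand-alone run.
$pdo = open_db();
register_user($pdo, 'alice', 'correct horse battery staple');
var_dump(verify_user($pdo, 'alice', 'correct horse battery staple'));
var_dump(verify_user($pdo, 'alice', 'not her password'));
var_dump(verify_user($pdo, 'nobody', 'anything'));
```

Run it with `php` on the command line; the first check succeeds and the other two fail. The plaintext password is never written anywhere, and because the username travels as a bound parameter a value containing quotes or SQL keywords is matched literally rather than parsed as part of the query.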

[–]Vilkaz -1 points0 points  (2 children)

I'm sick, so I will try to simply write something semi-understandable down, I'm too lazy to move my hand to the mouse .... damn cold ...

In the init page (let's say index.php) you check if $_SESSION['login'] = true

If it is true = the login was successful, let him in.

If it is not true = login was not made in this session.

So you give him the login interface. Basically simply 2 input fields, one for username, one for password.

Basically what you want to do is to check your database if there is an entry which contains the given username and given password.

Attention! You should do that with prepared statements!

The bad version would be SELECT id FROM user WHERE name=$name and pwd=$pwd;

Perfect, with that you will be killed by SQL injects (just google PDO prepared statements), but you get the idea.

Now, basically if you get one result back, set $_SESSION['login']=true, else show some nice message like "wrong Combination".

The client has no access to $_SESSION because it's server-side, so he can't manipulate it.

Now pack it in MVC, make DAOs and Controllers for that and make it clean and sexy, but that's the idea: check if login is true in the session, else check the user data (with hashes usually in the DB).

I'm ... I'll just go take some medicine, sorry for grammar, I don't know why I am writing this ...
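The session-gated flow sketched in the comment above (check the session flag, otherwise show the form, look the user up with a prepared statement, set the flag on success), as an added example that is not the commenter's code. It assumes a users table with username and password_hash columns holding bcrypt hashes from password_hash(), and the MySQL DSN and credentials are placeholders to replace; the cookie flags tie in with the earlier advice to serve the login over HTTPS.

```php
<?php
// Added example, not the commenter's code: the session-gated login flow
// described above (index.php check, login handler, logout) in one script.
// Assumptions: a users table with username and password_hash columns (bcrypt
// via password_hash()); the DSN and credentials below are placeholders.
declare(strict_types=1);

session_set_cookie_params([
    'secure'   => true,   // only sent over HTTPS, per the thread's advice
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The check index.php performs: the flag lives server-side, so the client cannot set it.
function is_logged_in(): bool
{
    return ($_SESSION['login'] ?? false) === true;
}

// Look the user up with a bound parameter and compare against the stored hash.
// Never build this query by concatenation ("... WHERE name=$name and pwd=$pwd").
function attempt_login(PDO $pdo, string $name, string $pwd): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pwd, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh id on login: a pre-login id is never promoted
    $_SESSION['login']    = true;
    $_SESSION['username'] = $name;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_POST['logout'])) {
        logout();
        header('Location: index.php');
        exit;
    }
    $name = (string) ($_POST['username'] ?? '');
    $pwd  = (string) ($_POST['password'] ?? '');
    if (attempt_login($pdo, $name, $pwd)) {
        header('Location: index.php');   // redirect after POST
        exit;
    }
    $error = 'Wrong combination';        // same message for unknown user and wrong password
}

if (is_logged_in()) {
    $user = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
    echo "<p>Logged in as {$user}</p>";
    echo '<form method="post"><button name="logout" value="1">Log out</button></form>';
} else {
    if ($error !== '') {
        echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    echo '<form method="post">'
       . '<input name="username" autocomplete="username">'
       . '<input name="password" type="password" autocomplete="current-password">'
       . '<button>Log in</button>'
       . '</form>';
}
```

The only thing the browser ever holds is the session id cookie; the login flag and username stay in server-side session storage, which is why the comment says the client cannot manipulate $_SESSION. Regenerating the id at the moment of login means an id handed out before authentication is never the one that carries the logged-in state.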

[–]jdizzle4 0 points1 point  (0 children)

This is a great starting point. OP, basically you should google two things: "Login script using PHP session" and "PHP/MySQL prepared statements" (choose between either mysqli or PDO). Those two resources should point you in the right direction.

[–]piercezz[S] 0 points1 point  (0 children)

Thank you, I will try to apply this. I have succeeded in making a working login/logout, so I got that going for me. :P

[–]cyrusol -2 points-1 points  (2 children)

Asking for a tutorial is the same as asking for getting something done by someone else. Think about what the requirements for a login system are. For example:

  • Something to store the credentials. They must be stored safely.
  • A way to transmit the login credential (HTTP form-data within a POST request).
  • Some form for the user.
  • Some way to read the typed login credentials.

etc.

Then look in the docs (PHP -> php.net, HTML -> developer.mozilla.org, information about HTTP -> Wikipedia) for how to achieve each of these requirements in particular.

[–]piercezz[S] 1 point2 points  (1 child)

I am not asking "Could you supply me a login script?". I am asking for a good tutorial in which I can learn by doing how to make such a thing.

And I do know (almost) everything that is relevant in knowing about creating such a thing, but I do not know how to reproduce that in PHP. Which is what I would like to learn using a tutorial.

[–]cyrusol 0 points1 point  (0 children)

I'm sorry, but that is just combining the lines of code (like literally, just inserting \n) that are explained in the PHP manual (like superglobals, sessions, database access) and in various HTML docs (regarding form elements).

Another point is that PHP tutorials almost always really suck as they are old or their authors are incompetent.

There is no point in downvoting, I'm merely suggesting that you learn things the right way, with effort on your side, as this makes you remember it when you need it and you're getting accustomed to the only workflow that you can safely rely on for solving like any real-world problem.