PHP: Login FdSc Module 109 Server side scripting and Database design


PHP: Login FdSc Module 109 Server side scripting and Database design 2011

Example
We will create a login page that asks the user to enter a username and password. If the credentials entered by the user match those hard-coded into the script, a session variable called login will be set to "OK" and the user will be directed to the protected page. The protected page checks that login is "OK"; if it is not, the user is redirected to the login screen.

PHP Sessions
A session is the time spent by a user browsing a particular website. When a session is created, a unique Session ID is set up for the user and is subsequently made available to each page the user visits. PHP keeps the Session ID under the name PHPSESSID and passes it back and forth with each request, by default in a cookie of that name. This allows information to be shared across pages.

Uses
When a user starts a shopping cart, the items added to the cart could be kept in session data. In our case we will use session data to record whether a user is logged in and able to view protected pages.

Session initiation
  <?php
    session_start();
  ?>
The session_start() function checks for an existing session. If one is not found, it creates a new session and gives it a Session ID.

Storing a simple counter value
Session information is stored in session variables using the $_SESSION array. A simple counter variable is created for the session and set to 1:
  <?php
    session_start();
    $_SESSION['count'] = 1;
  ?>

session01.php
  <?php
    session_start();
    $_SESSION['count'] = 1;
  ?>
  <html>
    <head>
      <title>Some web page</title>
    </head>
    <body>
      <?php
        $_SESSION['count'] = 1;
        echo "Counter value = ".$_SESSION['count'];
      ?>
    </body>
  </html>

Checking if a session exists
To check whether a variable exists and has been assigned, use the isset() function. It returns true if the variable has been set (given a value) and false otherwise. We will use isset() to check whether the count variable exists and has been set. If it has, the code will increment the value of count; otherwise the count variable will be created and set to 1.

session02.php
  <?php
    session_start();
    if(isset($_SESSION['count']))
      $_SESSION['count'] = $_SESSION['count'] + 1;
    else
      $_SESSION['count'] = 1;
  ?>
  <html>
    <head>
      <title>Some web page</title>
    </head>
    <body>
      <?php
        echo "Counter value = ".$_SESSION['count'];
      ?>
    </body>
  </html>

Session checker
The result is initially the same, but each time the page is refreshed the counter increases by one.

Clearing a session
Clear the contents of a particular session variable using the unset() function. The following script clears the count variable once it exceeds 10. The page will then say the count does not have a value, and the counting starts again.

session03.php
  <?php
    session_start();
    if(isset($_SESSION['count']))
    {
      $_SESSION['count'] = $_SESSION['count'] + 1;
      if($_SESSION['count'] > 10)
        unset($_SESSION['count']);
    }
    else
      $_SESSION['count'] = 1;
  ?>
  <html>
    <head>
      <title>Some web page</title>
    </head>
    <body>
      <?php
        if(isset($_SESSION['count']))
          echo "Counter value = ".$_SESSION['count'];
        else
          echo "The counter does not currently have a value!";
      ?>
    </body>
  </html>

Login
For this example the user name and password will be stored in the script. Later we will use multiple user names and passwords stored in a database table.

Pages
Login page: establishes a session and asks the user to enter a username and password. If the credentials match, a session variable called login is set to "OK" and the user is directed to the protected page.
Protected page: checks that the $_SESSION login value is "OK"; if it is not, the user is redirected to the login screen.

login.php
Displays a form to enter the user name and password. If they match it calls protected.php. If they are blank or don't match, it calls itself.

login.php (part 1)
  <?php
    $user = $_POST["username"];
    $pass = $_POST["password"];
    $validated = false;
    session_start();
    if($user!="" && $pass!="")
    {
      // credentials are hard-coded in the script for this first version
      if($user=="jsmith" && $pass=="letmein")
        $validated = true;
      if($validated)
      {
        $_SESSION['login'] = "OK";
        $_SESSION['username'] = $user;
        $_SESSION['password'] = $pass;
        header('Location: protected.php');
        exit();
      }
      else
      {
        $_SESSION['login'] = "";
        echo "Invalid username or password.";
      }
    }
    else
      $_SESSION['login'] = "";
  ?>

login.php (part 2)
  <html>
    <body>
      <h1>Login Page</h1>
      <p>Please enter your username and password:</p>
      <form action="login.php" method="post">
        <table>
          <tr>
            <td align="right">Username: </td>
            <td><input type="text" size="20" maxlength="15" name="username"></td>
          </tr>
          <tr>
            <td align="right">Password: </td>
            <td><input type="password" size="20" maxlength="15" name="password"></td>
          </tr>
          <tr>
            <td> </td>
            <td colspan="2" align="left"><input type="submit" value="Login"></td>
          </tr>
        </table>
      </form>
    </body>
  </html>

protected.php
  <?php
    session_start();
    if($_SESSION['login'] != "OK")
    {
      header('Location: login.php');
      exit();
    }
  ?>
  <html>
    <head>
      <title>Protected Web Page</title>
    </head>
    <body>
      <h1>Protected Web Page</h1>
      <?php
        echo "<p>You have successfully logged in!</p>";
        echo "<p>Your username is: ";
        echo $_SESSION['username'];
        echo "<br/>";
        echo "Your password is: ";
        echo $_SESSION['password'];
        echo "</p>";
      ?>
    </body>
  </html>

Login result
If the user name "jsmith" and password "letmein" are entered correctly, the protected page is displayed. If the protected page is accessed without being logged in, the login page is displayed.

Database login
Create a password table:
  CREATE TABLE user (
    userID int not null auto_increment,
    primary key(userID),
    username varchar(20) not null,
    password varchar(20) not null
  );

Create an admin user
  insert into user (username, password) values ("admin", "letmein");

Modify the login code
Check with the database whether the user and password are present:
  $sql = "SELECT * FROM user WHERE username = '$user' AND password = '$pass'";
  $rs = mysql_query($sql,$conn);
  $result = mysql_num_rows($rs);
  if ($result > 0) $validated = true;

modified login.php (part 1)
  <?php
    $user = $_POST["username"];
    $pass = $_POST["password"];
    $validated = false;
    session_start();
    $_SESSION['login'] = "";
    if($user!="" && $pass!="")
    {
      $conn = @mysql_connect ("ourhost", "studentnn", "password") or die ("Sorry - unable to connect to MySQL database.");
      $rs = @mysql_select_db ("admin", $conn) or die ("error");
      // the submitted values are placed straight into the query string
      $sql = "SELECT * FROM user WHERE username = '$user' AND password = '$pass'";
      $rs = mysql_query($sql,$conn);
      $result = mysql_num_rows($rs);
      if ($result > 0) $validated = true;
      if($validated)
      {
        $_SESSION['login'] = "OK";
        $_SESSION['username'] = $user;
        $_SESSION['password'] = $pass;
        header('Location: protected.php');
        exit();
      }
      else
      {
        $_SESSION['login'] = "";
        echo "Invalid username or password.";
      }
    }
    else $_SESSION['login'] = "";
  ?>

modified login.php (part 2)
  <html>
    <body>
      <h1>Login Page</h1>
      <p>Please enter your username and password:</p>
      <form action="login.php" method="post">
        <table>
          <tr>
            <td align="right">Username: </td>
            <td><input type="text" size="20" maxlength="15" name="username"></td>
          </tr>
          <tr>
            <td align="right">Password: </td>
            <td><input type="password" size="20" maxlength="15" name="password"></td>
          </tr>
          <tr>
            <td> </td>
            <td colspan="2" align="left"><input type="submit" value="Login"></td>
          </tr>
        </table>
      </form>
    </body>
  </html>

Modify the protected page
If the admin logs in, then allow them to create a new user:
  if($_SESSION['username'] == 'admin')
  {
    echo "<p><a href='create_user.php'>Create a new user</a></p>";
  }

Modified protected.php
  <?php
    session_start();
    if($_SESSION['login'] != "OK")
    {
      header('Location: login.php');
      exit();
    }
  ?>
  <html>
    <head>
      <title>Protected Web Page</title>
    </head>
    <body>
      <h1>Protected Web Page</h1>
      <?php
        echo "<p>You have successfully logged in!</p>";
        echo "<p>Your username is: ";
        echo $_SESSION['username'];
        echo "<br/>";
        echo "Your password is: ";
        echo $_SESSION['password'];
        echo "</p>";
        if($_SESSION['username'] == 'admin')
        {
          echo "<p><a href='create_user.php'>Create a new user</a></p>";
        }
      ?>
    </body>
  </html>

Create a user
This page is similar to the login page, but entering the details creates a new entry in the table. Save this as create_user.php.

create_user.php
  <?php
    session_start();
    if($_SESSION['login'] != "OK")
    {
      header('Location: login.php');
      exit();
    }
  ?>
  <html>
    <body>
      <h1>Create a new user</h1>
      <p>Please enter details for the new user:</p>
      <form action="insert_user.php" method="post">
        <table>
          <tr>
            <td align="right">Username: </td>
            <td><input type="text" size="20" maxlength="15" name="new_username"></td>
          </tr>
          <tr>
            <td align="right">Password: </td>
            <td><input type="password" size="20" maxlength="15" name="new_password"></td>
          </tr>
          <tr>
            <td> </td>
            <td colspan="2" align="left"><input type="submit" value="Create user"></td>
          </tr>
        </table>
      </form>
    </body>
  </html>

Insert user
The create_user form calls insert_user. The insert script has to insert the new user into the table and offer a choice of continuing the application or logging out.

insert_user.php
  <?php
    // the session check runs before any HTML is sent, so the redirect header can still be issued
    session_start();
    if($_SESSION['login'] != "OK")
    {
      header('Location: login.php');
      exit();
    }
  ?>
  <html>
    <body>
      <h1>User Creation</h1>
      <?php
        $new_user = $_POST["new_username"];
        $new_pass = $_POST["new_password"];
        $conn = @mysql_connect ("localhost", "root", "") or die ("Sorry - unable to connect to MySQL database.");
        $rs = @mysql_select_db ("admin", $conn) or die ("error");
        $sql = "INSERT INTO user (username, password) VALUES ('$new_user', '$new_pass')";
        mysql_query($sql,$conn) or die ("User creation failed.");
        echo "<p>User created successfully.</p>";
        echo "<p>Return to <a href='protected.php'>application</a> or <a href='login.php'>log out</a></p>";
      ?>
    </body>
  </html>

What is wrong?
The security is appalling! We have stored the user names and passwords in clear text. Investigate SHA.
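As an added example (not part of the original slides), here is how the database login and the user-insert step can be rewritten so that the password column holds a salted hash rather than clear text, and so that the submitted username is bound as a parameter instead of being pasted into the query string. It assumes PHP 7+ with mysqli and mysqlnd, the slides' "admin" database and "user" table, and placeholder host and credentials; the hypothetical functions db_connect, create_user and validate_login are mine.

```php
<?php
// Added example, not from the original slides: the database login and
// user creation redone with a prepared statement and a salted password hash.
// Assumes PHP 7+ with mysqli (mysqlnd) and the slides' "admin" database and
// "user" table; host and credentials below are placeholders.
function db_connect(): mysqli {
    $conn = new mysqli("db-host-placeholder", "app-user", "app-password", "admin");
    if ($conn->connect_error) {
        die("Sorry - unable to connect to MySQL database.");
    }
    return $conn;
}

// Store a new user. The password column holds password_hash() output (bcrypt,
// salted, 60 characters), so widen it to VARCHAR(255) first. A bare SHA digest
// is fast to brute-force and would still need its own per-user salt.
function create_user(mysqli $conn, string $username, string $password): bool {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare("INSERT INTO user (username, password) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $hash);
    return $stmt->execute();
}

// Validate a login. The username travels as a bound parameter, so quotes in the
// input cannot change the SQL; the hash is checked with password_verify()
// rather than by putting the password into the WHERE clause.
function validate_login(mysqli $conn, string $username, string $password): bool {
    $stmt = $conn->prepare("SELECT password FROM user WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row !== null && password_verify($password, $row["password"]);
}

session_start();
$user = $_POST["username"] ?? "";
$pass = $_POST["password"] ?? "";
if ($user !== "" && $pass !== "" && validate_login(db_connect(), $user, $pass)) {
    session_regenerate_id(true);    // fresh Session ID on login (fixation defence)
    $_SESSION['login'] = "OK";
    $_SESSION['username'] = $user;  // the password itself is never kept in the session
    header('Location: protected.php');
    exit();
}
$_SESSION['login'] = "";
echo "Invalid username or password.";
?>
```

The protected page then reads only $_SESSION['username'] and should no longer echo a password, since none is stored.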