Simple PHP login Script

iDeviseFlash · 07-06-2004, 01:47 PM

Ok, i haev basically copied and pasted an email to someone, cause lots of people seem to want this. here it is:

I dont recomend using this for extremely important info, but it works fine for most things.
Ok, im gonna go through this piece by piece, so bear with me.
Here is your html file:
<HTML>
<HEAD>
<TITLE>index</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
</HEAD>
<BODY LEFTMARGIN=0 TOPMARGIN=0 MARGINWIDTH=0 MARGINHEIGHT=0>
<form method="POST" action="login.php">
<div align="left"><p> </p>
<p> <input type="text" name="user" size="14">Username
</p>
<p> <input type="password" name="pw" size="14">Password
</p>
<p> <input name="submit" type="submit" value="Submit">
</p>
</div></form>
</BODY>
</HTML>
This simply has two input boxes, one for the username, one for the password, and a submit button. The instance names for the boxes are "user" and "pw". These are important. Now, for the PHP script. We will call it login.php, because in the html form, we told the page to go there. We start of by listing the Users and passwords;
????: NamePros.com http://www.namepros.com/programming/37568-simple-php-login-script.html
????: NamePros.com http://www.namepros.com/showthread.php?t=37568
<?
$adminuser = "admin";
$testuser = "test";
$adminpass = "admin";
$testpass= "fubar";
This sets the variable adminuser equal to admin, and the same for test. The second lines set the variables adminpass and testpass equal to there values. For each user you get, you will have to go in here and type in a variable for there username and password. This seems tedious, but it really is not. Now for the next part, the real meat of the code, where it checks to see if your username/password combo works.

if ($user == $adminuser&&$pw == $adminpass || $user == $testuser&&$pw == $testpass)
{
print("Welcome to the administration area!");
}
else
{
print("Wrong password");
}
?>
The first line is an IF statement. It mean, if this is true, do this. So, it checks to see of the text entered in the user and password boxes match.

$user == $adminuser&&$pw == $adminpass
this checks if the text is equal to the admin user and pass that you set. the && means and in PHP, so both of those have to be true. the next part:
|| $user == $mehuluser&&$pw == $mehul)
says OR this. the || means OR in php. So it says, if the text entered is equal to this or this, then they are a user. This method is not susceptable to SQL injection, which is a very nice way to hack a login system. ok, this part:
{
print("Welcome to the administration area!");
}
tells the script that if they are a user and there password is OK, then print this line.
this:
else
{
print("Wrong password");
}
?>
says that if the user/pass combo doesnt work, print that line, and then it ends. This is your very basic login script. Now say you want to redirect to another page. That is easy, you simply replace
print("Welcome to the administration area!");
with
header( "Location: http://www.yoursite.com/yourpage.htm" );
This redirects them to that page. Make two pages, one with the content they are allowed to get to if they are a use, and another, that says like sorry, your either screwed up and are an idiot,

, or you dont have permission to get here.
Here a complete login script with redirection. I havent been able to hack it yet, and I am in the top like 2% at hackthissite.org so, i think its pretty safe.
<?
$adminuser = "admin";
$mehuluser = "mehul";
$adminpass = "admin";
$mehulpass = "fubar";
if ($user == $adminuser&&$pw == $adminpass || $user == $mehuluser&&$pw == $mehulpass)
{
header( "Location: http://www.yoursite.com/secure.html" );
}
else
{
header( "Location: http://www.yoursite.com/incoorect.html" );

}
?>
They both have to be in the same directory, because of the links.
Ok, hope you understand it, contact me if you dont \/ \/ \/ \/
A NP donation would be realy nice, but you dont have to, just something to say thanks i guess.
Josh

whyme953 · 07-06-2004, 02:20 PM

what prevents somebody from just typing in the url "http://www.yoursite.com/secure.html"
without going through the login page?

(this is probably a very stupid question as i have not yet read anything about securing pages)

iDeviseFlash · 07-06-2004, 02:23 PM

lol, question. how are they gonna find out that is the page

i told you, i tried to hack this, lol.

and just for you, ill add a boolean flag that says if its false, they cant get there

dpk87 · 07-06-2004, 03:54 PM

"what prevents somebody from just typing in the url "http://www.yoursite.com/secure.html"
without going through the login page?"

With something like that people could EASILY find there way in.

iDeviseFlash · 07-06-2004, 03:57 PM

really? would you like to say how? and i said that you shouldnt use this for any extremely valuable stuff, so..

whyme953 · 07-06-2004, 08:20 PM

obviously i was using that particular url as an example, i just used the one that ideviseflash used.

as i said i know absolutely nothing about how to secure pages at this point, but i assume there is a way to keep people from accessing pages without loging in. (maybe by only giving access if you are redirected from the login page? assuming you could determine that. maybe this is what he meant with the boolean flag?)

cutterofcloth · 07-06-2004, 08:58 PM

y no cookies?

iDeviseFlash · 07-07-2004, 07:34 AM

dont need them, lol. I told you all it was simple, but due to popular demanm

, im working on a secure script, with boolean flags and cookies. Check for it soon!

AndrewZ · 07-07-2004, 08:39 AM

Quote:

Originally posted by iDeviseFlash
????: NamePros.com http://www.namepros.com/showthread.php?t=37568
really? would you like to say how? and i said that you shouldnt use this for any extremely valuable stuff, so..

Heres a simple one!

If your site is indexed in google then site:yoursite.com

iDeviseFlash · 07-07-2004, 08:52 AM

??? what if i shadow the file, what now

TWM · 07-07-2004, 09:08 AM

hahaha... id keep ALL the comments coming at flash, because before you know it he has developted the most securem login there is....

then we can all try to break in !

iDeviseFlash · 07-07-2004, 09:11 AM

lol, its not the MOST secure, but im making one that you all can try and hack, and im gonna give a generous NP to the person that can. look for it in the contest forums!

flexiwebhost.com · 07-07-2004, 01:33 PM

If you were going to use a script like this and have several users etc then a problem with this script is that they could easily pass the details around not realising they have full access to the area.

This type of login should only be used for information you really dont mind people getting hold of and just wish to stop the casual surfer as to be honest thats all it will stop (and even some of them will come across it accidentally)

iDeviseFlash · 07-07-2004, 03:42 PM

umm, ok. I dont know people that give out there usrers and pass's, but you might.

will7 · 07-07-2004, 04:32 PM

Yay! Let's all have a hacking contest. You should make it all secure, then have like 4 - 6 weeks to hack it. First person that does it wins a number of NPs based on how hard it was to hack (in the coder's opinion).

That would be pretty cool. Ofcourse, I'd have no chance, I can't hack to save a blind man from walking of a cliff

iDeviseFlash · 07-07-2004, 04:39 PM

i am

But dude, in 4-6 weeks, i could hack say, whitehouse.gov? lol, no, im talking you got hours. I could be running scans and see if anyone is doing anything they arent meant to

Ok, the first annual WDT/NP Hacking contest starts now. Im gonna make the script then get back to yall!

Peter · 07-08-2004, 10:01 AM

Quote:

Originally posted by iDeviseFlash
umm, ok. I dont know people that give out there usrers and pass's, but you might.

they wouldnt need to because the page they get sent to does not check they are registered just the page that forwards them.

Many people send people URL's to take a look at and dont realise they can give access to sensitive areas.

iDeviseFlash · 07-08-2004, 10:01 AM

ya, but as i have said, what if i shadow the redirect page or put a boolean flag on it?

07-06-2004, 01:47 PM	THREAD STARTER #1 (permalink)
iDeviseFlash Senior Member Join Date: Jun 2004 Posts: 1,030	Simple PHP login Script Ok, i haev basically copied and pasted an email to someone, cause lots of people seem to want this. here it is: I dont recomend using this for extremely important info, but it works fine for most things. Ok, im gonna go through this piece by piece, so bear with me. Here is your html file: <HTML> <HEAD> <TITLE>index</TITLE> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> </HEAD> <BODY LEFTMARGIN=0 TOPMARGIN=0 MARGINWIDTH=0 MARGINHEIGHT=0> <form method="POST" action="login.php"> <div align="left"><p> </p> <p> <input type="text" name="user" size="14">Username </p> <p> <input type="password" name="pw" size="14">Password </p> <p> <input name="submit" type="submit" value="Submit"> </p> </div></form> </BODY> </HTML> This simply has two input boxes, one for the username, one for the password, and a submit button. The instance names for the boxes are "user" and "pw". These are important. Now, for the PHP script. We will call it login.php, because in the html form, we told the page to go there. We start of by listing the Users and passwords; ????: NamePros.com http://www.namepros.com/programming/37568-simple-php-login-script.html ????: NamePros.com http://www.namepros.com/showthread.php?t=37568 <? $adminuser = "admin"; $testuser = "test"; $adminpass = "admin"; $testpass= "fubar"; This sets the variable adminuser equal to admin, and the same for test. The second lines set the variables adminpass and testpass equal to there values. For each user you get, you will have to go in here and type in a variable for there username and password. This seems tedious, but it really is not. Now for the next part, the real meat of the code, where it checks to see if your username/password combo works. if ($user == $adminuser&&$pw == $adminpass \|\| $user == $testuser&&$pw == $testpass) { print("Welcome to the administration area!"); } else { print("Wrong password"); } ?> The first line is an IF statement. It mean, if this is true, do this. So, it checks to see of the text entered in the user and password boxes match. $user == $adminuser&&$pw == $adminpass this checks if the text is equal to the admin user and pass that you set. the && means and in PHP, so both of those have to be true. the next part: \|\| $user == $mehuluser&&$pw == $mehul) says OR this. the \|\| means OR in php. So it says, if the text entered is equal to this or this, then they are a user. This method is not susceptable to SQL injection, which is a very nice way to hack a login system. ok, this part: { print("Welcome to the administration area!"); } tells the script that if they are a user and there password is OK, then print this line. this: else { print("Wrong password"); } ?> says that if the user/pass combo doesnt work, print that line, and then it ends. This is your very basic login script. Now say you want to redirect to another page. That is easy, you simply replace print("Welcome to the administration area!"); with header( "Location: http://www.yoursite.com/yourpage.htm" ); This redirects them to that page. Make two pages, one with the content they are allowed to get to if they are a use, and another, that says like sorry, your either screwed up and are an idiot, , or you dont have permission to get here. Here a complete login script with redirection. I havent been able to hack it yet, and I am in the top like 2% at hackthissite.org so, i think its pretty safe. <? $adminuser = "admin"; $mehuluser = "mehul"; $adminpass = "admin"; $mehulpass = "fubar"; if ($user == $adminuser&&$pw == $adminpass \|\| $user == $mehuluser&&$pw == $mehulpass) { header( "Location: http://www.yoursite.com/secure.html" ); } else { header( "Location: http://www.yoursite.com/incoorect.html" ); } ?> They both have to be in the same directory, because of the links. Ok, hope you understand it, contact me if you dont \/ \/ \/ \/ A NP donation would be realy nice, but you dont have to, just something to say thanks i guess. Josh __________________ ~~ SIG FOR SALE ~~ Click here... Last edited by iDeviseFlash; 07-06-2004 at 03:57 PM.

07-06-2004, 02:20 PM	#2 (permalink)
whyme953 NamePros Member Join Date: Jun 2004 Posts: 92	what prevents somebody from just typing in the url "http://www.yoursite.com/secure.html" without going through the login page? (this is probably a very stupid question as i have not yet read anything about securing pages) __________________ Bais Menachem

07-06-2004, 02:23 PM	THREAD STARTER #3 (permalink)
iDeviseFlash Senior Member Join Date: Jun 2004 Posts: 1,030	lol, question. how are they gonna find out that is the page i told you, i tried to hack this, lol. and just for you, ill add a boolean flag that says if its false, they cant get there __________________ ~~ SIG FOR SALE ~~ Click here...

07-06-2004, 03:54 PM	#4 (permalink)
dpk87 NamePros Regular Join Date: Jun 2003 Posts: 792	"what prevents somebody from just typing in the url "http://www.yoursite.com/secure.html" without going through the login page?" With something like that people could EASILY find there way in. __________________ Candy Bar Store

07-06-2004, 03:57 PM	THREAD STARTER #5 (permalink)
iDeviseFlash Senior Member Join Date: Jun 2004 Posts: 1,030	really? would you like to say how? and i said that you shouldnt use this for any extremely valuable stuff, so.. __________________ ~~ SIG FOR SALE ~~ Click here...

07-06-2004, 08:20 PM	#6 (permalink)
whyme953 NamePros Member Join Date: Jun 2004 Posts: 92	obviously i was using that particular url as an example, i just used the one that ideviseflash used. as i said i know absolutely nothing about how to secure pages at this point, but i assume there is a way to keep people from accessing pages without loging in. (maybe by only giving access if you are redirected from the login page? assuming you could determine that. maybe this is what he meant with the boolean flag?) __________________ Bais Menachem

07-06-2004, 08:58 PM	#7 (permalink)
cutterofcloth NamePros Member Join Date: Jul 2004 Location: Clackamas, OR Posts: 75	y no cookies? __________________ http://www.johnkerry.com/onlinehq/ Help anyway you can! http://therustybarrel.com/david/blog - My Blog http://therustybarrel.com/david/images/sig.jpg - My signature

07-07-2004, 07:34 AM	THREAD STARTER #8 (permalink)
iDeviseFlash Senior Member Join Date: Jun 2004 Posts: 1,030	dont need them, lol. I told you all it was simple, but due to popular demanm , im working on a secure script, with boolean flags and cookies. Check for it soon! __________________ ~~ SIG FOR SALE ~~ Click here...

07-07-2004, 08:52 AM	THREAD STARTER #10 (permalink)
iDeviseFlash Senior Member Join Date: Jun 2004 Posts: 1,030	??? what if i shadow the file, what now __________________ ~~ SIG FOR SALE ~~ Click here...

07-07-2004, 09:08 AM	#11 (permalink)
TWM Web Marketing Specialist Join Date: Oct 2003 Location: Texas, USA Posts: 1,335	hahaha... id keep ALL the comments coming at flash, because before you know it he has developted the most securem login there is.... then we can all try to break in ! __________________ TargetedWebMarketing.com : Web Marketing Plans - Search Engine Optimization - Online Promotion coraltanks.com l Corporate Quarters

07-07-2004, 09:11 AM	THREAD STARTER #12 (permalink)
iDeviseFlash Senior Member Join Date: Jun 2004 Posts: 1,030	lol, its not the MOST secure, but im making one that you all can try and hack, and im gonna give a generous NP to the person that can. look for it in the contest forums! __________________ ~~ SIG FOR SALE ~~ Click here...

07-07-2004, 01:33 PM	#13 (permalink)
flexiwebhost.com NamePros Regular Join Date: Jun 2004 Location: Ekenas Posts: 271	If you were going to use a script like this and have several users etc then a problem with this script is that they could easily pass the details around not realising they have full access to the area. This type of login should only be used for information you really dont mind people getting hold of and just wish to stop the casual surfer as to be honest thats all it will stop (and even some of them will come across it accidentally) __________________ Flexi Web Host buy Advertising On Forum Hosts Free phpBB forum hosting Free Image Host

07-07-2004, 03:42 PM	THREAD STARTER #14 (permalink)
iDeviseFlash Senior Member Join Date: Jun 2004 Posts: 1,030	umm, ok. I dont know people that give out there usrers and pass's, but you might. __________________ ~~ SIG FOR SALE ~~ Click here...

07-07-2004, 04:32 PM	#15 (permalink)
will7 Senior Member Join Date: Jun 2004 Location: United Kingdom Posts: 2,694	Yay! Let's all have a hacking contest. You should make it all secure, then have like 4 - 6 weeks to hack it. First person that does it wins a number of NPs based on how hard it was to hack (in the coder's opinion). That would be pretty cool. Ofcourse, I'd have no chance, I can't hack to save a blind man from walking of a cliff __________________ Will Narburgh \| Graphic design \| Twitter \| Email me

07-07-2004, 04:39 PM	THREAD STARTER #16 (permalink)
iDeviseFlash Senior Member Join Date: Jun 2004 Posts: 1,030	i am But dude, in 4-6 weeks, i could hack say, whitehouse.gov? lol, no, im talking you got hours. I could be running scans and see if anyone is doing anything they arent meant to Ok, the first annual WDT/NP Hacking contest starts now. Im gonna make the script then get back to yall! __________________ ~~ SIG FOR SALE ~~ Click here...

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

07-08-2004, 10:01 AM	THREAD STARTER #18 (permalink)
iDeviseFlash Senior Member Join Date: Jun 2004 Posts: 1,030	ya, but as i have said, what if i shadow the redirect page or put a boolean flag on it? __________________ ~~ SIG FOR SALE ~~ Click here...