I am a noob at web programming. I am currently writing a test forum. People will be able to create accounts and then login. But my problem is I don't know how a login script works. So I came up with this idea:

1): 
    Every time a user creates an account I will write the user's name, email and password to a database file.
    Then when he tries to log in, my PHP program will query the file line by line and see if there is a match.
    Once it has a match it will load the user's profile page; the name of his page will be [name]+[email]+[password].html
    So that each file will be unique.

So will it work, or is there another, possibly better, more secure way?

Also (I am not sure if this is against daniweb rules, I couldn't find anything that said it was) but if anyone would like to work with me on this project please contact me by sending me a message through daniweb.

That will work, but how will you create each unique file? By hand or? ;)

Here's a quick setup on a basic login script:

  1. Create a database table containing user login data (user_id, username, password (encrypted if you wish!)).
  2. Create a login script, that matches the submitted login data against the data stored in your database.
  3. If the login is successful, you can redirect the user to his personal page, which could be unique_page.php?user_id=1. Also you could "remember" that he is logged in by setting a session value, so that the user won't have to login every time he loads a new page.
  4. On unique_page.php, you can check if a user_id has been given in the URL, and if it has, you can retrieve the user's data.
  5. Write a login checker on each page, which checks if the login is still valid.

Something like that. I think doing a quick Google search might help you out a lot :). Are you new to PHP?
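As an added example (not code from the thread), here is what those five steps look like in PHP, using the built-in password_hash()/password_verify() functions and PDO prepared statements. The database name, credentials, table and column names and page paths are assumptions. It departs from step 3 in one deliberate way: the profile page reads the user id from the session rather than from the URL, because a user_id in the query string can simply be edited to open somebody else's profile.

```php
<?php
// Added example, not from the original post. Assumes a table
//   users(user_id INT PRIMARY KEY, username VARCHAR(64) UNIQUE, password_hash VARCHAR(255))
// whose password_hash column was filled with password_hash($plain, PASSWORD_DEFAULT)
// at registration. All names below are assumptions for illustration.
declare(strict_types=1);

function pdo_connect(): PDO
{
    // Assumed DSN and credentials; adjust for your own server.
    $pdo = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'forum', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepared statements
    return $pdo;
}

// Step 2: match the submitted username/password against the stored hash.
// Returns the user_id on success, null on failure.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // The placeholder keeps user input out of the SQL text, so a username such as
    // admin' OR '1'='1 is compared literally instead of rewriting the query.
    $stmt = $pdo->prepare('SELECT user_id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throw-away hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return null;
    }
    // Transparently upgrade hashes made with an older cost/algorithm.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE user_id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['user_id']]);
    }
    return (int) $row['user_id'];
}

// Step 3: remember the login in the session, not in the URL.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // fresh session id after authentication (defeats session fixation)
    $_SESSION['user_id'] = $userId;
}

// Step 5: the login checker included at the top of every protected page.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Step 4: one profile page serves every user, keyed by the session's user id.
function load_profile(PDO $pdo, int $userId): ?array
{
    $stmt = $pdo->prepare('SELECT user_id, username FROM users WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// login.php request handling: cookie flags first, then the session.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = pdo_connect();
    $userId = authenticate($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($userId === null) {
        http_response_code(401);
        echo 'Invalid username or password.';   // one message for both failure cases
        exit;
    }
    login_user($userId);
    header('Location: /profile.php');
    exit;
}
```

On profile.php the first two lines would be `session_start();` followed by `$me = load_profile($pdo, require_login());`, and the page renders `$me` with htmlspecialchars() around every value it echoes.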

Yes I am new to PHP. Got interested in web dev a few weeks ago, did some HTML stuff before that. Recently I started a project of creating my own forums. Thought I could do everything in JavaScript, then I found out JS is a client-side language and I need to create files on my server, so I moved to PHP.

Ah great! Writing your own forum can be a challenging task, I'm sure you will learn much from it :). There are thousands of PHP tutorials on the internet, even on writing a login script/module etc., so I would really recommend you use Google a lot and ask questions if you get stuck on something. The idea behind your login is good, although it is done differently in PHP. You don't have to generate unique pages for each user. You can just ask PHP, on one page that will then work for ALL your users: "Hey, what's the current user's ID?" and then ask your database "Give to me all the data you have on the user with this ID: x". And put that on the page. That's the beauty of it :).

adduser.php

First, generate a simple password like this

// simple six-character password generation. Security requirement low.
$len2 = 5;
$base2 = 'ABCDEFGHJKMNPQRSTWXZabcdefghjkmnpqrstwxyz2345689'; // alphabet without look-alikes (0/O, 1/l/I)
$max2 = strlen($base2) - 1;
$password = '';
// random_int() is a CSPRNG. The original mt_srand((double)microtime()*1000000) seed
// made mt_rand() output guessable, and the $str{...} string-offset syntax was removed in PHP 8.
while (strlen($password) < $len2 + 1) {
    $password .= $base2[random_int(0, $max2)];
}

You could use a simple form like this in the file

<!-- htmlspecialchars() stops a name containing quotes or < from breaking out of the value attribute (XSS) -->
<form name="member" action="adduser.php" method="post">
<input name="given" type="text" value="<?php echo htmlspecialchars($given, ENT_QUOTES, 'UTF-8'); ?>" />
<input name="userPwd" type="hidden" value="<?php echo htmlspecialchars($password, ENT_QUOTES, 'UTF-8'); ?>" />
<input name="family" type="text" value="<?php echo htmlspecialchars($family, ENT_QUOTES, 'UTF-8'); ?>" />
<input type="submit" name="Submit" value="Submit Form" />
</form>

to invite users to self register entering their given and family names in different text boxes. This will save you a great deal of entry work.

Next, you will have to filter the entry to prevent an injection attack and you will also probably need to process the input to standardise the entry of names to the database.
You could try something like this, which will modify the form entry data to produce a given name with the first letter in upper case and the remainder in lower case, and the family name all in upper case. The two modified entries are then joined to give a given and family name joined as a phrase.

// Filter the posted variables
$family = preg_replace("/[^A-Za-z0-9-]/", "", trim($_POST['family'] ?? '')); // keep only letters, digits and hyphens
$family = strtoupper($family); // convert family name to upper case
$given = preg_replace("/[^A-Za-z0-9-]/", "", trim($_POST['given'] ?? '')); // filter given name/s
$given = ucwords(strtolower($given)); // first letter upper case, remainder lower case
$givfam = $given . ' ' . $family; // join given and family names
$password = $_POST['userPwd'] ?? ''; // generated password posted back through the hidden field.
// It is NOT filtered (anyone can edit a hidden field), so it must only ever reach SQL through a bound parameter.

The next problem you may incur is that of duplicate user names, such as having several John SMITH entries. The usual method of dealing with this is to add a number to each family name, such as John SMITH, John SMITH2, John SMITH3, etc.
The following code will search for the existing name $givfam in the database and if found will add the appropriate number $num to it based on a record count of the variable $num.

// $pdo is an open PDO connection. mysql_* was removed in PHP 7; prepared statements replace string-built queries.
$stmt = $pdo->prepare("SELECT MAX(num) AS maxnum FROM users WHERE givfam LIKE ?");
$stmt->execute([$givfam . '%']);
$num = (int) $stmt->fetchColumn(); // 0 when there is no John SMITH yet
$num = $num + 1;                   // first John SMITH gets 1
if ($num > 1) {
    $givfam = $givfam . $num;      // John SMITH2, John SMITH3, ...
}
// Store a hash, never the clear-text password; check it at login with password_verify().
$stmt = $pdo->prepare("INSERT INTO users (givfam, num, family, given, userPwd) VALUES (?, ?, ?, ?, ?)");
$stmt->execute([$givfam, $num, $family, $given, password_hash($password, PASSWORD_DEFAULT)]) or die('insert failed');

So these snippets used together will do the following, in this order:
1. Generate a password.
2. Collect a given name and a family name in various case formats, as determined by the user entering their own names.
3. Sanitise the names to prevent an injection attack.
4. Force the format of the given name.
5. Force the format of the family name.
6. Create a phrase describing the names combined.
7. Search for duplicate names and create a variable that describes the count of duplicates.
8. Insert all of the data into the database.

Hope this helps.

Sorry facaroll, even though you are saying some good stuff there, I think this is way too complicated for someone who is just starting with PHP. Nothing personal! I just think it takes some more time and explanation for a starting PHPer to even understand what you just said, let alone be able to use it.

Masterhacker, in case you need some more explanation: data escaping is done to prevent attacks on your website. For example if you do not check the value of a user-inputted variable, like a username, you might end up crying, for someone could then write 'username"'; // Wow I now have access to your PHP! Let's insert a virus. (Ok that's really simplified, but with the right characters, he would be able to gain access to your script and do harmful stuff. If you want to learn more about this, search Google for: escaping user input, SQL injections, PHP security, that kind of stuff :).)

Finally, you could consider not allowing duplicate usernames, so that you won't have to go over the trouble of appending numbers to family names, as facaroll proposed.
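To make the injection concrete, here is an added example (not code from the thread) that starts from facaroll's adduser.php above: the hidden userPwd field is ordinary POST data, so a visitor can rewrite it in the browser before submitting, and in the original it lands unfiltered inside the INSERT string. The second half is a registration routine that closes that hole with prepared statements, generates the password with random_int(), stores only a hash, and follows minitauros' suggestion of refusing duplicate usernames with a UNIQUE column instead of appending numbers. The PDO connection, table and column names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes an open PDO connection $pdo
// (ERRMODE_EXCEPTION) and a table
//   users(user_id INT AUTO_INCREMENT PRIMARY KEY,
//         username VARCHAR(64) NOT NULL UNIQUE,
//         password_hash VARCHAR(255) NOT NULL)
// Names are assumptions for illustration.
declare(strict_types=1);

// (a) The unsafe pattern from adduser.php, reduced to the two interpolated values.
function unsafe_insert_sql(string $givfam, string $password): string
{
    return "INSERT INTO users (givfam, userPwd) VALUES ('$givfam', '$password')";
}

// Constructed payload: what an attacker puts in the hidden userPwd field.
// $givfam is filtered to [A-Za-z0-9-], but the password is not, so one quote is enough
// to close the first row and add a second one with any username they like.
$payload = "'), ('attacker', 'x";
$sql = unsafe_insert_sql('John SMITH', $payload);
// $sql is now:
//   INSERT INTO users (givfam, userPwd) VALUES ('John SMITH', ''), ('attacker', 'x')
// i.e. a valid multi-row INSERT that bypasses the name filter and the duplicate check.

// (b) Hardened registration.
function generate_password(int $length = 12): string
{
    // random_int() is a CSPRNG; mt_rand() seeded from microtime() is guessable.
    $alphabet = 'ABCDEFGHJKMNPQRSTWXZabcdefghjkmnpqrstwxyz2345689';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Same normalisation facaroll describes: given name capitalised, family name upper case.
function normalize_name(string $given, string $family): string
{
    $given  = ucwords(strtolower(preg_replace('/[^A-Za-z0-9-]/', '', trim($given))));
    $family = strtoupper(preg_replace('/[^A-Za-z0-9-]/', '', trim($family)));
    return $given . ' ' . $family;
}

// Returns the generated password to hand to the new user, or null if the username exists.
function register(PDO $pdo, string $given, string $family): ?string
{
    $username = normalize_name($given, $family);
    if ($username === ' ') {
        throw new InvalidArgumentException('empty name');
    }
    $password = generate_password();

    // Bound parameters: the database receives the values separately from the SQL text,
    // so the payload above would simply become a (strange) stored password hash.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    try {
        $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {   // SQLSTATE 23000: UNIQUE constraint violated
            return null;                   // duplicate username; let the form ask for another
        }
        throw $e;
    }
    return $password;
}

// Request handling for the registration form (field names from facaroll's form).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pw = register($pdo, (string) ($_POST['given'] ?? ''), (string) ($_POST['family'] ?? ''));
    echo $pw === null
        ? 'That name is already taken.'
        : 'Your password is ' . htmlspecialchars($pw, ENT_QUOTES, 'UTF-8');
}
```

Note that the hidden field disappears entirely: the server generates the password after the form is submitted, so there is nothing for the client to tamper with, and the UNIQUE constraint makes the database, not a racy SELECT-then-INSERT, the authority on duplicate names.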

Thanks minitauros. That helped a lot.
