PHP Login page and MySql

Sorry, this was intended to go under tutorials. Might have pushed the wrong button again.

Notify a moderator to make it a tutorial, you cannot do this yourself. You can use 'Flag bad post' to get attention from one.

This is not so much a tutorial as it is a snippet. So changed to snippet.

You can improve it adding a salt to your hashing password. Create salt.php:

<?php
define('SALT','secret string',true);
?>

Then create a directory where you save salt.php and where you also create an .htaccess file:

order allow,deny
deny from all

And then include it in your main script:

include($_SERVER['DOCUMENT_ROOT'].'/safe_path/salt.php');
$hpassword = sha1(SALT.$password);

This way the defined SALT is not clearly readable in the main script and it can't be accessed directly. Bye :)

Hi cereal

I am looking at sha1() function definition on http://php.net/manual/en/function.sha1.php which says:

string sha1(string $str [, bool $raw_output = false ])

Is it possible to use sha1() with salt?

You're begging for a SQL injection.

Hi cereal

I am looking at sha1() function definition on http://php.net/manual/en/function.sha1.php which says:

string sha1(string $str [, bool $raw_output = false ])

Is it possible to use sha1() with salt?

Yes is possibile, between SALT and $password there is a period, not a comma, if you write sha1(SALT,$password) then you will get an error, but with a period you extend the password: "secret_stringyour_password"

like MagicMedia says sqlinjection alive and well. Clean your input.

Also instead of mysqli_procedure you can use prepared statement.
preg_match is a life saver when it comes to validation!

Well, this PHP code from first post have too many bugs.. sorry. I apreciate the "free" work, but at least to be good ;)

$query .= "WHERE username='$username' AND hpassword='$hpassword'";

Bug: if the charset on mysql connection/table/row is set to _ci (case insensitive) this query is wrong!
Fix: extract the password value from database into php variable, and safe compare (binary, or byte-to-byte)

if ($_POST['password'] === $row['hpassword'])// true evaluation

Bug: session login must have identifier, 1 is provided

$_SESSION['valid_user'] = 1;

you must NOT register a session if the credentials is are NOT valid, because aditional php hosting resource is use to store values

$_SESSION['valid_user'] = 0;

Fix: in case when credentials are valid, extract from database and store the username value into session variable to make it unique:

$_SESSION['valid_user'] = $row['username'];

Bug: the input form HTML must provide additional secure options, to let the user choose storage client side data procedures (username and/or password). Do NOT use browser default values when security and privacy is involve.

Thanks to everyone for suggested improvements (and sorry for late reply since I was away). I must agree with all of them. The script was firstly prepared as to show concept of login to answer a thread and security part was neglected which I admit was wrong. It is too important a subject so it should be included. The following is a version with some improvements and notices.

Main changes:
1. username input cleaned and note added to use regular expression (which depends on username requirements); password not cleaned since it gets hashed
2. queries to create database, table and data removed since they depend on database used
3. table that holds user data renamed to tableofusers (just another little security good practice not to use comon names for tables and fields)
4. session variable not assigned until login is OK (to save hosting resources)
5. additional level of validation added by comparing password hashes in the script not just within the database query
6. username stored in session instead of login status (depends realy on what you need)
7. suggestions for further improvements added in comments
8. typos corrected and some other minor improvements made

There are also other ways of doing the login script of course. Please use this one as a concept and adapt it to your needs, requirements and environment. Also if you use some depreciated features (such as magic quotes) take them into account.

<?php
/*
Login script example version 2 (added improvements from other posters, thnx to all)
- displays a form for entering username and password
- cleans an input
- checks wheter username and password exist in database and match
- if no match is found, clears the form and displays an error message
- if exactly one match is found, redirects user to another page

For this login example you will need working database (mySql used here), and
some test data as shown below.

Test data for 2 users in database 'mydatabase', table 'tableofusers':

username 1: misterx
password 1: secretpassword1
hashed password1: d5f835dbe946b420e1dacde0558078b4eee36745

username 2: mistery
password 2: secretpassword2
hashed password2: fd021e83bf64b46a2a7b707441dd167bc43749d4
*/

// start session
session_start();

// unset any session data until user submits valid username and password
unset($_SESSION);

// a variable that will hold error message if needed
$msg = '';

// check wheter user has submitted a username and/or password
if(isset($_POST['username']) or isset($_POST['password'])) {

    // if both username and password are submitted and not empty
    if(isset($_POST['username']) and !empty($_POST['username']) and
       isset($_POST['password']) and !empty($_POST['password'])) {

        // prepare database connection
        $conn = mysqli_connect('localhost', 'testdbuser', 'verysecretdbpassword', 'mydatabase')
            or die ('ERROR: Can not connect to the database!');

        // asign posted values to variables but first trim possible spacess
        // (before and after the strings) and clean your input of unwanted chars
        // mysqli_real_escape_string() used here to escape unwanted input chars
        // but do use regular expressions here and remove characters that are
        // not allowed in your username - password gets hashed so it is OK)
        $username = mysqli_real_escape_string($conn, trim($_POST['username']));
        $password = trim($_POST['password']);

        // passwords stored in the users database are hashed with sha1 therefore
        // submited password has also be hashed so values can be compared
        // salt can also be used as sugested by cereal a few posts back
        $hpassword = sha1($password);

        // prepare query to select a user with submitted username and hashed
        // submitted password (to check for the match)
        // note: prepared statement can be used here for more security
        $query  = "SELECT username, hpassword FROM tableofusers ";
        $query .= "WHERE username='$username' AND hpassword='$hpassword'";

        // get the result of the query
        $res = mysqli_query($conn, $query);

        // get a row for comparison
        $row = mysqli_fetch_row($res);

        // if mysqli_query was successful and if one row was returned from query
        // and password hashes match exactly, the username and password are OK
        // (if no rows returned username and password did not match, if more than
        // 1 row returned we have entered one user more times which is incorrect
        if($res and mysqli_num_rows($res) == 1 and $row[1] === $hpassword) {

            // set session variable that identifies valid user to 1 or true
            // or like in this example store username (depends on what you need)
            $_SESSION['username'] = $username;

            // redirect user to login_success.php page
            header("location:login_success.php");

            //just in case anything goes wrong from here end the script
            die();
        }

        // if no rows are returned username and password did not match
        // (or if more than 1 row returned we have entered one user many times
        // which is incorrect)
        else {

            // unset any session data until user submits valid username and password
            // this is not quite necessary, just to be sure session is cleared
            unset($_SESSION);

            // prepare error message
            $msg = 'Please enter correct username and password!';
        }
    }

    // if only username or only password was submitted
    else {

        // unset any session data until user submits valid username and password
        // this is not quite necessary, just to be sure session is cleared
        unset($_SESSION);

        // prepare error message
        $msg = 'Please enter correct username and password!';
    }
}
?>
<!DOCTYPE html
 PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3c.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<title>Login</title>
</head>

<body>

<!-- Form will be submitted to itself -->
<form action="#" method="post">

<p>Please login</p>

<div class="login"><input name="username" type="text" id="username" /></div>

<div class="login"><input name="password" type="password" id="password" /></div>

<div class="login"><input type="submit" name="submit" value="Login"></div>

<!-- Possible error messages will be displayed here -->
<div class="error-message"><p><?php echo $msg ?></p></div>

</form>

</body>

</html>