PHP MYSQL login system - From the ground up

Here is my inc.db.php which contains all database related classes/methods
Should I keep all functions in the same file or separate?

Allright,
I have made only a constructor before I go to login issues please tell me if this is best way to do it if not what do you suggest?

<?php
        //class for db connections and manipulations
	class Connectdb{
		//private values
		private $dbuser="testuser";
		private $dbpass="testpass";
		private $dbhost="localhost";
		private $dbname="testdb";
		
		private function __construct(){
			$conn = mysql_connect($this->dbuser, $this->dbpass , $this->dbhost) or die("Cannot connect to database: Error - ".mysql_error());
			mysql_select_db($this->dbname);
			return $conn;
		}
	
	}
?>

Ok, you've made a db connection.
Why not write the rest of it?
The only thing I can add is to use POST instead of GET which , surprisingly, I see many people doing here.
Encrypt the passwords.
Now the ball is in your court!

Ev - you haven't actually done anything w.r.t. login - just produced a connection script. Are you going to follow up or are you waiting for input.

Yes, Please go ahead all while contributing to the script.
Even I am eager to see the login script evolving as OOP pattern.
I recommend generalizing the DB class first and inheritation of it later to have the construct passed with some random flag too, which will avoid the mysql injection.
Also the query filtering and the comparision of every table in the query from the existing list declared in the DB class.

It seems this one function is ok. The reason I wanted your input on this is because I wanted it to go right. I know it is almost 0.5 of big number but I see it is ok and I will now proceed. No sooner I will start my coding

Thanks

Add a member for the port too, not all installs are on 3306.

Yep if you want to follow the code, simpla database will be used throughout is done via this

CREATE TABLE `loginsys`.`login` (
`id` INT( 25 ) NOT NULL AUTO_INCREMENT ,
`username` VARCHAR( 25 ) NOT NULL ,
`password` VARCHAR( 100 ) NOT NULL ,
PRIMARY KEY ( `id` )
) ENGINE = MYISAM ;

Yep if you want to follow the code, simpla database will be used throughout is done via this

CREATE TABLE `loginsys`.`login` (
`id` INT( 25 ) NOT NULL AUTO_INCREMENT ,
`username` VARCHAR( 25 ) NOT NULL ,
`password` VARCHAR( 100 ) NOT NULL ,
PRIMARY KEY ( `id` )
) ENGINE = MYISAM ;

Wow 25 digit id ! We only have 4 billion people on the planet! LOL
Also, I like to declare it as unsigned so that the entire size is available.
I believe that INT reserves half for negative numbers which is not necessary for an id.
The password field seems a bit large too.

Wow 25 digit id ! We only have 4 billion people on the planet! LOL

Mh! what do you suggest?

Also, I like to declare it as unsigned so that the entire size is available I believe that INT reserves half for negative numbers which is not necessary for an id.

Thanks, noted. I was ignorant of that.

The password field seems a bit large too.

I reserved it for encrypted values. I dont know what technique I will use and what it will take that's why. what do you also suggest?

Thanks

As far as your 'id' type goes, int(11) unsigned should be good. It's a pretty popular size as far as I've noticed. As far as your password type goes, 100 is very large. I would imagine 32-40 would be plenty depending on your encryption method. I've been toying with some sha1 encryption methods lately while I've been learning.

I'm just learning all this at the moment, so correct me if I'm wrong. Anything I've said comes from all the reading I've been doing on this over the past couple weeks. I'm very interested in this topic so I'll continue to follow and offer any help I can, and learn along the way. OO PHP has confused me quite a bit so far, so I don't know how much help I could be.

An id of 11 is more than adequate.

The longest encryption strings I've sees in use is 48 chars.
I don't think you need even that much!
It depends on how paranoid you are about hackers.
Unless you are doing this for the DOD m, bank or NSA, where they are willing to put a lot of effort into the task, any reasonable MD5 encryption should be fine.

I second MD5 for normal use.

Just a note: I've come across lesser used encryptions that need a binary field, instead of varchar, to work correctly.

An id of 11 is more than adequate.

The longest encryption strings I've sees in use is 48 chars.
I don't think you need even that much!
It depends on how paranoid you are about hackers.
Unless you are doing this for the DOD m, bank or NSA, where they are willing to put a lot of effort into the task, any reasonable MD5 encryption should be fine.

I wouldn't use MD5 any longer, there are a multitude of sites online where you can enter an MD5 hash and it will return a valid string within seconds.
Easiest solution would be to salt the string first:

<?php
$string = 'something';
$salt = '*~s#(';
$hash = md5($string.$salt);
?>

It will still generate the nice 32 char hash, but will be harder to reverse :)

OFC, MD5 on its own is good enough for a personal site, but not much else. If you are allowing other people to sign up i.e a community site, you want something a bit more, well more.

Salted hash should be fine for md5 - as long as salt isn't a common word. The sites offering reversal of md5's are often 'dictionaries' or rainbow sites that have a huge db of words - they don't tend to work very well with gibberish passwords. They also tend to focus on English words.

I've heard that double hashing can be useful:

$salt = '5\/p3r<@(1fr@81(15t1<3+p1@(1d0c0\/5'; //supercalifragilisticexpialidocious
$hash = md5(md5($salt . $pass));

Salted hash should be fine for md5 - as long as salt isn't a common word. The sites offering reversal of md5's are often 'dictionaries' or rainbow sites that have a huge db of words - they don't tend to work very well with gibberish passwords. They also tend to focus on English words.

I've heard that double hashing can be useful:

$salt = '5\/p3r<@(1fr@81(15t1<3+p1@(1d0c0\/5'; //supercalifragilisticexpialidocious
$hash = md5(md5($salt . $pass));

Yes, my main point was MD5 is not very good on its own :D

Alot of people probably use dictionary words/names/dates for passwords.

There is no way to actually reverse an MD5, so these sites just have a huge number of hashes and a string that will generate the hash, not necessarily the actual password though.

Thanks guys I will do that. But before I jump to encryption (I know what sparked that but let's reserve a little bit). I want to have a single function to sanitize the POST array. Below is the list of google return. I don't want overkill in doing this but I want to deal with something clean in next stage. So, what are other functions to sanitize/clean my variable I need. I see addslashes and magic quotes but I'm not expert.
Thanks

////////////////////////////// LINKS//////////////////////////
http://fudforum.org/forum/index.php?t=msg&goto=39457&
http://snipplr.com/view/20310/function-to-clean-post-variables/
http://stackoverflow.com/questions/1610582/cleaning-post-variables

And here is the Method of the login class (the Function)

public cleanValue($arrayValue){
    			$value = array_map('mysql_real_escape_string' , $arrayValue);
    			return $value; 
    		}

filter_var is something that was introduced in PHP 5.2 that may be worth looking at. They are PHP filters that are pretty easy to use and are able to sanitize and validate data.

Here's a short easy to follow tutorial on them.
http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/

And of course the PHP Manual.
http://php.net/manual/en/function.filter-var.php

Sorry guys. I recently get in and out the internet so bear with me when I get lost for sometime. So you say that PHP filters will be enough?

Ok, based on suggestion and tutorial I am glad to post my login form and some login function foundation functions to clean data. Since I will register users' First and Last names, email address and username/password I have function to sanitize names and email. See it and scrutinize before I move to another thing. As I said, I will be out the net until tomorrow so I will respond there!
Cheers :)

login form

<html>
	<head>
		<title>Login in Site</title> 
		<link rel="stylesheet" type="text/css" href="/loginsys/site.css" />
		<script type="text/javascript" src="/loginsys/lib/jquery.js">	</script>
		<script type="text/javascript" src="/loginsys/lib/form.js">	</script>
		
	</head> 

	<body>
		<form action="/loginsys/login.php" method="POST">
			<p></p>
			<table cellpadding="5px" id="form">
				<tr>
					<td>First Name:</td>
					<td><input type="text" name="fname" /></td>
				</tr>
				<tr>
					<td>Last Name:</td>
					<td><input type="text" name="lname" /></td>
				</tr>
				<tr>
					<td>Email:</td>
					<td><input type="text" name="email" /></td>
				</tr>
				<tr>
					<td>Username:</td>
					<td><input type="text" name="usrname" /></td>
				</tr>
				<tr>
					<td>Password:</td>
					<td><input type="password" name="passwd" /></td>
				</tr><tr>
					<td></td>
					<td><center><input type="submit" value="Login" /></center></td>
				</tr>
			</table>
		</form>
	</body>

</html>

database/login class so far

<?php
        //class for db connections and manipulations
    class Connectdb{
        //private values
        private $dbuser="someusername";
        private $dbpass="somepassword";
        private $dbhost="yourserver";
        private $dbname="somedb";
        
        public function __construct(){
            $conn = mysql_connect($this->dbuser, $this->dbpass , $this->dbhost) or die("Cannot connect to database: Error - ".mysql_error());
            mysql_select_db($this->dbname);
            return $conn;
        }
    
    }//end connectdb
    
    class Login extends Connectdb{
    		public function __construct(){
    			parent::__construct();

    		}
    		
    		public cleanValue($arrayValue){
    			$value = array_map('mysql_real_escape_string' , $arrayValue);
    			return $value; 
    		}
    		
    		//to sanitize Names/string like username
    		public function cleanNames($badVariable) {
				$cleaned =  filter_var($badVariable, FILTER_SANITIZE_STRING);
				if(!$cleaned) {
					return false;	
					}
				else {
					$cleaned = $this->cleanValue($cleaned);	
					if(!$cleaned) {
						return false;
						}
					else {
						return $cleaned; 
						}//inner else 
					}//end else
			    			 
    		}
    		
    		//sanitize and validate email
    		public function cleanEmail($badVariable) { 
				$cleaned =  filter_var($badVariable, FILTER_SANITIZE_EMAIL);
				if (!$cleaned){
					return false; 
					}
				else {
					$cleaned =  filter_var($badVariable, FILTER_VALIDATE_EMAIL);
					if (!$cleaned){	
					return false;
					}
					else {
						$cleaned = $this->cleanValue($cleaned);	
						return $cleaned;
						}//inner else 
					}//END ELSE 
			    			 
    			}
    		
    			
    		
    
    }//end login
?>

Ok I something is wrong on above code. Line 24 I forgot to write keyword

function

Anyway, I want to write a empty validation function in PHP but I'm tempted to do it in Javascript. What do you suggest? I do it with in JS so that no empty form is submitted or allow submission but validate on server with PHP?
Thanks

while thinking, I wrote this function to check for empty strings

public  function checkEmpty($variable){
        if(($variable==NULL ||(empty ($variable)))){
            return false;
        }//end if
        else return true;
    }

I would use JavaScript to check the form has been filled correctly before being submitted, but you should also validate with PHP as some people may have JS turned off.

The advantage of using JS, means that the user doesn't have to reload the page to be told that the form is incorrect. You can tell the user it is missing something before they click the submit button.

Yep!
I do both JS and PHP
and now what about the function above? Is it satisfactory to the need?

No need for both checks in that function.
empty() will return true if the value is null so change:

if(($variable==NULL ||(empty ($variable))))

to

if(empty ($variable))

That is done!
Is there anything I must do to variables before I go to the heart of the issue?
I will leave for any comment before I go to Login/register issue

Other than checking that the variables are what you expect (for example, a email address is an email address) there is not much else.

Also, remember to mysql_real_escape_string() all vars before the query.

Other than checking that the variables are what you expect (for example, a email address is an email address) there is not much else.

That is what I see. I have implemented JS for only checking Empty fields and the rest will be done in PHP

Also, remember to mysql_real_escape_string() all vars before the query.

I have that in one of my clean up functions

June 0f 2007......that ended your write from the ground up? Or did you add more and show a finished product somewhere else?

June of 2007? His last comment was 2 days ago. I think you're looking at his "Join Date".