Should I create the login database for this kind of website?

Question

samsons17 -4 Posting Whiz in Training

14 Years Ago

Hi..
I've just finished built my website,and now what left is to create the login page so that i could do the admin things..
For this website i just have one user only that is me..

So ,should i create the database for the login page or not?
is that i could just simply do like :

if ($password=="password"){
......
}

because i scared if i create the database, my codes for handling that database will not be secure enough..

so in my case,which one is better?
create the database or not create the database?

Thank You :)

php

5 Contributors
20 Replies
245 Views
6 Days Discussion Span
Latest Post 14 Years Ago Latest Post by swilliamrobert

FredrikDuwell 0 Newbie Poster

14 Years Ago

By creating a database you could store alot more users, but if your idea was just that you personally could log in, then the first option is probably the safest.
Edit: By using the first option you'll minimize the risk to get hacked by so called SQL-injections, and a security-tip is to set a good strong password.

Regards

Edited 14 Years Ago by FredrikDuwell because: n/a

FredrikDuwell 0 Newbie Poster

14 Years Ago

They can't hijack strings.
You could use something like:

$password = md5("your password");

if(md5($_POST['password']) == $password) {
    /* Your Login Content */
}

Have you got a login-form?

When I look at your code I see that the two strings are the same..

$password == $password

That will make everyone get access to your admin-panel with a single click.
Use the code I made above.

Regards

Edited 14 Years Ago by FredrikDuwell because: n/a

vaibhav1983 1 Junior Poster

14 Years Ago

but let say that i use the first option,and i coded it in the file named login.php..
and in that file of login.php i wrote this:
$password="password";
if (password==$password){
.........
}
is it possible that someone could hijack my website and found that login.php file and thus getting my password straight from there?
is that easy for someone to found that file?

No wonder someone could get hold of your file list and download the php file...

Keep the directories of your webserver password protected so that nobody could download the file. Rest what you are doing is ok. Its not easy to hijack a string variable in PHP.

swilliamrobert 0 Light Poster

14 Years Ago

Hi,

If you want create login page for one user only, I think no need to create database for that. You just creat one text file and create name and password like(admin#adminpass).So you need to write cod, get values and explode this values from text file using php. Then u can assign session for username, then redirect to your page as u want.

Thanks
William

vaibhav1983 1 Junior Poster

14 Years Ago

Oh ya,after corrected it,this is my login.php for now :

<?php
ob_start();

require_once("../../includes/connection.php");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$encrypted=sha1($mypassword);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$password = sha1("thisismypassword");

if($encrypted == $password) 
{
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php");
}
else {
   header("location:main_login.php");
}

ob_end_flush();
?>

Why are you using $_POST if you have only one user i.e admin to edit the website.

Also to password protect your directories on a webserver your control panel will have an option to do that, if not I recommend you change your web hosting provider.

Also what William has sugggested is good.

FredrikDuwell commented: Good information, very well written. +1

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

samsons17 -4 Posting Whiz in Training · Answer 1 · 2010-09-22T14:28:32+00:00

but let say that i use the first option,and i coded it in the file named login.php..

and in that file of login.php i wrote this:

$password="password";
if (password==$password){
.........
}

is it possible that someone could hijack my website and found that login.php file and thus getting my password straight from there?
is that easy for someone to found that file?

samsons17 -4 Posting Whiz in Training · Answer 2 · 2010-09-22T14:28:49+00:00

but let say that i use the first option,and i coded it in the file named login.php..

and in that file of login.php i wrote this:

$password="password";
if (password==$password){
.........
}

is it possible that someone could hijack my website and found that login.php file and thus getting my password straight from there?
is that easy for someone to found that file?

samsons17 -4 Posting Whiz in Training · Answer 3 · 2010-09-22T14:37:04+00:00

but let say that i use the first option,and i coded it in the file named login.php..

and in that file of login.php i wrote this:

$password="password";
if (password==$password){
.........
}

is it possible that someone could hijack my website and found that login.php file and thus getting my password straight from there?
is that easy for someone to found that file?

samsons17 -4 Posting Whiz in Training · Answer 4 · 2010-09-22T16:23:55+00:00

No wonder someone could get hold of your file list and download the php file...
Keep the directories of your webserver password protected so that nobody could download the file. Rest what you are doing is ok. Its not easy to hijack a string variable in PHP.

Sorry..but how should i keep the directories of my webserver password protected?
dont really understand what you mean..

samsons17 -4 Posting Whiz in Training · Answer 5 · 2010-09-22T16:35:22+00:00

They can't hijack strings.
You could use something like:
$password = md5("your password");

if(md5($_POST['password']) == $password) {
    /* Your Login Content */
}
Have you got a login-form?
When I look at your code I see that the two strings are the same..
$password == $password
That will make everyone get access to your admin-panel with a single click.
Use the code I made above.
Regards

Oh ya,after corrected it,this is my login.php for now :

<?php
ob_start();

require_once("../../includes/connection.php");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$encrypted=sha1($mypassword);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$password = sha1("thisismypassword");

if($encrypted == $password) 
{
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php");
}
else {
   header("location:main_login.php");
}

ob_end_flush();
?>

FredrikDuwell 0 Newbie Poster · Answer 6 · 2010-09-22T23:25:58+00:00

There's no need to use database for a single login, better to use an MD5 or SHA1-protected string as password.
To protect your directories, just add index.html in every folder or try using .htaccess.

Regards,
F. Duwell

samsons17 -4 Posting Whiz in Training · Answer 7 · 2010-09-23T06:37:37+00:00

Oh ya,after corrected it,this is my login.php for now :

<?php
ob_start();

require_once("../../includes/connection.php");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$encrypted=sha1($mypassword);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$password = sha1("thisismypassword");

if($encrypted == $password) 
{
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php");
}
else {
   header("location:main_login.php");
}

ob_end_flush();
?>

the reason why i use $POST is because i actually got to page which is the main_login.php(where user need to enter username and password) and the other one is check_login.php(where it checks wheather or not the correct informations have been entered)..

So,is it okay i am using two page for this?
or i using one page is better?
but wait..how i am gonna to use only one page for retrieving the inputs and also validates them?is it possible?

samsons17 -4 Posting Whiz in Training · Answer 8 · 2010-09-23T06:43:04+00:00

Hi,
If you want create login page for one user only, I think no need to create database for that. You just creat one text file and create name and password like(admin#adminpass).So you need to write cod, get values and explode this values from text file using php. Then u can assign session for username, then redirect to your page as u want.
Thanks
William

Oh, only one text file??
cod?how do i do this?
could you show some examples for me please?

Thank You...

swilliamrobert 0 Light Poster · Answer 9 · 2010-09-23T07:46:20+00:00

Hi,

Ok... Below code here

create Login.php
----------------
<?php
session_start();
if(isset($_REQUEST['submit'])){

$username_txt = $_REQUEST['username'];
$password_txt = $_REQUEST['password'];

$userinfo = file("login.txt");
foreach($userinfo as $key => $val) 
{
   //explode that data into a new array:  
   $data[$key] = explode(" ", $val);
}

for($k = 0; $k < sizeof($userinfo); $k++) 
{ 
    if($data[$k][0]=="$username_txt"){
        $username =  $data[$k][0];
        $password =  $data[$k][1];
    }
}

// Login Check From Login File and Textfield Values
if($username_txt == trim($username) && $password_txt == trim($password)){
    session_regenerate_id();
    $_SESSION['SESS_MEMBER_ID']=$username;
    session_write_close();
    header("location:users.php");
}else
    {
    header("location:index.php?msg=1");
    }
  fclose($fp); 
}

if($_REQUEST['msg']=='1'){

$msg = 'Username/Password Invalid';
}
    ?>
---------------------
creat username and password text field and login button in same file

header("location:users.php"); ---> change ur redirect page
----------------------

create login.txt
--------
vaibhav1983 vaibhavpass
----------


above name like username then SPACE and password
username : vaibhav1983
password : vaibhavpass
------------

thats all....

samsons17 -4 Posting Whiz in Training · Answer 10 · 2010-09-23T21:00:55+00:00

Hi,

Ok... Below code here

create Login.php

<?php
session_start();
if(isset($_REQUEST['submit'])){

$username_txt = $_REQUEST['username'];
$password_txt = $_REQUEST['password'];

$userinfo = file("login.txt");
foreach($userinfo as $key => $val) 
{
   //explode that data into a new array:  
   $data[$key] = explode(" ", $val);
}

for($k = 0; $k < sizeof($userinfo); $k++) 
{ 
    if($data[$k][0]=="$username_txt"){
        $username =  $data[$k][0];
        $password =  $data[$k][1];
    }
}

// Login Check From Login File and Textfield Values
if($username_txt == trim($username) && $password_txt == trim($password)){
    session_regenerate_id();
    $_SESSION['SESS_MEMBER_ID']=$username;
    session_write_close();
    header("location:users.php");
}else
    {
    header("location:index.php?msg=1");
    }
  fclose($fp); 
}

if($_REQUEST['msg']=='1'){

$msg = 'Username/Password Invalid';
}
?>

creat username and password text field and login button in same file

header("location:users.php"); ---> change ur redirect page

create login.txt

vaibhav1983 vaibhavpass

above name like username then SPACE and password

username : vaibhav1983
password : vaibhavpass

thats all....

Oh i see...
meaning,storing our username and password int the .txt file is the best way right?

SO,thank you so much for helping :)

vaibhav1983 1 Junior Poster · Answer 11 · 2010-09-23T22:30:18+00:00

Hi,

Ok... Below code here

create Login.php

<?php
session_start();
if(isset($_REQUEST['submit'])){

$username_txt = $_REQUEST['username'];
$password_txt = $_REQUEST['password'];

$userinfo = file("login.txt");
foreach($userinfo as $key => $val) 
{
   //explode that data into a new array:  
   $data[$key] = explode(" ", $val);
}

for($k = 0; $k < sizeof($userinfo); $k++) 
{ 
    if($data[$k][0]=="$username_txt"){
        $username =  $data[$k][0];
        $password =  $data[$k][1];
    }
}

// Login Check From Login File and Textfield Values
if($username_txt == trim($username) && $password_txt == trim($password)){
    session_regenerate_id();
    $_SESSION['SESS_MEMBER_ID']=$username;
    session_write_close();
    header("location:users.php");
}else
    {
    header("location:index.php?msg=1");
    }
  fclose($fp); 
}

if($_REQUEST['msg']=='1'){

$msg = 'Username/Password Invalid';
}
?>

creat username and password text field and login button in same file

header("location:users.php"); ---> change ur redirect page

create login.txt

vaibhav1983 vaibhavpass

above name like username then SPACE and password

username : vaibhav1983
password : vaibhavpass

thats all....

As I said earlier in this thread, Why do u need to store anything in a file. If somebody gets into your webserver and gets that text files, he gets your admin username and password. Also why do you need to decrease the performance of your application by reading a file, when you have the option of hard-coding it.

samsons17 -4 Posting Whiz in Training · Answer 12 · 2010-09-24T00:27:11+00:00

As I said earlier in this thread, Why do u need to store anything in a file. If somebody gets into your webserver and gets that text files, he gets your admin username and password. Also why do you need to decrease the performance of your application by reading a file, when you have the option of hard-coding it.

wait2...
williamrobert said that i need to store the username and password in a file,and you said dont..and as you said that what williamrobert shown me will decreasing the performance right?
So,this means i just need to continue what i've done before right and not as what williamrobert told me?
i dont know,but you two made me confusing..anyway thank you for you all :)

p/s : i just need to be very sure about this..

dipanjan dutta 0 Newbie Poster · Answer 13 · 2010-09-27T17:42:50+00:00

yes definately you should create database becoz whenever you want to change anything the data content about your page then you can log in as a administrator & change it as you can wish.just you need to create session & if you close the page then immediately the session will exit such type of logic...further more information on coding you can mail me to this mail id.....Have a good day

vaibhav1983 1 Junior Poster · Answer 14 · 2010-09-28T11:21:34+00:00

yes definately you should create database becoz whenever you want to change anything the data content about your page then you can log in as a administrator & change it as you can wish.just you need to create session & if you close the page then immediately the session will exit such type of logic...further more information on coding you can mail me to this mail id.....Have a good day

I guess you haven't read the full thread. Creating a DB for just one user won't be advisable.

Reading a file would definitely decrease the performance...

@dipanjan
Please read the complete thread and respond.

swilliamrobert 0 Light Poster · Answer 15 · 2010-09-28T11:50:23+00:00

Hi,

What kind of website you are doing now. You can do whatever you want whether text file or DB. If you have phpmyadmin panel, just create table for login. Otherwise How you going to use login page man, even for one user. If you think performance level, just leave it text file cocept. thats all....

thanks
william