would using a password protection thing such as this work?
<?
if ($pass != "mypassword") {
print('Invalid Password');
die;
}
?>
Printable View
would using a password protection thing such as this work?
<?
if ($pass != "mypassword") {
print('Invalid Password');
die;
}
?>
It will work but if your asking weather it is secure is a difernt story.
This realy depends where $pass is getting its value from and weather global variables are turned on or off. In a typical login system sessions are used to keep track of logged in users. This enables transparent transportation of user name and password from one page to another.
The problem mainly is with global variables.
http://www.domain.com/members/index.php?pass=blah
Globals being on or not doesn't really matter in this situation, unless the password matches the script dies, the source of the password doesn't change this fact, actually it is likely that Bob wishes $pass to be directly received from the user input anyhow.
This system is likely sufficiently secure for basic uses Bob, the things that don't make it secure are the following:
Password is included in the source (if the source is compromised so is everything it protects)
Lack of granularity over access controls (I deally you want to limit down to single subjects to single objects, in this case we have many subjects to most likely mny objects)
Lack of authentication propigation (users can share passwords)
These are all more advanced issues, which I am guessing are beyond the scope of your needs, I have only presented them in case you had a desire to learn beyond your current needs. :)
catch
mergh..
Programming PHP by Rasmus Waldorf and Kevin Tatroe, chapter 12.
I am trying to make it pretty secure, i know the way i just did is pretty simple, but i would like a pretty decent system that would keep out
unwanted users of my script. I have been looking into PHP Sessions so i got the following script so far...
index.php
then, main.php...PHP Code:<?php
session_start();
session_register('pass');
session_register('user');
?>
<html>
<body>
<form method="POST" action="main.php"><font size="2" face="arial">
Username: <input type="text" name="user" size="20">
Password: <input type="password" name="pass" size="20">
<input type="submit" name="submit" value=" Log In ">
</form>
</body>
</html>
and so each each page will have that coding above "whatever" witout registering the pass and username.PHP Code:<?php
session_start();
//header("Cache-control: private");
$_SESSION['pass']=$_POST['pass'];
$_SESSION['user']=$_POST['user'];
$_SESSION['password']='admin';
$_SESSION['username']='admin';
if ($_SESSION['user'] != $_SESSION['username'] || $_SESSION['pass'] != $_SESSION['password']) {
?>
<html>
<body>
<form method="POST" action="main.php"><font size="2" face="arial">
<font color=red>Login Invalid: Please Re-enter</font>
Username: <input type="text" name="user" size="20">
Password: <input type="password" name="pass" size="20">
<input type="submit" name="submit" value=" Log In ">
</form>
</body>
</html>
<?php
die;
}
?>
Whatever
Now, catch, i am fairly new to php, so what do u mean by limiting down to single subjects to single objects. Also, how would i fix it so the password isn't in the coding? Thanks for the help
another good idea might be to use a HASH for the password...
I like MD5 but SHA1 is very popular as well, although I really don't know the difference in strength...
anyway
PHP Code:<?php
$input = $whatever_input_you_want;
if (md5($input) === '1f3870be274f6c49b3e31a0c6728957f') {
echo "w00t, Access Granted!";
#Do Stuff...
}
?>
ok, a little clarification...is $input the password? and what does 1f3870be274f6c49b3e31a0c6728957f do? thanks
One thing you should add is
$pass = htmlspecialchars($pass);
$user = htmlspecialchars($user);
This will take the form input and strip any html code from it. You wouldn't want anyone entering
'?> echo '$_session['username']' <php
into the password or username field. For better protection you should also create a SQL database and store all the user and pass information in there and use the password('password') function to encrypt the password at the database level. This will keep your passwords and usernames from being in the script itself. If you have any questions about the php feel free to email me at [email protected]
xmad
Would that only be bad if you use the variable $_session ? I'm assuming, if you don't use it, then you don't have anything to worry about, am I right?Quote:
Originally posted here by xmaddness You wouldn't want anyone entering
'?> echo '$_session['username']' <php
xmad [/B]
--PuRe
a hash is a one way encryption method that allows for safe/secure verification of passwords/data...
that strange string you saw earlier was the hash of the password. MD5 is pretty strong (as far as i know) and the only attack method that i know is brute force (that's if they even have the hash).
well i was planning on using sessions also, this is kinda the code i have in mind now...
index.php...
then in main.php...PHP Code:<?php
session_start();
?>
<form method="POST" action="main.php"><font size="2" face="arial">
Username: <input type="text" name="user" size="20">
Password: <input type="password" name="pass" size="20">
<input type="submit" name="submit" value=" Log In ">
</form>
and the password and username is in pwlist.php...PHP Code:
<?php
session_start();
include('pwlist.php');
$pass = htmlspecialchars($_POST['pass']);
$user = htmlspecialchars($_POST['user']);
$_SESSION['pass']=$pass;
$_SESSION['user']=$user;
$_SESSION['username'] = 'admin';
$_SESSION['password'] = 'admin';
if (md5($username) === $_SESSION['user'] && md5($password) === $_SESSION['pass']) {
print "Access Granted";
}
else {
print "Access Denied";
}
If using sessions isn't smart, what other ways can I do this? (i'm trying to have a login page and when you login, there'll be links that can only be accessed if you're logged in) Is the way i suggested safe? I don't want any people to exploit stuff in the coding. Now also, someone said if anyone gets the source code, then the script's password can be got at, but how can the password stuff be discovered without actually having the script, and not just viewing it through the browser. ThanksPHP Code:
$username='admin';
$password='admin';
This is what I use for a login script for all my authentication systems. Its pretty simple and uses a database to authenticate.
PHP Code:<?php
session_start();
include('compconfig.php'); //database user info
if (isset($HTTP_POST_VARS['userid']) && isset($HTTP_POST_VARS['password']))
{
// if the user has just tried to log in
$userid = $HTTP_POST_VARS['userid'];
$password = $HTTP_POST_VARS['password'];
addslashes($userid);
addslashes($password);
htmlspecialchars($userid);
htmlspecialchars($password);
$sql = mysql_connect($dbhost, $dbuser, $dbpasswd);
mysql_select_db($dbname, $sql);
$query = 'select * from auth '
."where username='$userid' "
." and password=password('$password')";
$result = mysql_query($query, $sql);
$num_rows = mysql_num_rows($result);
if ($num_rows >0 )
{
// if they are in the database register the user id for the session
$HTTP_SESSION_VARS['valid_user'] = $userid;
}
}
?>
<html>
<body>
<h1>Home page</h1>
<?
if (isset($HTTP_SESSION_VARS['valid_user']))
{
echo 'You are logged in as: '.$HTTP_SESSION_VARS['valid_user'].'
';
echo '[url="logout.php"]Log out[/url]
';
}
else
{
if (isset($userid))
{
// if they've tried and failed to log in
echo 'Could not log you in';
}
else
{
// they have not tried to log in yet or have logged out
echo 'You are not logged in.
';
}
// provide form to log in
echo '<form method="post" action="authmain.php">';
echo '<table>';
echo '<tr><td>Userid:</td>';
echo '<td><input type="text" name="userid"></td></tr>';
echo '<tr><td>Password:</td>';
echo '<td><input type="password" name="password"></td></tr>';
echo '<tr><td colspan="2" align="center">';
echo '<input type="submit" value="Log in"></td></tr>';
echo '</table></form>';
}
?>
[url="members_only.php"]Members section[/url]
</body>
</html>
here is the code i wrote for security on my servers.
<?php
#########################################################
#
#Server Session authorization page/script
#
#This script will allow 3 successive attempts to log
#into the page, and will ban access from that PC after that.
#
#########################################################
session_start();
$_SESSION['visits']++;
$v= ($visit= $_SESSION['visits']);
$vr= substr(strrev($visit),0,1);
if ($vr==0) $visit .='th';
if ($vr==1) $visit .='st';
if ($vr==2) $visit .='nd';
if ($vr==3) $visit .='rd';
if (($vr>=4)&& ($vr<=9)) $visit .='th';
$ip=getenv("REMOTE_ADDR");
########################################################
#
#
# set the below variables accordungly
#
#
#########################################################
$users=array( 'user1' => 'password1',
'user2' => 'password2',
'user3' => 'password3',
'user4' => 'password4');
$domain="http://www.yourdomain.com";
function main();
{
##########################################################
#
#place the rest of your page here. In further pages,
#you can just check the status of the created session
#variable and force users to this page if the session is invalid.
#
##########################################################
}
#########################################################
#
#
# Leave the rest of the code alone
#
#
#
#########################################################
if ($v >=5)
{
echo '
<style>
body {background: #557; color: white; margin: 0; padding: 0;}
div {border: 1px solid #335;}
h1, div {background: #d99 url(images/Astronaut.jpg) center no-repeat fixed; color: black;}
p {margin: 1em 0; padding: 0;}
span.leader {font-style: italic;}
span.note {font-style: italic; font-size: 12;}
span.info {font-style: normal; font-size: 14; color:red; font-weight: normal;}
span.label {font: italic 1em Arial, sans-serif; letter-spacing: 1px;}
h1, h3, h4 {font-family: Arial, sans-serif; font-style: italic; font-weight: normal; margin: 0; text-transform: lowercase;}
h1 {letter-spacing: 0.75em; color: red; padding: 0.25em 0.33em 0.125em; border-bottom: 5px double #557; border-top: 3px double #CCF;}
h3 {font-weight: bold; color: #113;}
h4 {font-weight: bold; letter-spacing: 0.5em; padding: 0.33em 0.5em 0.167em; border-top: 1px solid #335; border-bottom: 1px solid #557; background: #77A; color: #533;}
div#note p {margin: 0; padding: 0.66em; font-size: 80%; font-family: sans-serif; line-height: 1.33; color: #335;}
div#sidebar div#credits a {padding: 0.33em 0.66em 0.167em 0.66em; letter-spacing: 0; font-weight: normal; text-align: left; font-size: 90%;}
div#main {position: absolute; top: 3em; left: 10%; width: 80%; margin: 1em; padding: 1em 1.5em;}
div#main h3 {letter-spacing: 3px; margin: 1.25em 0 0;}
div#main h3#top {margin-top: 0;}
div#main p {margin: 0.25em 0 1em; line-height: 1.25em;}
small {letter-spacing: 0; font-size: 85%;}
div.NN4 {display: none;}
</style>
<div id="main">
<h1 id="top"><span>Please Leave this Server</span></h3>
<span class="leader">Why Am I Still Here?</span>
You are attempting to access an unauthorized page or resource. Your '.$v.' attempts and IP Address:
'.$ip.' have been logged and the system administrator has been notified. Any further attempts
will be considered actionable as attempts to illegally gain access to this system.</p>
';
exit;
}
if (! pc_validate($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']))
{
header('www-Authenticate: Basic realm="Restricted Zone Server. Your IP is:'.$ip.' Authorized Users Only"');
header('HTTP/1.0 401 Unauthorized');
echo '
<style>
body {background: #557; color: white; margin: 0; padding: 0;}
div {border: 1px solid #335;}
h1, div {background: #99C url(images/Astronaut.jpg) center no-repeat fixed; color: black;}
p {margin: 1em 0; padding: 0;}
span.leader {font-style: italic;}
span.note {font-style: italic; font-size: 12;}
span.info {font-style: normal; font-size: 14; color:red; font-weight: normal;}
span.label {font: italic 1em Arial, sans-serif; letter-spacing: 1px;}
h1, h3, h4 {font-family: Arial, sans-serif; font-style: italic; font-weight: normal; margin: 0; text-transform: lowercase;}
h1 {letter-spacing: 0.75em; color: #446; padding: 0.25em 0.33em 0.125em; border-bottom: 5px double #557; border-top: 3px double #CCF;}
h3 {font-weight: bold; color: #113;}
h4 {font-weight: bold; letter-spacing: 0.5em; padding: 0.33em 0.5em 0.167em; border-top: 1px solid #335; border-bottom: 1px solid #557; background: #77A; color: #335;}
div#note p {margin: 0; padding: 0.66em; font-size: 80%; font-family: sans-serif; line-height: 1.33; color: #335;}
div#sidebar div#credits a {padding: 0.33em 0.66em 0.167em 0.66em; letter-spacing: 0; font-weight: normal; text-align: left; font-size: 90%;}
div#main {position: absolute; top: 3em; left: 10%; width: 80%; margin: 1em; padding: 1em 1.5em;}
div#main h3 {letter-spacing: 3px; margin: 1.25em 0 0;}
div#main h3#top {margin-top: 0;}
div#main p {margin: 0.25em 0 1em; line-height: 1.25em;}
small {letter-spacing: 0; font-size: 85%;}
div.NN4 {display: none;}
</style>
<div id="main">
<h1 id="top"><span>Welcome to the Brownwood Server</span></h3>
<span class="leader">Where Am I?</span>
You are attempting to access a restricted zone server. This Server is for authorized personell only.</p>
<span class="note">
(Note, your login should be the same as your network login, Please contact your Team Leader
if you are not able to log in)</span> </p>
';
$ip = getenv("REMOTE_ADDR");
echo "<span class=\"info\"> <center>All traffic is logged. You are visiting from remote ip: $ip";
echo " and this is your $visit visit</center>
</span>";
if ($v >=4)
{
echo "<span class=\"info\"> <center>Please Desist, the Network Administrator has been automatically notified of your repeated attempts to access this server";
}
echo substr(md5(date("ymd")),0,6);
exit;
}
function pc_validate($user,$pass)
{
global $users;
if (isset($users[$user])&&($users[$user] == $pass))
{
$_SESSION['visits']=-1;
echo '
<style>
body {background: #557; color: white; margin: 0; padding: 0;}
div {border: 1px solid #335;}
h1, div {background: #99C url(images/Astronaut.jpg) center no-repeat fixed; color: black;}
p {margin: 1em 0; padding: 0;}
span.leader {font-style: italic;}
span.note {font-style: italic; font-size: 12;}
span.info {font-style: normal; font-size: 14; color:red; font-weight: normal;}
span.label {font: italic 1em Arial, sans-serif; letter-spacing: 1px;}
button { height:18pt; font:8pt; padding:0 0 0 0; border-width:1 1 1 1; font-family:sans-serif; }
*.buRed { width: 60px; height: 20pt;background: #feeeee; border-color: Red ; color: Red ; font: 10pt;}
*.buBlue { width: 60px; height: 20pt;background: #eeeefe; border-color: Blue ; color: Navy ; font: 10pt;}
input { height: 13pt ; font: 7pt; border-width: 1 1 2 1;background:#eeeefe;}
h1, h3, h4 {font-family: Arial, sans-serif; font-style: italic; font-weight: normal; margin: 0; text-transform: lowercase;}
h1 {letter-spacing: 0.75em; color: #446; padding: 0.25em 0.33em 0.125em; border-bottom: 5px double #557; border-top: 3px double #CCF;}
h3 {font-weight: bold; color: #113;}
h4 {font-weight: bold; letter-spacing: 0.5em; padding: 0.33em 0.5em 0.167em; border-top: 1px solid #335; border-bottom: 1px solid #557; background: #77A; color: #335;}
div#note p {margin: 0; padding: 0.66em; font-size: 80%; font-family: sans-serif; line-height: 1.33; color: #335;}
div#sidebar div#credits a {padding: 0.33em 0.66em 0.167em 0.66em; letter-spacing: 0; font-weight: normal; text-align: left; font-size: 90%;}
div#main {position: absolute; top: 3em; left: 10%; width: 80%; margin: 1em; padding: 1em 1.5em;}
div#main h3 {letter-spacing: 3px; margin: 1.25em 0 0;}
div#main h3#top {margin-top: 0;}
div#main p {margin: 0.25em 0 1em; line-height: 1.25em;}
small {letter-spacing: 0; font-size: 85%;}
div.NN4 {display: none;}
</style>';
main();
}
?>
well i could give the MySQL a try, but i have a few questions. What is in 'compconfig.php', How would i add/delete members, and lastly, how would i do this for multiple pages that i want to link that can only be accessed when you're logged in.
And, Fatherstorm, i think your way of doing stuff is a little too compliated for me o.0 lol but thanks anyway
As far as your other pages. All you have to do is check to see if the Session Variable has been set. if not, then write a redirect to the login page.
PHP Code:<?php
//This file will include all the information that pertains to your database
//This information is kept in a seperate file so that you can just change one file, and all your
//database information is changed in the rest of the php files. just name this compconfig.pfp
//and do an include('compconfig.php'); at the top of any php files that access the database
$dbhost = 'localhost'; //put your host here, if your running the database put localhost
$dbname = 'auth'; //databse name goes here
$dbuser = 'john'; //databse user login here
$dbpasswd = 'abc123'; //database password here
?>
Pretty simple eh?
To add users I did this script.
PHP Code:?php
session_start();
include('compconfig.php');
//add short form variables
$username = $_POST['username'];
$email = $_POST['email'];
$password1 = $_POST['password1'];
$password2 = $_POST['password2'];
//make sure the user didn't put in a huge string as a joke
if(strlen($username)> 10)
{
echo 'Please limit your username to only 10 characters.';
exit;
}
if(strlen($email)> 40)
{
echo 'Please limit your email size to only 40 characters.';
exit;
}
if(strlen($password1)> 30)
{
echo 'Please limit your password size to only 30 characters.';
exit;
}
//trim the whitespace around the entry
$username = trim($username);
$email = trim($email);
$password1 = trim($password1);
$password2 = trim($password2);
//prevent any type of html characters or hacking attempts to be processed.
$username = htmlspecialchars($username);
$email = htmlspecialchars($email);
$password1 = htmlspecialchars($password1);
$password2 = htmlspecialchars($password2);
//did they enter a name?
if (!$username)
{
echo 'You forgot to enter a username!';
echo '
[url="register.html"]Go Back[/url]';
exit;
}
//did they enter an email?
if (!$email)
{
echo 'You forgot to enter an email address!';
echo '
[url="register.html"]Go Back[/url]';
exit;
}
//did they enter the passwords?
if (!$password1 || !$password2)
{
echo 'You forgot to enter the passwords';
echo '
[url="register.html"]Go Back[/url]';
exit;
}
//do the passwords match?
if ($password1 != $password2)
{
echo 'Your passwords do not match!';
echo '
[url="register.html"]Go Back[/url]';
exit;
}
//They are ready to register, so now we make the data safe for the database by adding escape characters
$username = addslashes($username);
$email = addslashes($email);
$password1 = addslashes($password1);
$password2 = addslashes($password2);
//Check to see if the user name is already in the database
$sql = mysql_connect($dbhost, $dbuser, $dbpasswd);
mysql_select_db($dbname, $sql);
$query = 'select * from auth '
."where username='$username' ";
$result = mysql_query($query, $sql);
if(!$result)
{
echo 'The database is not available at this time.';
echo '
Please try your query at another time.
Error = 1';
exit;
}
$num_rows = mysql_num_rows($result);
if ($num_rows >0 )
{
echo 'Sorry, but the username '.stripslashes($username).' is already taken.';
echo '
Please choose another username.';
echo '
[url="register.html"]Go Back[/url]';
exit;
}
//test to see if the e-mail is already in the system, this prevents double registration
mysql_select_db($dbname, $sql);
$query4 = 'select * from auth '
."where email='$email' ";
$result4 = mysql_query($query4, $sql);
if(!$result4)
{
echo 'The database is not available at this time.';
echo '
Please try your query at another time.
Error = 4';
exit;
}
$num_rows4 = mysql_num_rows($result4);
if ($num_rows4 >0 )
{
echo 'Sorry, but the email address '.stripslashes($email).' is already registered.';
echo '
Please choose another email address.';
echo '
[url="register.html"]Go Back[/url]';
exit;
}
//If all goes well, register the user.
$query2 = 'insert into auth values '
."( '', '$username', password('$password1'), '$email', 'no', 'no' )";
$result2 = mysql_query($query2, $sql);
if(!$result2)
{
echo 'The database is not available at this time.';
echo '
Please try your query at another time.
Error = 2';
exit;
}
$query3 = 'select * from auth '
."where username='$username' ";
$result3 = mysql_query($query, $sql);
if(!$result3)
{
echo 'The database is not available at this time.';
echo '
Please try your query at another time.
Error = 3';
exit;
}
$num_rows2 = mysql_num_rows($result3);
if ($num_rows2 >0 )
{
echo "Thank you for registering ".stripslashes($username)."!";
echo "
You may now <a href = 'authmain.php'>login</a>.";
}
?>
Simply either add a register.html form and have it refer to this script, or just add the form in there somewhere. You can test this script by going to
http://www.planetmaddness.com/comp/register.html
xmad
i think i almost got it, but i have a few more quetsions. I'm not too familier with the "tables"thing in mySQL so i have phpMyAdmin. What do i put in the table name and amount of fields area? Also, what would i put in the other areas in MyAdmin? Thanks
IN my admin put the following code in a sql query.
Quote:
create table auth (
userid int unsigned not null auto_increment primary key,
username varchar(10) not null,
password varchar(30) not null,
email varchar(40) not null,
activation varchar(3) not null,
admin varchar(3) default 'no' not null
);
insert into auth values
( '1', 'user', 'pass', '[email protected]', 'yes', 'no');
insert into auth values
( '', 'testuser', password('test123'), '[email protected]', 'yes', 'no' );
grant select, insert, update, delete
on auth.*
to databaseusernamehere
identified by 'databasepasshere';
This will insert the table headings and prepare the database for use. It will also insert two example users.
xmadd
ok, i have a few more problems. It seems that I cant login. Now, i'm connecting to the database, but i am not sure if i set the table up right or anything, and
myPHPadmin did give me an error message when i tried to set it up, but it still showed the table and stuff, so i'm not sure if there's anything wrong with it. I just get "Could not Log you in"
Does this have to do with the password('$password')"; part and what does the password() thing do?
Anwyay, i really appresiate all the help, and thanks for bearing with me o.0
What error message did you recieve. It may have been telling you that you don not have authority to grant permissions, which shouldn't be needed on a phpmyadmin type database anyway. Thats really only if your loading the database on your own system. Usually when a database is generated from a hosting company, they set up all the user grant information for you.
If the table is in there, then you should be fine.
The password('password') function is an encryption that MySQL uses for passwords. If you look at the table created
select * from auth;
The first insert in the database is an example of not using the password('password') utility. If you look at the table, you will notice the password in plaintext.
The second insert should show where you inserted password('test123') as 6j9h576KHn86H4mk4 or some other variation of a hash. This just keeps passwords entered into the database secure.
Are you using the testuser login?
Try
login: user
pass: pass
Also try the other,
login: testuser
pass: test123
The databse structure is basically this. The First column is the UserID: If you notice, it is an auto-increment function, that will automatically increase its number by 1 anytime a new user is added to the databse. It is good to have a unique ID attached to all things in the database.
The second column is the username, third is the password, the fourth is the e-mail of the person, and the fifth and sixth are things I added to the system. By default, when someone registers, they are marked as admin no, and activated, no. This was something that was put in to limit access to admin scripts, (add remove user, activate user, etc etc). The activation thing is also in there because at one point I will require user to activate themselves via their email. This ensures that the e-mail provided is actually theirs.
Let me know if you have any more questions.
xmadd
Ok, i think i got most of it. I've narrowed the problem down to the "password('pass') thing, cause it works fine with the first example, but
with the fuction, it wont work unless you put the hash in. Here's what i entered into the SQL thing...
and i got this..Code:create table auth (
userid int unsigned not null auto_increment primary key,
username varchar(10) not null,
password varchar(30) not null,
email varchar(40) not null
);
insert into auth values
( '1', 'user', 'pass', '[email protected]');
insert into auth values
( '', 'admin', password('admin'), '[email protected]');
grant select, insert, update, delete
on auth.*
to tsr-corp
identified by 'password';
but besides that, it seems to be working pretty well ^_^Code:Error
SQL-query :
GRANT SELECT , INSERT , UPDATE , DELETE ON auth . * TO tsr - corpIDENTIFIED BY 'admin'
MySQL said:
#1064 - You have an error in your SQL syntax near '-corp
identified by 'password'' at line 3
Yeah, thats most likly because your using someone elses sql database and they don't want you messing with password and users to that database. They don't want you to be able to change any permissions on your database without them knowing. So all you have to do is take out that last part and just finish with the last insert statement.
Code:create table auth (
userid int unsigned not null auto_increment primary key,
username varchar(10) not null,
password varchar(30) not null,
email varchar(40) not null
);
insert into auth values
( '1', 'user', 'pass', '[email protected]');
insert into auth values
( '', 'admin', password('admin'), '[email protected]');
Thats it...
If you look in the database you should notice that your password('admin') has be hashed in the actual database.
xmad
I just reread your last post again and noticed you said that the password('admin') was not working right. Are you inserting the password admin in correctly?
It should work fine. Check to make sure your script is right and is checking the databses pass by doing the query as
$query = 'select * from auth '
."where username='$userid' "
." and password=password('$password')";
the password=password('$password') part is the important part. Its querying the database by taking the seed, (admin) and passing it into a hash, and then comparing those hashes.
That would be the only reason I could think of for it not to be working properly. Make sure your table is named
auth
and that should be it.
Let me know what happens.
xmad
Please refer
Programming PHP by Rasmus Waldorf and Kevin Tatroe, chapter 12.
ok, i think i got it, well kinda, i think it was the creating a table part where it messed up, cause the password encyrt thing is working now, although the non-encrypted password doesn't work, but i dont think that should be a problem because i would probably encrypt them. I really appresiate all the help. I'll probably try to do an edit password and forgot password thing, but i'll email you if i have problems. Again, much thanks ^_^
this whole thread is really helpful! Cheers guys, i have obne question really though on the database stuff...i havent done that since I left school, are there any tutorials on setting up the databases from scratch for a newbie with a php login script in mind??
Thanks
Sco
I personally learned everything from the MySQL documentation. Its actually pretty good documentatin. here are some other sites that have tutorials on PHP/MySQL relationships (and database creation)
http://hotwired.lycos.com/webmonkey/...tutorial4.html
http://www.mysql.com/doc/en/Tutorial.html
http://www.freewebmasterhelp.com/tutorials/phpmysql/1
That should get you started. Let me know if you have any specific questions that arise.
xmaddness
Planet Maddness Industries
http://www.planetmaddness.com
An idea similar to xmaddness's
Get it to only accept the a-z A-Z 0-9 characters for your user name and password that way you dont get any unwanted/ unknow characters and scripts doing dodgy things to your system. :)
DHabit