
PHP: Login FdSc Module 109 Server side scripting and Database design




1 PHP: Login FdSc Module 109 Server side scripting and Database design
2011

2 Example
We will create a login page that asks the user to enter a username and password. If the credentials entered by the user match those hard-coded into the script, a session variable called login will be set to "OK" and the user will be directed to the protected page. The protected page will check that login is "OK"; if it is not, the user is redirected to the login screen.

3 PHP Sessions
A session is the time spent by a user browsing a particular website. When a session is created, a unique Session ID is set up for the user that is subsequently made available to each page the user visits. The Session ID is held in a PHP system variable called PHPSESSID, which allows information to be shared across pages (the ID can also be stored in a cookie).

4 Uses
When a user starts a shopping cart, the items added to the cart could be held in session data. In our case we will use session data to record whether a user is logged in and able to view protected pages.

5 Session initiation
<?php
  session_start();
?>
The session_start() function checks for an existing session. If one is not found, it creates a new session and gives it a Session ID.

6 Storing a simple counter value
Session information is stored in session variables using the $_SESSION array. Here a simple counter variable is created for the session and set to 1:
<?php
  session_start();
  $_SESSION['count'] = 1;
?>

7 session01.php
<?php
  session_start();
  $_SESSION['count'] = 1;
?>
<html>
  <head>
    <title>Some web page</title>
  </head>
  <body>
    <?php
      $_SESSION['count'] = 1;
      echo "Counter value = ".$_SESSION['count'];
    ?>
  </body>
</html>

8 Checking if a session exists
To check whether a variable exists and has been assigned, use the isset() function. It returns true if the variable has been set (given a value) and false otherwise. We will use isset() to check whether the count variable exists and has been set. If it has, the code will increment the value of count; otherwise the count variable will be created and set to 1.

9 session02.php
<?php
  session_start();
  if(isset($_SESSION['count']))
    $_SESSION['count'] = $_SESSION['count'] + 1;
  else
    $_SESSION['count'] = 1;
?>
<html>
  <head>
    <title>Some web page</title>
  </head>
  <body>
    <?php
      echo "Counter value = ".$_SESSION['count'];
    ?>
  </body>
</html>

10 Session checker
The result is initially the same, but each time the page is refreshed the counter increases by one.

11 Clearing a session
Clear the contents of a particular session variable using the unset() function. The following script will clear the count variable when it reaches 10. The page will then say the count does not have a value, and the count will start again.

12 session03.php
<?php
  session_start();
  if(isset($_SESSION['count']))
  {
    $_SESSION['count'] = $_SESSION['count'] + 1;
    if($_SESSION['count'] > 10)
      unset($_SESSION['count']);
  }
  else
    $_SESSION['count'] = 1;
?>
<html>
  <head>
    <title>Some web page</title>
  </head>
  <body>
    <?php
      if(isset($_SESSION['count']))
        echo "Counter value = ".$_SESSION['count'];
      else
        echo "The counter does not currently have a value!";
    ?>
  </body>
</html>

13 Login
For this example the user name and password will be stored in the script. Later we will use multiple user names and passwords stored in a database table.

14 Pages
Login page: establishes a session and asks the user to enter a username and password. If the credentials match, a session variable called login is set to "OK" and the user is directed to the protected page.
Protected page: checks that the $_SESSION['login'] value is "OK"; if it is not, the user is redirected to the login screen.

15 login.php
Displays a form to enter the user name and password. If they match, it calls protected.php. If they are blank or don't match, it calls itself.

16 login.php (part 1)
<?php
  // isset() avoids an undefined-index notice when the form has not been submitted yet
  $user = isset($_POST["username"]) ? $_POST["username"] : "";
  $pass = isset($_POST["password"]) ? $_POST["password"] : "";
  $validated = false;
  session_start();
  if($user!="" && $pass!="")
  {
    if($user=="jsmith" && $pass=="letmein")
      $validated = true;
    if($validated)
    {
      $_SESSION['login'] = "OK";
      $_SESSION['username'] = $user;
      $_SESSION['password'] = $pass;
      header('Location: protected.php');
      exit();   // stop here so the form below is not sent along with the redirect
    }
    else
    {
      $_SESSION['login'] = "";
      echo "Invalid username or password.";
    }
  }
  else
    $_SESSION['login'] = "";
?>

17 login.php (part 2)
<html>
  <body>
    <h1>Login Page</h1>
    <p>Please enter your username and password:</p>
    <form action="login.php" method="post">
      <table>
        <tr>
          <td align="right">Username: </td>
          <td><input type="text" size="20" maxlength="15" name="username"></td>
        </tr>
        <tr>
          <td align="right">Password: </td>
          <td><input type="password" size="20" maxlength="15" name="password"></td>
        </tr>
        <tr>
          <td> </td>
          <td colspan="2" align="left"><input type="submit" value="Login"></td>
        </tr>
      </table>
    </form>
  </body>
</html>

18 protected.php
<?php
  session_start();
  // isset() guards against a visitor who has no session variable at all
  if(!isset($_SESSION['login']) || $_SESSION['login'] != "OK")
  {
    header('Location: login.php');
    exit();
  }
?>
<html>
  <head>
    <title>Protected Web Page</title>
  </head>
  <body>
    <h1>Protected Web Page</h1>
    <?php
      echo "<p>You have successfully logged in!</p>";
      echo "<p>Your username is: ";
      echo $_SESSION['username'];
      echo "<br/>";
      echo "Your password is: ";
      echo $_SESSION['password'];
      echo "</p>";
    ?>
  </body>
</html>

19 Login result
If the user name "jsmith" and password "letmein" are entered correctly, then the protected page is displayed. If the protected page is accessed without being logged in, then the login page is displayed.

20 Database login
Create a password table:
CREATE TABLE user (
  userID int not null auto_increment,
  primary key(userID),
  username varchar(20) not null,
  password varchar(20) not null
);

21 Create an admin user
insert into user (username, password) values ("admin", "letmein");

22 Modify the login code
Check with the database whether the user name and password are present:
$sql = "SELECT * FROM user WHERE username = '$user' AND password = '$pass'";
$rs = mysql_query($sql,$conn);
$result = mysql_num_rows($rs);
if ($result > 0) $validated = true;

23 modified login.php (part 1)
<?php
  $user = isset($_POST["username"]) ? $_POST["username"] : "";
  $pass = isset($_POST["password"]) ? $_POST["password"] : "";
  $validated = false;
  session_start();
  $_SESSION['login'] = "";
  if($user!="" && $pass!="")
  {
    // mysql_connect() and mysql_select_db() were dropped from the transcript and are
    // restored here; they belong to the legacy mysql extension, which was removed in PHP 7
    $conn = mysql_connect("ourhost", "studentnn", "password") or die ("Sorry - unable to connect to MySQL database.");
    mysql_select_db("admin", $conn) or die ("error");
    $sql = "SELECT * FROM user WHERE username = '$user' AND password = '$pass'";
    $rs = mysql_query($sql,$conn);
    $result = mysql_num_rows($rs);
    if ($result > 0) $validated = true;
    if($validated)
    {
      $_SESSION['login'] = "OK";
      $_SESSION['username'] = $user;
      $_SESSION['password'] = $pass;
      header('Location: protected.php');
      exit();   // stop here so the form below is not sent along with the redirect
    }
    else
    {
      $_SESSION['login'] = "";
      echo "Invalid username or password.";
    }
  }
  else $_SESSION['login'] = "";
?>

24 modified login.php (part 2)
<html>
  <body>
    <h1>Login Page</h1>
    <p>Please enter your username and password:</p>
    <form action="login.php" method="post">
      <table>
        <tr>
          <td align="right">Username: </td>
          <td><input type="text" size="20" maxlength="15" name="username"></td>
        </tr>
        <tr>
          <td align="right">Password: </td>
          <td><input type="password" size="20" maxlength="15" name="password"></td>
        </tr>
        <tr>
          <td> </td>
          <td colspan="2" align="left"><input type="submit" value="Login"></td>
        </tr>
      </table>
    </form>
  </body>
</html>

25 Modify the protected page
If the admin logs in, then allow them to create a new user:
if($_SESSION['username'] == 'admin')
{
  echo "<p><a href='create_user.php'>Create a new user</a></p>";
}

26 Modified protected.php
<?php
  session_start();
  if(!isset($_SESSION['login']) || $_SESSION['login'] != "OK")
  {
    header('Location: login.php');
    exit();
  }
?>
<html>
  <head>
    <title>Protected Web Page</title>
  </head>
  <body>
    <h1>Protected Web Page</h1>
    <?php
      echo "<p>You have successfully logged in!</p>";
      echo "<p>Your username is: ";
      echo $_SESSION['username'];
      echo "<br/>";
      echo "Your password is: ";
      echo $_SESSION['password'];
      echo "</p>";
      if($_SESSION['username'] == 'admin')
      {
        echo "<p><a href='create_user.php'>Create a new user</a></p>";
      }
    ?>
  </body>
</html>

27 Create a user
This page is similar to the login page, but entering the details creates a new entry in the table. Save this as create_user.php.

28 create_user.php
<?php
  session_start();
  if(!isset($_SESSION['login']) || $_SESSION['login'] != "OK")
  {
    header('Location: login.php');
    exit();
  }
?>
<html>
  <body>
    <h1>Create a new user</h1>
    <p>Please enter details for the new user:</p>
    <form action="insert_user.php" method="post">
      <table>
        <tr>
          <td align="right">Username: </td>
          <td><input type="text" size="20" maxlength="15" name="new_username"></td>
        </tr>
        <tr>
          <td align="right">Password: </td>
          <td><input type="password" size="20" maxlength="15" name="new_password"></td>
        </tr>
        <tr>
          <td> </td>
          <td colspan="2" align="left"><input type="submit" value="Create user"></td>
        </tr>
      </table>
    </form>
  </body>
</html>

29 Insert user
The create_user form calls insert_user. The insert script has to:
- Insert the new user into the table
- Offer a choice of continuing the application or logging out

30 insert_user.php
<?php
  // session_start() and the redirect must run before any HTML is output,
  // otherwise the headers have already been sent and the redirect fails
  session_start();
  if(!isset($_SESSION['login']) || $_SESSION['login'] != "OK")
  {
    header('Location: login.php');
    exit();
  }
?>
<html>
  <body>
    <h1>User Creation</h1>
    <?php
      $new_user = isset($_POST["new_username"]) ? $_POST["new_username"] : "";
      $new_pass = isset($_POST["new_password"]) ? $_POST["new_password"] : "";
      // mysql_connect() and mysql_select_db() restored as in the modified login.php (legacy mysql extension)
      $conn = mysql_connect("localhost", "root", "") or die ("Sorry - unable to connect to MySQL database.");
      mysql_select_db("admin", $conn) or die ("error");
      $sql = "INSERT INTO user (username, password) VALUES ('$new_user', '$new_pass')";
      mysql_query($sql,$conn) or die ("User creation failed.");
      echo "<p>User created successfully.</p>";
      echo "<p>Return to <a href='protected.php'>application</a> or <a href='login.php'>log out</a></p>";
    ?>
  </body>
</html>

31 What is wrong? The security is appalling!
We have stored the user names and passwords in clear text. Investigate SHA.
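As an added example (not code from the slides), here is the database login of slide 23 and the user insert of slide 30 rebuilt so that the table holds password hashes rather than clear text and the SQL never has user input interpolated into it; password_hash() (bcrypt with a per-user salt) is the built-in answer to "Investigate SHA" and is preferable to a bare SHA digest. It assumes PHP 7 or later with PDO, the slides' user table with the password column widened to VARCHAR(255), and hypothetical database credentials.

```php
<?php
// Added example, not from the slides: the database login and user creation
// from slides 23 and 30 rebuilt with prepared statements and password hashing.
// Assumes PHP 7+ with PDO, the slides' "user" table with the password column
// widened to VARCHAR(255) (a bcrypt hash is 60 characters, so VARCHAR(20) is
// too small), and hypothetical database credentials.

function db(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=admin;charset=utf8mb4',
                   'appuser', 'apppass');   // hypothetical credentials
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Replaces the INSERT in insert_user.php: the table stores a salted bcrypt hash,
// never the clear-text password, and both values are bound parameters rather
// than text spliced into the SQL string.
function createUser(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username,
                    ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Replaces the SELECT in the modified login.php: only the username is looked up,
// and the submitted password is checked against the stored hash in PHP.
function authenticate(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

session_start();
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

if ($user !== '' && $pass !== '' && authenticate(db(), $user, $pass)) {
    session_regenerate_id(true);    // fresh session ID once the user is logged in
    $_SESSION['login'] = 'OK';
    $_SESSION['username'] = $user;  // the password itself is never put in the session
    header('Location: protected.php');
    exit();                         // nothing after a redirect should keep running
}
$_SESSION['login'] = '';
echo 'Invalid username or password.';
```

insert_user.php would call createUser() with the posted new_username and new_password instead of building its own INSERT string.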

