Managing Users with PHP Sessions and MySQL

I don’t like the use of JavaScript when alerting the user of an error. If it is being processed server-side, the errors should be processed server-side and echoed back to the user.

This script uses unvalidated form input data to perform a MySQL query. It would be extremely easy for a malicious user to launch a dangerous SQL injection attack.

This is a great start. But remember you will need to secure your scripts like Tom has mentioned against SQL injection attacks as well as others by validating the input.

I can’t get it to work. When I try to log in to protectedpage.php, even though the registration has been done, I keep getting the message “access denied”. What’s wrong?

Yeah, it works, thx a lot. But I don’t understand why the PASSWORD function is necessary in the SQL script. When I removed it from the code, it worked.

Excellent tutorials.

PASSWORD encrypts the password as it is inserted into the database. You can store the password unencrypted, but it will be visible to admins who look at the database.

Re: SQL injection - any links to useful tutorials on how to protect from these kinds of attacks? What extra code do we need to add to a script like this to add security against this type of attack?

Thanks,

Chris

To protect against SQL attacks I just did:
$VARIABLE = mysql_real_escape_string(trim($_POST['fieldname']));

Then inserted the variables.

(Trim isn’t needed but gets rid of any spaces at the ends while you’re at it)

As for the PASSWORD function I replaced it with a few md5 and sha1 encryptions for better security

Hi,

The script is excellent, but I don’t understand one thing. After you log in as a successful user, the “accesscontrol.php” script appears to be blank. There should be some message which appears for a successful user. Moreover, the “accesscontrol.php” script is also an include file. So this message should only appear on the page which the user sees after logging in for the first time. Has anyone figured this out as yet?

Hi,

I know it’s a little late, but I had the same result as Gaurav. I don’t think the author ever intended that page to be used on its own. If you were to log into the protectedpage.php page, you will notice that you are logged in and greeted with a welcome message. Therefore, I believe the author intended it to be used as a processing script only. I did, however, find the lack of a logout feature disappointing.

If you just want a logout page, then you can always put a link that performs a session destroy and self, right?
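A logout script that does what the comment above describes, written as an added example rather than code from the tutorial. It follows the pattern in the PHP manual for session_destroy(): clear the session array, expire the session cookie in the browser, then destroy the server-side session. The redirect target index.php is an assumption.

```php
<?php
// logout.php - added example, not part of the original tutorial.
// Ends the session started by accesscontrol.php / protectedpage.php.

session_start();                 // resume the session so we can destroy it

// 1. Drop all session variables (e.g. the logged-in user id).
$_SESSION = [];

// 2. Expire the session cookie in the browser, otherwise the old
//    session id keeps being sent and could be reused.
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 42000,              // a time in the past
        $params['path'],
        $params['domain'],
        $params['secure'],
        $params['httponly']
    );
}

// 3. Remove the session data on the server.
session_destroy();

// 4. Send the user back to a public page (index.php is assumed here).
header('Location: index.php');
exit;
```

A complementary step on the login side is to call session_regenerate_id(true) right after a successful password check, so a session id that existed before login cannot be reused afterwards.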

Isn’t it necessary to sanitise user input into the database?

How do I set up the database for this (there is no included SQL file, please make it easy for beginners!!)?

One small flaw in the table creation (Page 3)…

-> password CHAR(16) NOT NULL, 

The size of this field needs to be much larger. The encoded passwords created on my site (PHP version 4.4.8 & MySQL version 4.1.22) were over 40 characters long, and it took me a while to figure out why I could never log in.

Increasing the size to 100 fixed the problem and it now works perfectly.

-> password CHAR(100) NOT NULL,

I did everything according to this tutorial, but when I try to log in… it just tells me access denied and that I should click here to try again…

I don’t see any mention of how to close the database connection when finished.

This is great. Thanks a lot!

When I execute the signup.php file and click on the OK button I receive the following message:
“The site database is unavailable.”

You are getting “the site database is unavailable” because you have forgotten to change the name of the database set in this example to your own database name. Make sure you change whatever he has in bold.

I have a problem too, I don’t know if someone could help me out. I’m a newbie in MySQL, but this example is quite useful. I made it run perfectly; I can actually register and my database shows everything perfectly: userid, name, email, and encrypted password. Once I receive an email with an automatic password I try to log in using the userid and the password sent to me by email… I cannot log in, I get “Your user ID or password is incorrect, or you are not a registered user on this site”… I am being REALLY CAREFUL, by the way. I have registered a bunch of users and have gotten different passwords, and I am just not able to log in. What could be the problem?

rafs: refer to Howitzer’s comment about the column not being initially big enough to save an encrypted password in the mysql database. Increase the column size to at least 100 or remove the PASSWORD encoding functionality from the line of code below:

From

password = PASSWORD(‘$newpass’),

to

password = ‘$_POST[newpass]’,

However this is not the most secure solution.
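The three recurring problems in this thread are the unescaped `$_POST` values built into SQL strings, the password column that is too short for a hashed value, and the suggestion to drop hashing altogether to make login work. The following is an added example, not code from the tutorial or its author, showing the registration and login steps with prepared statements (user input is never part of the SQL text) and PHP’s password_hash()/password_verify() in place of MySQL’s PASSWORD(). The DSN, credentials, table name `user` and the column names other than `password` are assumptions; `newpass` is the form field name used in the comments above.

```php
<?php
// Added example: secure registration/login for the tutorial's user table.
// Requires PHP 5.5+ (password_hash) and the PDO MySQL driver.
declare(strict_types=1);

function connect(): PDO
{
    // Placeholder connection details; replace with your own database.
    return new PDO(
        'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
        'YOUR_USER',
        'YOUR_PASSWORD',
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

function createUserTable(PDO $pdo): void
{
    // VARCHAR(255) has room for password_hash() output (60 chars for bcrypt,
    // longer for newer algorithms). A CHAR(16) column silently truncates the
    // hash, which is why logins in this thread kept failing.
    $pdo->exec(
        'CREATE TABLE IF NOT EXISTS user (
            id       INT AUTO_INCREMENT PRIMARY KEY,
            userid   VARCHAR(32)  NOT NULL UNIQUE,
            password VARCHAR(255) NOT NULL,
            fullname VARCHAR(100) NOT NULL,
            email    VARCHAR(255) NOT NULL
        )'
    );
}

function registerUser(PDO $pdo, string $userid, string $newpass, string $fullname, string $email): void
{
    // Salted, deliberately slow hash. Plain text, md5 and sha1 are not
    // suitable for stored passwords.
    $hash = password_hash($newpass, PASSWORD_DEFAULT);

    // Bound parameters: a value such as "' OR '1'='1" is sent as data and
    // can only ever be compared as a string, never parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO user (userid, password, fullname, email)
         VALUES (:userid, :password, :fullname, :email)'
    );
    $stmt->execute([
        ':userid'   => $userid,
        ':password' => $hash,
        ':fullname' => $fullname,
        ':email'    => $email,
    ]);
}

function checkLogin(PDO $pdo, string $userid, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM user WHERE userid = :userid');
    $stmt->execute([':userid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return false; // unknown user or wrong password: same answer for both
    }

    // Transparently upgrade old hashes when the default algorithm/cost changes.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE user SET password = :password WHERE userid = :userid');
        $upd->execute([
            ':password' => password_hash($password, PASSWORD_DEFAULT),
            ':userid'   => $userid,
        ]);
    }
    return true;
}

// Usage inside signup.php / accesscontrol.php (form field names other than
// 'newpass' are assumed):
//   $pdo = connect();
//   createUserTable($pdo);
//   registerUser($pdo, $_POST['userid'], $_POST['newpass'], $_POST['fullname'], $_POST['email']);
//   if (checkLogin($pdo, $_POST['userid'], $_POST['password'])) { /* start session */ }
```

Because the hash is computed in PHP, the database never sees the clear-text password, and the stored value is independent of the MySQL version, which is what made the PASSWORD() output length vary between installations in the comments above.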

Every time I try to submit the form to create a new user I get "Object not found! Error 404."

Any ideas?