Credit Goes To Scott From [Only registered and activated users can see links. ] for this tutorial
In this tutorial I will explain how you can make your own PHP Login Script using a MySQL database. This includes a register, login, and member page.
1. First you need to create the database to store your users' information. If you have already done so then you should skip to step two. To create the database you may have to use a MySQL admin administrator because some hosts don't always support it being done from a script. So create a database if you haven't already done so.
2. Now that we have a database, or if we already had one, we need to set up the table and columns to store our users' information. So you can use this code to set up the columns and you can fine-tune it to customize your site.
[PHP]
<?php
// set your information.
$dbhost='localhost';
$dbusername='username';
$dbuserpass='password';
$dbname='database';
// connect to the mysql database server.
mysql_connect ($dbhost, $dbusername, $dbuserpass);
//select the database
mysql_select_db($dbname) or die('Cannot select database');
//create the table, customize it if you want
$query = 'CREATE TABLE users(
id INT NOT NULL AUTO_INCREMENT,
PRIMARY KEY(id),
username VARCHAR(30) NOT NULL,
password VARCHAR(20) NOT NULL,
email VARCHAR(40) NOT NULL)';
$result = mysql_query($query);
echo "Table Created!";
?>
[/PHP]
Let's break this code down.
CREATE TABLE users - makes a table called users in the database.
id INT NOT NULL AUTO_INCREMENT - Makes an int column called "id" that will increase by 1 for each entry.
PRIMARY KEY(id) - Makes "id" primary, so it is used as an index.
username VARCHAR(30) - Makes a column called "username" that is VARCHAR which can hold almost any character. The (30) means it can't be any larger than 30.
password VARCHAR(20) - Makes a column called "password" that is also VARCHAR and its maximum length is 20.
email VARCHAR(40) - Makes a column called "email" which is also VARCHAR but its maximum length is 40.
mysql_query($query) - Run the MySQL query to create the table.
echo "Table Created!"; - Print "Table Created!" on the screen.
3. Now we have our database set up, on to the next part: register, login, and index. I will start with a simple register page for the users to insert their username, password, and email.
Here's register.php
[PHP]<center>
<?php
// set your information.
$dbhost='localhost';
$dbusername='username';
$dbuserpass='password';
$dbname='database';
// connect to the mysql database server.
mysql_connect ($dbhost, $dbusername, $dbuserpass);
mysql_select_db($dbname) or die("Cannot select database");
//Are they just getting here or submitting their info?
if (isset($_POST["username"])) {
    $username = $_POST["username"];
    $password = $_POST["password"];
    $cpassword = $_POST["cpassword"];
    $email = $_POST["email"];
    //Was a field left blank?
    if($username==NULL|$password==NULL|$cpassword==NULL|$email==NULL) {
        echo "A field was left blank.";
    }else{
        //Do the passwords match?
        if($password!=$cpassword) {
            echo "Passwords do not match";
        }else{
            //Has the username or email been used?
            $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");
            $username_exist = mysql_num_rows($checkuser);
            $checkemail = mysql_query("SELECT email FROM users WHERE email='$email'");
            $email_exist = mysql_num_rows($checkemail);
            if ($email_exist>0|$username_exist>0) {
                echo "The username or email is already in use";
            }else{
                //Everything seems good, lets insert.
                $query = "INSERT INTO users (username, password, email) VALUES('$username','$password','$email')";
                mysql_query($query) or die(mysql_error());
                echo "The user $username has been successfully registered.";
            }
        }
    }
}
?>
<h1>Register</h1>
<form action="register.php" method="POST">
<table style="border:1px solid #000000;">
<tr> <td align="right"> Username: <input type="text" size="15" maxlength="25" name="username"> </td> </tr>
<tr> <td align="right"> Password: <input type="password" size="15" maxlength="25" name="password"> </td> </tr>
<tr> <td align="right"> Confirm Password: <input type="password" size="15" maxlength="25" name="cpassword"> </td> </tr>
<tr> <td align="right"> Email: <input type="text" size="15" maxlength="25" name="email"> </td> </tr>
<tr> <td align="center"> <input type="submit" value="Register"> </td> </tr>
<tr> <td align="center"> <a href="login.php">Login Here</a> </td> </tr>
</table>
</form>
</center>
} } ?>
<h1>Register</h1>
<form action="register.php" method="POST">
<table style="border:1px solid #000000;">
<tr> <td align="right"> Username: <input type="text" size="15" maxlength="25" name="username"> </td> </tr>
<tr> <td align="right"> Password: <input type="password" size="15" maxlength="25" name="password"> </td> </tr>
<tr> <td align="right"> Confirm Password: <input type="password" size="15" maxlength="25" name="cpassword"> </td> </tr>
<tr> <td align="right"> Email: <input type="text" size="15" maxlength="25" name="email"> </td> </tr>
<tr> <td align="center"> <input type="submit" value="Register"> </td> </tr>
<tr> <td align="center"> <a href="login.php">Login Here</a> </td> </tr>
</table>
</form>
</center>
[/PHP]
Let's review this code.
$username = $_POST["username"]; - Get the POST variables and register them with local variables. The two variables below it do the same.
if($username==NULL|$password==NULL|$cpassword==NULL|$email==NULL) - Check if any of the fields were left blank. This is the beginning of our chain of "if" statements.
if($password!=$cpassword) { - If the password is the same as confirm password.
mysql_query("SELECT username FROM users WHERE username='$username'"); - Check if the username is already in use, it also does the same for the email.
mysql_num_rows($checkuser) - Turns the result into a number which means how many rows it selected, $checkemail also does this.
if ($email_exist>0|$username_exist>0) { - Check if the email or username is in use.
The rest is inserting the values and the HTML design.
4. Now that we have our register page and the database set up we can test out our register page. If you have a different name for the columns than what I had at the top then you will have to go through the scripts changing the MySQL queries. Otherwise when you register it should return 'The user $username has been successfully registered.'
Very Good Tutorial Vegeta, I won't be using it because I have my own but read through it and looks nice and secure.

Copy and pasting sh*tty php work is not helping anyone.
By the way, I'm not sure what the hell Vegeta was thinking when he posted this thread.
Let me point out a few things here.
- This is a REGISTER script, not a Login script.
- There are two lines that are repeated in this script.
- The programming of this script is horrible.
- You can enter ANYTHING for an e-mail, including an SQL injection.
- There were at least five errors I found.
Here's the same code, properly spaced and fixed.
[php]<center>
<?php
// Setup your MySQL information.
$dbhost = 'localhost';
$dbusername = 'username';
$dbuserpass = 'password';
$dbname = 'database';
// connect to the mysql database server.
mysql_connect($dbhost, $dbusername, $dbuserpass);
mysql_select_db($dbname) or die("Database not found!");
// Are they just getting here or submitting their info?
if(isset($_POST['username'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $cpassword = $_POST['cpassword'];
    $email = $_POST['email'];
    //Was a field left blank?
    if($username == NULL || $password == NULL || $cpassword == NULL || $email == NULL){
        echo "A field was left blank.";
    } else {
        // Do the passwords match?
        if($password != $cpassword){
            echo 'Your confirmation password didn\'t match your password!';
        } else {
            // Has the username or email been used?
            $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");
            $username_exist = mysql_num_rows($checkuser);
            $checkemail = mysql_query("SELECT email FROM users WHERE email='$email'");
            $email_exist = mysql_num_rows($checkemail);
            // Reject the registration if either one is already taken.
            if ($email_exist > 0 || $username_exist > 0){
                echo "The username or email is already in use";
            } else {
                //Everything seems good, lets insert.
                $query = "INSERT INTO users (username, password, email) VALUES('$username','$password','$email')";
                mysql_query($query) or die(mysql_error());
                echo "The user $username has been successfully registered.";
            }
        }
    }
}
?>
<h1>Register</h1>
<form action="register.php" method="POST">
<table style="border:1px solid #000000;">
<tr><td align="right">Username: <input type="text" size="15" maxlength="25" name="username"></td></tr>
<tr><td align="right">Password: <input type="password" size="15" maxlength="25" name="password"></td></tr>
<tr><td align="right">Confirm Password: <input type="password" size="15" maxlength="25" name="cpassword"></td></tr>
<tr><td align="right">Email: <input type="text" size="15" maxlength="25" name="email"></td></tr>
<tr><td align="center"><input type="submit" value="Register"></td></tr>
<tr><td align="center"><a href="login.php">Login Here</a></td></tr>
</table>
</form>
</center>[/php]
Please don't use this script though. I suggest that those who want to make a GOOD register script use regex on it to get rid of obscure e-mails that aren't actually e-mails. Have your users get sent an e-mail as well.
~Z
I was gonna point that out Zach, you saved me time. As Zach said, make it find invalid emails and usernames.
Thanks a lot for this, Vegeta!!
Should make it verify emails.
That's a fairly simple system, and it's vulnerable to SQL injection. With the right code, and assuming that the user your script logs in to the MySQL server with has been granted enough rights, I could completely erase your database.
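The SQL injection, plaintext password storage and missing e-mail check raised in this thread can be closed with prepared statements, `password_hash()` and `filter_var()`. The following is an added example, not code from any poster in the thread: `register_user()` is a hypothetical name, the `password` column is widened to `VARCHAR(255)` because a hash does not fit in the tutorial's `VARCHAR(20)`, and the demo assumes PDO with an in-memory SQLite database so it runs offline (for MySQL only the DSN and the `AUTO_INCREMENT` syntax change).

```php
<?php
// Added example, not code from the thread. register_user() is a hypothetical
// name; the demo assumes the pdo_sqlite driver so that it runs offline.
function register_user(PDO $pdo, string $username, string $password,
                       string $cpassword, string $email): string
{
    if ($username === '' || $password === '' || $cpassword === '' || $email === '') {
        return 'A field was left blank.';
    }
    if ($password !== $cpassword) {
        return 'Passwords do not match';
    }
    // Format check only: quotes are legal in addresses, so this is not the SQL defence.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'That is not a valid e-mail address.';
    }
    // Placeholders send the values separately from the SQL text.
    $check = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = ? OR email = ?');
    $check->execute([$username, $email]);
    if ((int) $check->fetchColumn() > 0) {
        return 'The username or email is already in use';
    }
    // Store a salted hash instead of the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $insert = $pdo->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
    $insert->execute([$username, $hash, $email]);
    // Escape on output so the name cannot inject markup into the page.
    return 'The user ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
        . ' has been successfully registered.';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password is widened to VARCHAR(255): a password_hash() value does not fit in 20.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(30) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL,
    email VARCHAR(40) NOT NULL UNIQUE)');

// Constructed sample submissions: username, password, confirmation, email.
$samples = [
    ["o'brien", 'correct horse', 'correct horse', 'obrien@example.com'],
    ["o'brien", 'another pass', 'another pass', 'second@example.com'],
    ['carol', 'pw-one', 'pw-one', 'not an e-mail'],
];
foreach ($samples as $s) {
    echo register_user($pdo, ...$s), "\n";
}
```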