TalkPHP

TalkPHP (http://www.talkphp.com/forums.php)
-   Advanced PHP Programming (http://www.talkphp.com/advanced-php-programming/)
-   -   Login / Register Class - Help! (http://www.talkphp.com/advanced-php-programming/5074-login-register-class-help.html)

evstevemd 10-30-2009 04:24 PM
Login / Register Class - Help!
 
Hi All,
I'm making my Own CMS. As per level I consider myself an intermediate Programmer. I would like you guys to guide me to make very secure PHP register/Login class. I want to implement most of my system in OOP.

So far I have read many tutorial but they are for begginers and aren't great except for learning (I appreciate their efforts). I want to learn it and at same time proceed with my project.

Sorry If I'm not clear, I'm not Englandee :-P

Tanax 10-30-2009 06:09 PM
Why don't you start and post it here and we'll tell you if we find something that can be improved? :-)

evstevemd 10-31-2009 06:15 PM
Here we Go!
Help me to improve :)

class.php
Code:
<?php
//php login sytem
class LoginRegister{
 function __construct(){
}

function displogin($status){
if ($status == "login"){
        // post login page
        $enc = base64_encode('login');
        $html = <<<LOGIN
        <form action = $_SERVER[PHP_SELF]?do=$enc, method = POST>
                <p>Username: <input type=text name = username /></p>
                <p>Password: <input type=password name = password /></p>
                <input type=submit value=Login />
        </form>
LOGIN;
                echo $html;
}//end if

else if ($status == "register"){
        //post register page
        $enc = base64_encode('register');
        $html = <<<LOGIN
        <form action = $_SERVER[PHP_SELF]?do=$enc, method = POST>
                <p>Username: <input type=text name = username /></p>
                <p>Password: <input type=password name = password /></p>
                <input type=submit value=Register />
        </form>
LOGIN;
                echo $html;
}// end elese if


}

function auth($username, $password){
        $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password' ";
        $res  = mysql_query($sql) or die(mysql_error());
        if (mysql_num_rows($res)==1){
        echo "sucessful logged in as ". $username;
        }//end if
        else{
                echo "<p style = 'color:red; font-weight:bold;'>Username or password not correct.
                <br /> New? Register!</p>";
                $this->displogin('register');
        }// end else
}


function checkempty($username, $password, $mode){
        if (empty($username) or empty($password)){
        echo "<p style = 'color:red; font-weight:bold;'>Empty Values are not allowed</p>";
        $this->displogin('login');
        }//end if
        else{
        //do checking
        switch($mode){
                case 'login':
                $this->auth($username, $password);
                case 'register':
                $this->adduser($username, $password);
                default:
                        echo "<p style = 'color:red; font-weight:bold;'>Wrong Values are not allowed</p>";
                        $this->displogin('login');
                }//end switch
        }//end else
}

function login($uname, $passwd){
        //username
        $username = stripslashes($uname);
        $username = mysql_real_escape_string($uname);
        //passsword       
        $password = stripslashes($passwd);
        $password = mysql_real_escape_string($passwd);
        //check for empty variables
        $this->checkempty($username, $password, 'login');       
}
       
function register($uname, $passwd){
        //username
        $username = stripslashes($uname);
        $username = mysql_real_escape_string($uname);
        //passsword       
        $password = stripslashes($passwd);
        $password = mysql_real_escape_string($passwd);
        //check for empty variables
        $this->checkempty($username, $password, 'register');       
}
       
function adduser($username, $password){
        $sql = "INSERT INTO users(username, password) VALUES('$username', '$password')";
        //redirect to login page
        echo "<p style = 'color:green; font-weight:bold;'>Thanks for registering. You can now login</p>";
        $this->displogin('login');
        mysql_query($sql) or die(mysql_error());
}

}//end class
?>
index.php
Code:
<?php
require "class.php";
$obj = new  LoginRegister();
$conn = mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("admin", $conn)or die(mysql_error());
if ((isset($_GET['do']))){
        if (($_GET['do'])==(base64_encode('login'))){
        $obj->login($_POST['username'], $_POST['password']);
        }//end middle first if
        else if(($_GET['do'])== (base64_encode('register'))){
                $obj->register($_POST['username'], $_POST['password']);
        }
        else{
                echo "<p style = 'color:red; font-weight:bold;'>Please Login</p>";
                $obj->displogin('login');       
                //debug
                echo base64_encode('login').'<br />';
                echo $_GET['do'];
        }//end else middle
       
}//end last if
else{
        echo "<p style = 'color:green; font-weight:bold;'>Please Login</p>";
        $obj->displogin('login');       
}//end else
?>

evstevemd 11-01-2009 11:13 AM
Bump Bump Bump 8-)

eStrategy 11-09-2009 12:24 PM
You should create a cookie for the session so the user dosnt have to keep logging on everytime they open the browser.

Aren't you planning to hash the passwords?

I would do a check to see if the user is already logged on before allowing them to see the logon form again.

Jarod B 12-25-2009 12:11 AM
I suggest you not using HTML in your code, instead making it more loose and reusable for future purposes. Like this one I created for a fansite I'm working on:

Code:
<?php
require_once(dirname(__FILE__) . "/class.mysql.php");

class memberhandler extends mysql {
        private $table = "members";
        private $sql;
       
        private $default_member_type = "Member";
       
        public function create_table() {
                $this->sql = "
                CREATE TABLE IF NOT EXISTS ". $this->table ."(
                        members_id INT(11) NOT NULL AUTO_INCREMENT,
                        members_username VARCHAR(12) NOT NULL,
                        members_password VARCHAR(24) NOT NULL,
                        members_rsname VARCHAR(12) NOT NULL DEFAULT 'Unknown',
                        members_membertype VARCHAR(255) NOT NULL DEFAULT '". $this->default_member_type ."',
                        PRIMARY KEY (members_id)
                );";
               
                return mysql::query($this->sql);
        }
       
        public function total_members() {
                $this->sql = mysql::select($this->table, "members_id");
               
                return mysql::num_rows($this->sql);
        }
       
        public function register_member($username, $password, $rsname, $member_type) {
                $this->sql = mysql::insert($this->table, array("$username", "$password", "$rsname", "$member_type"), "members_username, members_password, members_rsname, members_membertype");
               
                return $this->sql;
        }
       
        public function verify_member($username, $password) {
                $this->sql = mysql::select($this->table, "members_username, members_password", "members_username='". ucwords($username) ."' AND members_password='". $password ."'");
                $count = mysql::fetch_array($this->sql);
               
                if($count >= 1) { // returns true
                        return true;
                } else {
                        return false;
                }
        }
       
        public function member_username($username) {
                $this->sql = mysql::select($this->table, "members_username", "members_username='$username'");
                $count = mysql::num_rows($this->sql);
               
                if($count >= 1) {
                        while($row = mysql::fetch_array($this->sql)) {
                                $user = $row['members_username'];
                               
                                return ucwords($user);
                        }
                } else {
                        return false;
                }
        }
       
        public function member_type($username) {
                $this->sql = mysql::select($this->table, "members_username, members_membertype", "members_username='$username'");
               
                $count = mysql::num_rows($this->sql);
                if($count >= 1) {
                        while($row = mysql::fetch_assoc($this->sql)) {
                                $member_type = $row['members_membertype'];
                               
                                return ucwords($member_type);
                        }
                } else {
                        return false;
                }
        }
       
        public function rs_name($username) {
                $this->sql = mysql::select($this->table, "members_username, members_rsname", "members_username='$username'");
               
                $count = mysql::num_rows($this->sql);
               
                if($count >= 1) {
                        while($row = mysql::fetch_assoc($this->sql)) {
                                $rs_name = $row['members_rsname'];
                               
                                return ucwords($rs_name);
                        }
                } else {
                        return false;
                }
        }
}
?>
And here it is...in action via another function
Code:
        function total_members($non=null, $one=null, $more=null) {
                $member = new memberhandler();
                $total_str = $member->total_members();
               
                if( $member->total_members() == 1 ) {
                        $one = ( $one != null ) ? " ".$one : $one; // Check if param is being used
                       
                        $total_str .= $one;
                } else if($member->total_members() > 1) {
                        $more = ( $more != null ) ? " ".$more : $more; // Check if param is being used
                       
                        $total_str .= $more;
                } else {
                        $total_str .= $non;
                }
               
                print($total_str);
        }
And the actual use of this
Code:
<span id="date"><?php print(date("M.d.Y")); ?> | We have <b><?php total_members('no', 'member', 'members'); ?></b> with Trookine</span>

OUTPUT:
Dec.25.2009 | We have 1 member with Trookine


All times are GMT. The time now is 09:31 PM.

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0