User Validation/Authentication in PHP

When a user visits a website that asks for a username and password, the credentials are validated against a MySQL database. The following scripts demonstrate this.
Step 1: Create a database called dummy by executing "create database dummy" in the mysql command window or shell window.
Step 2: Create a table called usertable with two fields, 'user' and 'pass', and populate it with some values.
create table usertable (user varchar(20), pass varchar(30));
insert into usertable values ('pradeep','pradeep');

Step 3: Write the following HTML script and name it user.html
<form method=post action=user.php>
Enter the Username: <input type=text name=username> <BR>
Enter the password: <input type=password name=password> <BR>
<input type=submit>
</form>
Step 4: Write the following PHP script and name it user.php
<?php
//the mysql_* functions used here need PHP 5; they were removed in PHP 7
$user=$_POST['username']; //get the username from the previous page (html page)
$pass=$_POST['password']; //get the password from the previous page
$conn=mysql_connect("localhost","root","abc123") or die("Connection Failed". mysql_error());
mysql_select_db("dummy",$conn) or die(mysql_error());
//pass holds the value exactly as inserted in Step 2, so it is compared directly
$query="Select * from usertable where user='$user' and pass='$pass'";
$result=mysql_query($query) or die(mysql_error());
$num = mysql_num_rows($result);//returns at least 1 row if the username password combination is valid
echo $num;//display the number of rows returned
if($num != 0)
{
    echo "Welcome Mr.$user, you are authenticated";
}
else
{
    echo "Username/password combination Failed";
}
mysql_close($conn);
?>
The above script checks the username and password combination: if the combination is valid, at least one row is returned; otherwise the number of returned rows is 0.
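
The same login check with the request values kept out of the SQL text and the password verified against a stored hash, as an added example that is not part of the original post. It uses a PDO prepared statement and password_hash()/password_verify(); the widened pass column and the DB_USER/DB_PASS environment variable names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the original post): usertable.pass is widened to
// varchar(255) and holds password_hash() output written at registration;
// DB_USER / DB_PASS are hypothetical environment variable names.

function find_hash(PDO $db, string $user): ?string
{
    // The placeholder keeps $user out of the SQL text: quotes in it are data.
    $stmt = $db->prepare('SELECT pass FROM usertable WHERE user = ? LIMIT 1');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

function authenticate(PDO $db, string $user, string $pass): bool
{
    // Verify against a throwaway hash when the user is unknown, so both
    // paths run one password_verify() call.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = find_hash($db, $user);
    $ok = password_verify($pass, $hash ?? $dummy);
    return $hash !== null && $ok;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (!is_string($user) || !is_string($pass)) { // e.g. username[]=x
        http_response_code(400);
        exit;
    }
    $db = new PDO(
        'mysql:host=localhost;dbname=dummy;charset=utf8mb4',
        getenv('DB_USER') ?: null,
        getenv('DB_PASS') ?: null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]
    );
    if (authenticate($db, $user, $pass)) {
        // Escape on output: the name came from the request.
        echo 'Welcome ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8'), ', you are authenticated';
    } else {
        echo 'Username/password combination failed';
    }
}
```

Rows inserted as in Step 2 hold no valid hash, so password_verify() rejects them until the value is replaced with password_hash() output.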

Comments

  1. PHP Authentication, 7 September 2009 at 16:27

    There are a few security breaches in your example.

    First, you store plaintext passwords in database. This way they are visible to everyone who has database access. It is strongly advised that you store password hashes instead.

    Second, you should escape all user input strings before you include them in SQL queries. Without this, you are open to SQL injection attacks.

    Combine these two and you have really poor security on your web site.

    You can read more about these problems in the following article:
    http://bit.ly/BS2fO

    BTW, change the password in your mysql_connect function, this one is not politically correct. :-)
