PHP Login form with HTML form

Question

Im trying to create a login form. THis is my HTML form code

<html> 
<head>
<title>Login</title>
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<div class="container login">
<form action="login.php" method="post" class="form-signin" id = "login_form" >
<h2 class="form-signin-heading">User Login</h2>
<input type="text" name="username" size="20" placeholder="Username">
<input type="password" name="password" size="20" placeholder="Password"></br>
<input type="submit" value="Log In" class="btn btn-large btn-primary">
<a href="signup.html">Sign Up</a>        
</form>
</div>
</body>
</html>
<?php
}
?>

and this is my php code

<?php
    if (isset($_POST) && !empty($_POST)) {
        session_start();
        //connecting to the database
        include("config.php");

        //Storing username in $username variable.
        $username = mysql_real_escape_string(stripslashes($_POST['username']));

        //Storing password in $password variable.
        $password = mysql_real_escape_string(stripslashes(md5($_POST['password'])));


        $match = "SELECT id FROM $table WHERE username = '" . $username . "' and password'" . $password . "';";

        $qry = mysql_query($match);

        $num_rows = mysql_num_rows($qry);

        if ($num_rows <= 0) {

            echo "Sorry, there is no username $username with the specified password.";

            echo "Try again";

            exit;

        } else {

            $_SESSION['user'] = $_POST["username"];
            header("location:index.html"); // Page to redirect user after login.
        }
    } //else{}
?>

Ive inserted 'mark99' username and '1234' password into thedatabase however it keeps giving my an error saying the username doesn't exists. Any ideas?

Answer 1

Just for the sake of headstuff (so you'll have an idea as to why Fred -ii- said not to use this code) - I'm going to somewhat take this apart, in order, as I go through it (it's not a personal dig at the person posing the question - but just to give an idea that trying to build a halfway secure application on the LAMP stack requires a little bit of care and forethought ... and bloody-minded cynicism paired with assuming the worst in humanity helps):

---

Point 1

Not a biggy - but really if you're going to start a session you should start a session irrespective as to whether there's $_POST data or not. You should probably require your config file and start the session at the top before anything else.

Not a terminal error (as you've no session validation) - just weird.

---

Point 2

You've got output in this file (echo) therefore it must be under the document root and available in the web tree.

include("config.php");

This isn't really written properly it should probably be require_once 'config.php'; (assuming it's a required program file and not an optional include that can be allowed to fail) but that's not the error. The error is that you've got your config file inside your document root. A server misconfiguration or simple typo in that file could, theoretically, allow the contents of that file to be output to the screen in plain text, potentially revealing your database connection strings (and who knows what else) to world + dog.

Configuration files should exist outside of the web tree or, failing that, inside a directory protected with something like .htaccess Deny from all. They should never be accessible over HTTP.

---

Point 3

The mysql library is deprecated and shouldn't be used at all; MySQLi or PDO are the way to go, ideally with bound parameters/values:

http://uk3.php.net/PDO

http://uk3.php.net/mysqli

Personally I'd got for PDO.

---

Points 4 & 5

$password = mysql_real_escape_string(stripslashes(md5($_POST['password'])));

First off, the order of this is wrong. You're hashing $_POST['password'] and then attempting to stripslashes - there won't be any slashes once it's been hashed. However if you're trying to prevent people from using slashes (or whatever) in passwords you'd need to remove them before hashing the string.

Next md5 shouldn't be used as a password hashing algorithm it has been found to be weak and can be brute forced to create string collisions far more frequently than it should.

Yes, you should only store hashes or "fingerprints" of the passwords rather than the passwords themselves but, ideally you want to salt and hash (with at least sha1) those passwords rather than simply throwing them into an md5() function.

See: http://uk3.php.net/mcrypt for instance

And do a search on "password salting hashing" using your search engine of choice.

---

Point 6

SELECT id FROM $table 
WHERE username = '" . $username . "' 
and password = '" . $password . "';

I added in the = that was missing from the original question, but still, don't match on username and password in your query ... if someone managed to get an SQL injection into your username the password would never be checked. Imagine:

SELECT user.id 
FROM user WHERE user.username = 'fred' OR 1 = 1 
-- AND user.password = 'abc123'

It's better to select the user id and password fingerprint from the database and then evaluate the password in the application rather than to trust a password check in the database layer. It also means you can use a dedicated hashing and salting algorithm in the application itself to validate your passwords.

---

Point 7

$_SESSION['user'] = $_POST["username"];

This is merely storing the username in the session? This in no way should be used as a "login verifier" especially as there's (apparently) nothing in your session to prevent hijacking.

The session id could easily be sniffed from the cookie of a live session and that's all that would be required to "borrow" someone else's login. You should at least attempt to mitigate the chance of the session being hijacked by associating the user's IP address, UserAgent string or some other combination of relatively static data that you can compare against on every page... there are drawbacks to practically any approach though (especially, as I've found, if you've got visitors using AOL) - but you can make a probably 99+% effective session fingerprint to mitigate hijacking with very little chance of the user's session being erroneously dumped.

Ideally you may also want to create a token for the session to mitigate CSRF attacks when the user needs to perform a "privileged" action on the database (update their details or whatever). The token could be an utterly random and unique code stored in the database and/or in an SSL cookie when the user logs in (assuming the user can't perform any action that updates the database outside of HTTPS as that would just transmit the data in clear text across the Internet - which would be a bad idea).

The token is put into a hidden form field for any/all forms and checked against the value stored in the cookie (or session or database) whenever that form is submitted. This ensures that the person submitting the form has a live session on your website at least.

Answer 2

you said you have inserted 1234 as password in table right??

and in

$password = mysql_real_escape_string(stripslashes(md5($_POST['password']))); 

you are hasing the password mean it will not be 1234 any more in $password variable that's why its giving error.

either remove the md5() or insert the md5 value of 1234 in table

Answer 3

There may be a couple of issues causing this.

Firstly on your $match statement you are missing an equals operator by password:

This:

$match = "SELECT id FROM $table WHERE username = '".$username."' and password'".$password."';";

Should be this:

$match = "SELECT id FROM $table WHERE username = '".$username."' and password = '".$password."';";

Secondly are you inserting the password into the database after hashing it using md5?

If not then your query is trying to match md5(password) against password.