
Please note that I'm completely new to PHP and MySQL; for now I have a fully working registration and login system.

My MySQL table looks like this: id username email password ip

I want to save the user's IP on every login, and if the IP has changed, to automatically log him out, so that if he logs in again the new IP will be updated in the database.

This is my server.php

<?php
session_start();

// initializing variables
$username = "";
$email    = "";
$errors = array(); 

// connect to the database
$db = mysqli_connect('localhost', 'root', '', 'registration');

// REGISTER USER
if (isset($_POST['reg_user'])) {
  // receive all input values from the form
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $email = mysqli_real_escape_string($db, $_POST['email']);
  $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
  $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);

  // form validation: ensure that the form is correctly filled ...
  // by adding (array_push()) corresponding error unto $errors array
  if (empty($username)) { array_push($errors, "Username is required"); }
  if (empty($email)) { array_push($errors, "Email is required"); }
  if (empty($password_1)) { array_push($errors, "Password is required"); }
  if ($password_1 != $password_2) {
 array_push($errors, "The two passwords do not match");
  }

  // first check the database to make sure 
  // a user does not already exist with the same username and/or email
  $user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
  $result = mysqli_query($db, $user_check_query);
  $user = mysqli_fetch_assoc($result);
  
  if ($user) { // if user exists
    if ($user['username'] === $username) {
      array_push($errors, "Username already exists");
    }

    if ($user['email'] === $email) {
      array_push($errors, "Email already exists");
    }
  }

  // Finally, register user if there are no errors in the form
  if (count($errors) == 0) {
   $password = md5($password_1);//encrypt the password before saving in the database

   $query = "INSERT INTO users (username, email, password) 
       VALUES('$username', '$email', '$password')";
   mysqli_query($db, $query);
   $_SESSION['username'] = $username;
   $_SESSION['success'] = "You are now logged in";
   header('location: index.php');
  }
}

// ... 
// ... 

// LOGIN USER
if (isset($_POST['login_user'])) {
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $password = mysqli_real_escape_string($db, $_POST['password']);

  if (empty($username)) {
   array_push($errors, "Username is required");
  }
  if (empty($password)) {
   array_push($errors, "Password is required");
  }

  if (count($errors) == 0) {
   $password = md5($password);
   $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
   $results = mysqli_query($db, $query);
   if (mysqli_num_rows($results) == 1) {
     $_SESSION['username'] = $username;
     $_SESSION['success'] = "You are now logged in";
     header('location: index.php');
   }else {
    array_push($errors, "Wrong username or password combination");
   }
  }
}

?>
MrGyt

  • You're not using this online right now, are you? It's not safe at all. – Funk Forty Niner Sep 15 '18 at 13:59
  • Welcome to Stack Overflow. **Security tip:** NEVER store passwords in databases unless they are hashed correctly. Please read this: http://php.net/manual/en/faq.passwords.php MD5 as a secure hash was cracked a decade ago. – O. Jones Sep 15 '18 at 14:25
  • https://stackoverflow.com/questions/2179520/whats-the-best-way-to-do-user-authentication-in-php – Pedro Lobito Sep 15 '18 at 16:06

1 Answer

Once a user logs in, you are probably using a PHP session for each user. Here's an example of how to do that: Using sessions & session variables in a PHP Login Script

To meet your need, you can stash the IP address in the session from the login page, like so:

// X-Forwarded-For is only present when a proxy in front of the server sets it;
// test with !empty() so a missing header does not raise an undefined-index notice
$_SESSION['ip'] = !empty($_SERVER['HTTP_X_FORWARDED_FOR'])
             ? $_SERVER['HTTP_X_FORWARDED_FOR']
             : $_SERVER['REMOTE_ADDR'];

Then on other pages you can do this to detect the IP change:

$ip = !empty($_SERVER['HTTP_X_FORWARDED_FOR'])
             ? $_SERVER['HTTP_X_FORWARDED_FOR']
             : $_SERVER['REMOTE_ADDR'];
if (isset($_SESSION['ip']) && $ip != $_SESSION['ip']) {
    session_destroy();
    /* redirect to your login page */
    header('Location: login.php');
    exit;
}

Some points:

  1. Make sure session strict mode is set on your PHP server so session_destroy() is effective.

  2. Beware: a user's IP address can legitimately change during an active session: DHCP can change an address without the user knowing it. Rare, but it happens.

  3. If your users are in institutions (businesses) many of them will appear to have the same IP address: what your web site sees is the IP address of their shared gateway to the Internet.

So, paying a lot of attention to the IP addresses of users is a little dodgy.

O. Jones