User Personalization with PHP:
User Login

Sr Instructional Designer D2L-Moodle,Clearance
WSI Nationwide, Inc.
US-NJ-Fort Monmouth

In this article, we will be looking at the login page of the application. This is the first page that any user wanting to use our application is going to be faced with and the most important one in this section. This script does the very important job of authenticating a user and can make or break the application in the sense that if it is weak security wise, then any attacker can easily penetrate our application and cause damage. In this case, we will try to make it as difficult as possible for attackers to break our application. Some of the things that we are going to do to strengthen our application is to enforce data validation and make sure that we also put some measures in place to stop SQL injection.

The Login Script

The login script plays a very important role in this application. It is responsible for authenticating and keeping track of the user. Without this page any user will simply be able to store any bookmark and there will be no order, in the sense that when a user wants to view her bookmarks she will see everybody else's bookmarks at the same time because she will not have her bookmarks grouped under her name. In addition to authenticating users, the login script also starts a session for each user that it authenticates successfully, to keep track of this particular user. It creates a number of session variables that will eventually be used by other scripts. The script also runs a verification code that keeps automated robot logins at bay. Below is a screenshot of the script followed by the code:

See Figure 1

The code for the script is very large and contains a mixture of PHP and HTML, so I will list it section by section:

<?php
//start the session
include('../connect.php');

//check if the form has been submitted
if(isset($_POST['submit'])){
$msg="";

//VALIDATE form information
if(empty($_POST['uname'])){
$msg="Please enter your username.";
}

if(empty($_POST['upass'])){
$msg .="Please enter your password.";
}

if(empty($_POST['number'])){
$msg="Please enter a verification code.";
}

//check length of password
if(strlen($_POST['upass']) > 6){
$msg .="Invalid password.";
}

if(empty($msg)){
//check if the numbers match
if(md5($_POST['number']) == $_SESSION['randval']) {

$sql = "SELECT uid,uname,level,email FROM users WHERE uname ='".$_POST['uname']."'";
$sql .= "AND upass ='".md5($_POST['upass'])."' AND actcode ='".md5(1)."'";

if(!$res = mysql_query($sql)){
$msg.=mysql_error();
}else{
//user exists in system, set the session variables
if (mysql_num_rows($res) == 1) {

while($row = mysql_fetch_assoc($res)){
         // the user name and password match,
         $_SESSION['id'] = $row['uid'];
  $_SESSION['uname'] = $_POST['uname'];
  $_SESSION['level'] = $row['level'];
  $_SESSION['email'] = $row['email'];
  $_SESSION['randval'] = "";
         //Now go to the main page
          header('location: ../main.php');
}
}else{
$msg = "Your login details did not match";
}//end numrows check
}//end res check
}else{
$msg = "The verification codes do not match, please check and try again";
}
}//end $msg check
}//end submit check
?>

The code above is perhaps the most important on the page since it is responsible for verifying a user's credentials and interacting with the database, where the user details are stored. Let's take a look at the code. The very first thing the script does is to include the connect.php script. This script contains the database connection details that we need to connect to a MYSQL database; it also starts a session for the user:

We check if the form has been submitted and set some variables:

//check if the form has been submitted if(isset($_POST['submit'])){ $msg="";

The $msg variable is used to record any error messages that we may encounter, and is used throughout this script. As an improvement, try to use a form variable to check if the form has been submitted instead of the submit button as I did here. By using a form variable the user has more choice, in the sense that the form will be submitted whether they press the RETURN button on the keyboard or click on the submit button of the form. Once the form has been submitted all the posted information will be available for us to use, but it will also be available for attackers to use. Therefore, we need to do some data validation to make it as difficult as possible for attackers to break our application. Since we require all the fields to be filled in, we need to do three things:

Check that all form fields are filled in
Check that the form data is of the right type
Check that form data is of the right length, i.e. passwords should be eight characters long, etc.

We know that the user needs to submit the username, password and a verification code. Therefore, we check if the form variable is empty and if so, we set an error message:

Then we check to see if the form variable(s) are of the right length:

Note that for security reasons we set a vague error message such as "Invalid password" instead of something more informative such as "Incorrect password length". This is simply to confuse any attacker.

Once we've validated the form variables, we use our flag variable $msg to check if any errors occurred during form validation. If not, we continue to check if the user submitted password and username exists in our database, and if the account is active. We start by checking if the number code entered by the user is the same as the one shown on the form:

If the number codes match, the code connects to the database to verify the user:

If the user checks out, we need to set the session variables. These include:

user ID- Will be used to determine which parts of the application a user can access
username - Will be displayed on all pages
level - Determines the access level of the user
email - Sets the user email address

Here's how the above information is collected:

If the user details did not match, the following error is displayed:

If the number codes do no match then the following error message is shown:

The HTML Form

The HTML page presents the user with a form that collects the following fields:

Username - Collects the user name
Password-Collects the password
Number Code- Collects the number code

The page also provides the user with links to the registration and password scripts. It has the following code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title>Personalization::Authentication</title>

<link href="../Templates/nbm.css" rel="stylesheet" type="text/css" />
</head>

<body>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="brdr">
  <tr>
    <td class="header">The Online BookMark System </td>
  </tr>
  <tr>
    <td>
	 <form name="form1" method="post" action="login.php" onSubmit="return checkform(this)">
        <table width="81%"  border="0" align="center" cellpadding="0" cellspacing="3">
          <tr>
            <td colspan="3">Login Status:<br /><?php
			
			 if(!empty($msg)){
                        echo "Following errors occurred:<br><b>".$msg."</b><br>";
                        }
						
						
						
						?></td>
          </tr>
          <tr>
            <td width="87">Username</td>
            <td width="300"><input name="uname" type="text" id="uname" size="50" value="<?php 
			if(isset($_POST['uname'])){
			echo $_POST['uname'];
			}
			
			?>"></td>
            <td width="224"><input type="hidden" name="login" /></td>
          </tr>
          <tr>
            <td>Password</td>
            <td><input name="upass" type="password" id="upass" size="50" value="<?php 
			if(isset($_POST['upass'])){
			echo $_POST['upass'];
			}
			
			?>"></td>
            <td class="passcheck"><a href="forgot_pass.php">Forgotten your password?</a>|<a href="register.php">Register</a> </td>
          </tr>
		  <tr>
<td width="87">Enter Number</td>
<td><input name="number" type="text" id="number">
  <font class="bgrnd"><?php echo rangen();?></font>

<span class="smallscript">Case sensitive</span> </td>
<td></td>
</tr>

There are two things worth explaining regarding this page; first is that the form is 'sticky.' In other words, whatever the user types in will remain, even if the page is refreshed, the following code ensures this:

The PHP code inside the HTML form elements retrieves the password and username that the user entered previously. Secondly, the form also has the capability to show error messages:

The code above is also included in the form and prints out all error messages that the script encounters while validating the user.

[next]