PHP Login Script - FAQ

Frequently asked and answered questions about the PHP login script and login scripts in general.

This is a list of questions that I have answered many times regarding my Secure PHP Login Script (also available for download), Jester's Creating a Login Script with PHP 4, and Creating a Login Script with PHP 4 - Part II.

Note: I called my login script secure because it is more secure than the average PHP login scripts that are available. It is not 100% secure and I don't think there can be such a script at all - you have to choose between security and ease of use, portability, etc.

How to expire the logins in 30 minutes (for example)
Set session.gc_maxlifetime and session.cookie_lifetime to 1800.
How to redirect to another page after the user is logged in
Use header("Location: /foobar") before any output (or turn on output buffering).
Users without cookies cannot log in
For PHP versions before 4.2.0, recompile PHP with --enable-trans-sid; newer versions enable it by default. Then add session.use_trans_sid = on in your php.ini.
I get an already exists error when a user signs up
Modify your id column so that it is auto generated - use auto_increment for MySQL and serial for PostgreSQL.
How to get the IP of the visitor without the last part (the C class network)
Use the following code:
$ip = explode('.', $_SERVER['REMOTE_ADDR']);
array_pop($ip);
$ip = implode('.', $ip);
How to generate a cookie for remember-me logins
Set $uid to the id of the current user and then execute the following code:
$cookie = md5(uniqid(mt_rand(1, mt_getrandmax())));
$cookie = serialize(array($uid, $cookie));

For versions of PHP before 4.2.0 you have to call mt_srand() before using the random number generator.

To send the cookie use setcookie(). Make sure you keep the cookie value in your database.

Note that in my article I have used the username instead of the id but as computers deal with numbers better than strings I recommend using the id.
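
A hardened variant of the remember-me cookie described above, as an added example that is not part of the original script: the token comes from the CSPRNG, only its hash is kept server-side, and the cookie is parsed with a strict pattern instead of being unserialized. It assumes PHP 7.1 or later; the function names are hypothetical and the $store array stands in for the database table.

```php
<?php
// Added example: hypothetical names; $store stands in for a database table
// keyed by user id. Needs PHP 7.1+ (random_bytes(), hash_equals(), ?int).

function issue_remember_token(int $uid, array &$store): string
{
    $token = bin2hex(random_bytes(32));     // 256 bits from the CSPRNG
    $store[$uid] = hash('sha256', $token);  // keep only the hash server-side
    return $uid . '|' . $token;             // plain delimiter, no serialize()
}

function check_remember_token(string $cookie, array &$store): ?int
{
    // Strict format: decimal id, '|', 64 hex characters. Nothing is unserialized.
    if (!preg_match('/\A(\d{1,9})\|([0-9a-f]{64})\z/', $cookie, $m)) {
        return null;
    }
    $uid = (int) $m[1];
    if (!isset($store[$uid])) {
        return null;
    }
    // Constant-time comparison of the stored hash with the presented token's hash.
    if (!hash_equals($store[$uid], hash('sha256', $m[2]))) {
        return null;
    }
    return $uid;
}

// Constructed demonstration values.
$store  = [];
$cookie = issue_remember_token(42, $store);

var_dump(check_remember_token($cookie, $store));                       // valid cookie
var_dump(check_remember_token('42|' . str_repeat('0', 64), $store));   // wrong token
var_dump(check_remember_token('a:2:{i:0;i:42;i:1;s:1:"x";}', $store)); // serialized input

// Sending it (the options array form of setcookie() needs PHP 7.3+):
// setcookie('remember', $cookie, ['expires' => time() + 30 * 86400, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```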

How do I ensure that queries to the database are safe
Use $db->quote('value') where $db is a PEAR::DB instance, or mysql_escape_string() if you are using the native MySQL functions. If you deal with numbers, always cast them explicitly: $value = (int) $value.
How do I ensure that user supplied information I display on the site is secure
Use htmlspecialchars() on the value to escape HTML code.
What does the session_id() function do
It returns the current session id or, if it is a new session, the newly generated id.
I get an error that says I don't have DB.php
Download and install PEAR or ask your system administrator to do it for you; the packages you need to download are PEAR and DB. The files that are required by PEAR::DB are DB.php, PEAR.php, DB/common.php, and DB/mysql.php for a MySQL database, or the corresponding driver file for your database. Make sure that you add the PEAR installation directory to your include_path.
How do I change my PHP configuration
Read Make Your PHP Code Portable for a quick start; more detailed information can be found in the PHP manual.
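
On the 30-minute expiry question above: session.gc_maxlifetime only marks session data as eligible for garbage collection, which does not run on every request, so a session can outlive the configured 1800 seconds. An idle-timeout check enforced in application code, as an added example that is not part of the original script (the function name, the 'uid' and 'last_seen' keys and the /login.php path are hypothetical; plain arrays stand in for $_SESSION in the demo):

```php
<?php
// Added example: hypothetical helper; 'uid' and 'last_seen' are assumed session keys.
const IDLE_LIMIT = 1800; // 30 minutes, matching the php.ini values in the FAQ

// Returns true if the login is still valid and refreshes the timestamp;
// returns false and clears the login data once the idle limit has passed.
function session_still_valid(array &$session, int $now): bool
{
    if (!isset($session['uid'], $session['last_seen'])) {
        $session = [];
        return false;
    }
    if ($now - (int) $session['last_seen'] > IDLE_LIMIT) {
        $session = [];             // drop uid and everything else tied to the login
        return false;
    }
    $session['last_seen'] = $now;  // sliding window: activity extends the login
    return true;
}

// Constructed demonstration with plain arrays standing in for $_SESSION.
$t0     = 1700000000;
$active = ['uid' => 42, 'last_seen' => $t0];
$stale  = ['uid' => 42, 'last_seen' => $t0];

var_dump(session_still_valid($active, $t0 + 600));   // 10 minutes idle
var_dump(session_still_valid($stale,  $t0 + 1801));  // just past 30 minutes
var_dump($stale);                                    // login data after expiry

// In a real page, after session_start():
// if (!session_still_valid($_SESSION, time())) {
//     session_regenerate_id(true);
//     header('Location: /login.php');
//     exit;
// }
```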

Comments

another way to save cookie string

If, like me, you can't understand the serialize thing, you can try this. We make the string of the cookie and separate it with the | char.
$cookie = $_SESSION['username']."|". $_SESSION['cookie'];
Then in the _checkRemembered we use
list($username, $cookie) = explode("|",$cookie);
to get the vars back.
It's another way.

Suppress notices

Just to make sure you don't get any notices if you're using PHP with error_reporting set to E_ALL use this:
@list($username, $cookie) = explode('|', $cookie);
You'll need a check like !empty($username) too.

User & Password login

As I am not a pro-programmer, I was directed to you by a friend who said you will be glad to help.
Anyway, doesn't your login script require all sorts of agreements with the admin's server?
Or can it be easily integrated into an HTML document and subsequently uploaded?

uri_self() in login.php and others - WORKS!

I figured it out. Needed to include functions.php and global.php in login.php. I actually saw the user account form! I started learning PHP two days ago! Good Stuff! I haven't done the whole thing yet, and might need some pointers as I go down the line. Thanks again!

cool login

I got it working after three days of errors. Configured and rearranged some of the code. Works a treat!

This is now getting funny

May I suggest a clear description be written (because I have the same issue) about how, where and what needs to be in what directory in relation to htdocs on an Apache server? And where does PEAR go and - geez there are such a snaggle of parts, but, I am a newbie and only desire clarity from those who know and have suffered before me.

An alternative site to this one!

http://www.evolt.org/article/comment/17/27093/
Good Luck. I know some and I can figure out the rest. If you find this useful, good for you! ;)
-Peace, Chris

check ip of aol user

How to get the IP of the visitor without the last part (the C class network)
Use the following code:
$ip = explode('.', $_SERVER['REMOTE_ADDR']);
array_pop($ip);
$ip = implode('.', $ip);
---
This does not work with AOL 7.0. Any ideas to get it to work?

what the hell...

This is so hard.. I've used the code and it worked fine.. after a few days though.. hello to jobert and webmaster louie[KUPZ]..

I got the script to work. I have a server in my home. If I am logged in on one computer and log in on a second computer using the same username and password, it logs me off of the first computer. Should it not let me log in on the second computer?

The script doesn't have a single login option, so it trashes the first login. That's something that is really dependent on who uses the code and how, some people would want a single login, others would want multiple simultaneous logins, others might want to cancel the first session on a second login. I've taken the last approach.

It is nice work and all works very well. I am wondering if somebody add onblur validation function in this. Regards!!!!!!!!

I'm having a few errors and I don't know what to do, please help... The errors are

Notice: Undefined index: REQUEST_URI in c:\inetpub\wwwroot\php-login-script\htdocs\lib\user.php on line 233

and

Warning: mail(): SMTP server response: 550 5.7.1 Unable to relay for dd28@uakron.edu in c:\inetpub\wwwroot\php-login-script\htdocs\functions.php on line 67

Dear friends, I am new to PHP.
I have installed the login script. After joining myself, I received an email with

" thank you for registering at demosite - http://www.example.org"

My problem is: where can I change/configure the domain name? In which file? Please tell. And also where can I put my secure site?

You can edit the contents of the email in the mail db table (the sql file) or if you have phpMyAdmin or direct connection to the db just issue an update sql statement.

Is it possible to integrate this login script with some other applications, e.g. Moodle? Instead of using the login script that comes with Moodle, I would use this one.

Did anyone do this before? What do you think about it?

Thanks in advance!