Skip to main content
Code Review

Return to Question

replaced http://stackoverflow.com/ with https://stackoverflow.com/
Source Link

I'm trying to learn PHP/MySQL and the likes, so I've been reading tutorials for PHP login systems. My current iteration is based heavily on one from this website and contains the accepted answer for random salts here here. This is my first thing I've done in MySQL, and my first attempt at PHP besides a tiny Tic-Tac-Toe game.

I'm trying to learn PHP/MySQL and the likes, so I've been reading tutorials for PHP login systems. My current iteration is based heavily on one from this website and contains the accepted answer for random salts here. This is my first thing I've done in MySQL, and my first attempt at PHP besides a tiny Tic-Tac-Toe game.

I'm trying to learn PHP/MySQL and the likes, so I've been reading tutorials for PHP login systems. My current iteration is based heavily on one from this website and contains the accepted answer for random salts here. This is my first thing I've done in MySQL, and my first attempt at PHP besides a tiny Tic-Tac-Toe game.

added 402 characters in body
Source Link
Jamal
  • 35.2k
  • 13
  • 134
  • 238

My config.php:config.php:

My user.php:user.php:

<?php

 class Users {
 public $username = null;
 public $password = null;
 public $salt = null;
 
 public function __construct( $data = array() ) {
 if( isset( $data['username'] ) ) $this->username = mysql_real_escape_string( htmlspecialchars( strip_tags( $data['username'] ) ) );
 if( isset( $data['password'] ) ) $this->password = mysql_real_escape_string( htmlspecialchars( strip_tags( $data['password'] ) ) );

 }
 
 public function storeFormValues( $params ) {
 //store the parameters
 $this->__construct( $params ); 
 }
 
 public function userLogin() {
 $success = false;
 try{
 $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD ); 
 $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

 $sql = "SELECT * FROM users WHERE username = :username LIMIT 1";
 $fetch = $con->prepare( $sql );
 $fetch->bindValue( "username", $this->username, PDO::PARAM_STR );
 $fetch->execute();
 $row = $fetch->fetch(PDO::FETCH_ASSOC);

 if($row){
 $this->salt=$row['salt'];
 if ( hash("sha256", $this->password . $this->salt) == $row['password'])
 {
 $success = true;
 $sql = "UPDATE users SET lastlogin=NOW() WHERE username=:username";
 $fetch = $con->prepare($sql);
 $fetch->bindValue( "username", $this->username, PDO::PARAM_STR );
 $fetch->execute();
 }
 }
 
 $con = null;
 return $success;
 }catch (PDOException $e) {
 echo $e->getMessage();
 return $success;
 }
 }
 
 public function register() {
 $correct = false;
 try {
 $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
 $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

 $this->salt = $this->unique_md5();

 $sql = "INSERT INTO users(username, password,salt,registerdate) VALUES(:username, :password,:salt,NOW())";
 
 $fetch = $con->prepare( $sql );
 
 $fetch->bindValue( "username", $this->username, PDO::PARAM_STR );
 $fetch->bindValue( "password", hash("sha256", $this->password . $this->salt), PDO::PARAM_STR );
 $fetch->bindValue( "salt", $this->salt, PDO::PARAM_STR );
 $fetch->execute();
 return "Registration Successful <br/> <a href='index.php'>Login Now</a>";
 }catch( PDOException $e ) {
 return $e->getMessage();
 }
 }
public function unique_md5() {
 mt_srand(microtime(true)*100000 + memory_get_usage(true));
 return md5(uniqid(mt_rand(), true));
}
 
 }
 
?>

}

?>

# name type collation null default extra 
1 userID int(11) No None AUTO_INCREMENT 
2 username varchar(50) latin1_swedish_ci No None 
3 password varbinary(250) No None 
4 salt varbinary(32) No None 
5 registerdate datetime No None 
6 lastlogin datetime No None 

# name type collation null default extra 
1 userID int(11) No None AUTO_INCREMENT 
2 username varchar(50) latin1_swedish_ci No None 
3 password varbinary(250) No None 
4 salt varbinary(32) No None 
5 registerdate datetime No None 
6 lastlogin datetime No None

$this->salt=$stmt->fetchColumn(3); 

$this->salt=$stmt->fetchColumn(3);

My config.php:

My user.php:

<?php
 class Users {
 public $username = null;
 public $password = null;
 public $salt = null;
 
 public function __construct( $data = array() ) {
 if( isset( $data['username'] ) ) $this->username = mysql_real_escape_string( htmlspecialchars( strip_tags( $data['username'] ) ) );
 if( isset( $data['password'] ) ) $this->password = mysql_real_escape_string( htmlspecialchars( strip_tags( $data['password'] ) ) );
 }
 
 public function storeFormValues( $params ) {
 //store the parameters
 $this->__construct( $params ); 
 }
 
 public function userLogin() {
 $success = false;
 try{
 $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD ); 
 $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
 $sql = "SELECT * FROM users WHERE username = :username LIMIT 1";
 $fetch = $con->prepare( $sql );
 $fetch->bindValue( "username", $this->username, PDO::PARAM_STR );
 $fetch->execute();
 $row = $fetch->fetch(PDO::FETCH_ASSOC);
 if($row){
 $this->salt=$row['salt'];
 if ( hash("sha256", $this->password . $this->salt) == $row['password'])
 {
 $success = true;
 $sql = "UPDATE users SET lastlogin=NOW() WHERE username=:username";
 $fetch = $con->prepare($sql);
 $fetch->bindValue( "username", $this->username, PDO::PARAM_STR );
 $fetch->execute();
 }
 }
 
 $con = null;
 return $success;
 }catch (PDOException $e) {
 echo $e->getMessage();
 return $success;
 }
 }
 
 public function register() {
 $correct = false;
 try {
 $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
 $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
 $this->salt = $this->unique_md5();
 $sql = "INSERT INTO users(username, password,salt,registerdate) VALUES(:username, :password,:salt,NOW())";
 
 $fetch = $con->prepare( $sql );
 
 $fetch->bindValue( "username", $this->username, PDO::PARAM_STR );
 $fetch->bindValue( "password", hash("sha256", $this->password . $this->salt), PDO::PARAM_STR );
 $fetch->bindValue( "salt", $this->salt, PDO::PARAM_STR );
 $fetch->execute();
 return "Registration Successful <br/> <a href='index.php'>Login Now</a>";
 }catch( PDOException $e ) {
 return $e->getMessage();
 }
 }
public function unique_md5() {
 mt_srand(microtime(true)*100000 + memory_get_usage(true));
 return md5(uniqid(mt_rand(), true));
}

}

?>

# name type collation null default extra 
1 userID int(11) No None AUTO_INCREMENT 
2 username varchar(50) latin1_swedish_ci No None 
3 password varbinary(250) No None 
4 salt varbinary(32) No None 
5 registerdate datetime No None 
6 lastlogin datetime No None 

$this->salt=$stmt->fetchColumn(3);

config.php:

user.php:

<?php

 class Users {
 public $username = null;
 public $password = null;
 public $salt = null;
 
 public function __construct( $data = array() ) {
 if( isset( $data['username'] ) ) $this->username = mysql_real_escape_string( htmlspecialchars( strip_tags( $data['username'] ) ) );
 if( isset( $data['password'] ) ) $this->password = mysql_real_escape_string( htmlspecialchars( strip_tags( $data['password'] ) ) );

 }
 
 public function storeFormValues( $params ) {
 //store the parameters
 $this->__construct( $params ); 
 }
 
 public function userLogin() {
 $success = false;
 try{
 $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD ); 
 $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

 $sql = "SELECT * FROM users WHERE username = :username LIMIT 1";
 $fetch = $con->prepare( $sql );
 $fetch->bindValue( "username", $this->username, PDO::PARAM_STR );
 $fetch->execute();
 $row = $fetch->fetch(PDO::FETCH_ASSOC);

 if($row){
 $this->salt=$row['salt'];
 if ( hash("sha256", $this->password . $this->salt) == $row['password'])
 {
 $success = true;
 $sql = "UPDATE users SET lastlogin=NOW() WHERE username=:username";
 $fetch = $con->prepare($sql);
 $fetch->bindValue( "username", $this->username, PDO::PARAM_STR );
 $fetch->execute();
 }
 }
 
 $con = null;
 return $success;
 }catch (PDOException $e) {
 echo $e->getMessage();
 return $success;
 }
 }
 
 public function register() {
 $correct = false;
 try {
 $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
 $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

 $this->salt = $this->unique_md5();

 $sql = "INSERT INTO users(username, password,salt,registerdate) VALUES(:username, :password,:salt,NOW())";
 
 $fetch = $con->prepare( $sql );
 
 $fetch->bindValue( "username", $this->username, PDO::PARAM_STR );
 $fetch->bindValue( "password", hash("sha256", $this->password . $this->salt), PDO::PARAM_STR );
 $fetch->bindValue( "salt", $this->salt, PDO::PARAM_STR );
 $fetch->execute();
 return "Registration Successful <br/> <a href='index.php'>Login Now</a>";
 }catch( PDOException $e ) {
 return $e->getMessage();
 }
 }
public function unique_md5() {
 mt_srand(microtime(true)*100000 + memory_get_usage(true));
 return md5(uniqid(mt_rand(), true));
}
 
 }
 
?>

# name type collation null default extra 
1 userID int(11) No None AUTO_INCREMENT 
2 username varchar(50) latin1_swedish_ci No None 
3 password varbinary(250) No None 
4 salt varbinary(32) No None 
5 registerdate datetime No None 
6 lastlogin datetime No None

$this->salt=$stmt->fetchColumn(3);
edited title
Link
SirPython
  • 13.4k
  • 3
  • 38
  • 93

Please review my PHP MySQL login

deleted 228 characters in body
Source Link
Loading
added 17 characters in body; edited title
Source Link
Jamal
  • 35.2k
  • 13
  • 134
  • 238
Loading
edited title
Link
Loading
Source Link
Loading
default

AltStyle によって変換されたページ (->オリジナル) /