User Personalization with PHP: User Login Personalization::Authentication

In this article, we will be looking at the login page of the application. This is the first page that any user wanting to use our application is going to be faced with and the most important one in this section. This script does the very important job of authenticating a user and can make or break the application in the sense that if it is weak security wise, then any attacker can easily penetrate our application and cause damage. In this case, we will try to make it as difficult as possible for attackers to break our application. Some of the things that we are going to do to strengthen our application is to enforce data validation and make sure that we also put some measures in place to stop SQL injection.

The Login Script

The login script plays a very important role in this application. It is responsible for authenticating and keeping track of the user. Without this page any user will simply be able to store any bookmark and there will be no order, in the sense that when a user wants to view her bookmarks she will see everybody else's bookmarks at the same time because she will not have her bookmarks grouped under her name. In addition to authenticating users, the login script also starts a session for each user that it authenticates successfully, to keep track of this particular user. It creates a number of session variables that will eventually be used by other scripts. The script also runs a verification code that keeps automated robot logins at bay. Below is a screenshot of the script followed by the code:

See Figure 1

The code for the script is very large and contains a mixture of PHP and HTML, so I will list it section by section:

<?php //start the session include('../connect.php'); //check if the form has been submitted if(isset($_POST['submit'])){ $msg=""; //VALIDATE form information if(empty($_POST['uname'])){ $msg="Please enter your username."; } if(empty($_POST['upass'])){ $msg .="Please enter your password."; } if(empty($_POST['number'])){ $msg="Please enter a verification code."; } //check length of password if(strlen($_POST['upass']) > 6){ $msg .="Invalid password."; } if(empty($msg)){ //check if the numbers match if(md5($_POST['number']) == $_SESSION['randval']) { $sql = "SELECT uid,uname,level,email FROM users WHERE uname ='".$_POST['uname']."'"; $sql .= "AND upass ='".md5($_POST['upass'])."' AND actcode ='".md5(1)."'"; if(!$res = mysql_query($sql)){ $msg.=mysql_error(); }else{ //user exists in system, set the session variables if (mysql_num_rows($res) == 1) { while($row = mysql_fetch_assoc($res)){ // the user name and password match, $_SESSION['id'] = $row['uid']; $_SESSION['uname'] = $_POST['uname']; $_SESSION['level'] = $row['level']; $_SESSION['email'] = $row['email']; $_SESSION['randval'] = ""; //Now go to the main page header('location: ../main.php'); } }else{ $msg = "Your login details did not match"; }//end numrows check }//end res check }else{ $msg = "The verification codes do not match, please check and try again"; } }//end $msg check }//end submit check ?>

The code above is perhaps the most important on the page since it is responsible for verifying a user's credentials and interacting with the database, where the user details are stored. Let's take a look at the code. The very first thing the script does is to include the connect.php script. This script contains the database connection details that we need to connect to a MYSQL database; it also starts a session for the user:

//start the session include('../connect.php');

We check if the form has been submitted and set some variables:

//check if the form has been submitted
if(isset($_POST['submit'])){
$msg="";


The $msg variable is used to record any error messages that we may encounter, and is used throughout this script. As an improvement, try to use a form variable to check if the form has been submitted instead of the submit button as I did here. By using a form variable the user has more choice, in the sense that the form will be submitted whether they press the RETURN button on the keyboard or click on the submit button of the form. Once the form has been submitted all the posted information will be available for us to use, but it will also be available for attackers to use. Therefore, we need to do some data validation to make it as difficult as possible for attackers to break our application. Since we require all the fields to be filled in, we need to do three things:

• Check that all form fields are filled in
• Check that the form data is of the right type
• Check that form data is of the right length, i.e. passwords should be eight characters long, etc.

We know that the user needs to submit the username, password and a verification code. Therefore, we check if the form variable is empty and if so, we set an error message:

//VALIDATE form information if(empty($_POST['uname'])){ $msg="Please enter your username.<br/>"; } if(empty($_POST['upass'])){ $msg .="Please enter your password.<br/>"; } if(empty($_POST['number'])){ $msg="Please enter a verification code.<br/>"; }

Then we check to see if the form variable(s) are of the right length:

//check length of password if(strlen($_POST['upass']) > 6){ $msg .="Invalid password.<br/>"; }

Note that for security reasons we set a vague error message such as "Invalid password" instead of something more informative such as "Incorrect password length". This is simply to confuse any attacker.

Once we've validated the form variables, we use our flag variable $msg to check if any errors occurred during form validation. If not, we continue to check if the user submitted password and username exists in our database, and if the account is active. We start by checking if the number code entered by the user is the same as the one shown on the form:

if(empty($msg)){ //check if the numbers match if(md5($_POST['number']) == $_SESSION['randval']) {

If the number codes match, the code connects to the database to verify the user:

$sql = "SELECT uid,uname,level,email FROM users WHERE uname ='".$_POST['uname']."'"; $sql .= "AND upass ='".md5($_POST['upass'])."' AND actcode ='".md5(1)."'"; if(!$res = mysql_query($sql)){ $msg.=mysql_error();

If the user checks out, we need to set the session variables. These include:

• user ID- Will be used to determine which parts of the application a user can access
• username - Will be displayed on all pages
• level - Determines the access level of the user
• email - Sets the user email address

Here's how the above information is collected:

}else{ //user exists in system, set the session variables if (mysql_num_rows($res) == 1) { // the user name and password match, $_SESSION['id'] = $_POST['id']; $_SESSION['uname'] = $_POST['uname']; $_SESSION['level'] = $_POST['level']; $_SESSION['email'] = $_POST['email']; $_SESSION['randval'] = ""; //Now go to the main page header('location: index.php'); }else{

If the user details did not match, the following error is displayed:

$msg = "Your login details did not match"; }//end numrows check }//end res check

If the number codes do no match then the following error message is shown:

}else{ $msg = "The verification codes do not match, please check and try again"; } }//end $msg check }//end submit check

The HTML Form

The HTML page presents the user with a form that collects the following fields:

• Username - Collects the user name
  
• Password-Collects the password
  
• Number Code- Collects the number code

The page also provides the user with links to the registration and password scripts. It has the following code:

xmlns="https://www.w3.org/1999/xhtml"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>Personalization::Authentication</title><link href="../Templates/nbm.html" rel="stylesheet" type="text/css"/><table width="100%" border="0" cellpadding="0" cellspacing="0" class="brdr"><tr><td class="header">The Online BookMark System </td> </tr><tr><td> <form inert name="form1" method="post" action="https://www.webreference.com/programming/php/user_personalization3/login.php" onsubmit="return checkform(this)"> <table width="81%" border="0" align="center" cellpadding="0" cellspacing="3"><tr><td colspan="3">Login Status:<br/><?php if(!empty($msg)){ echo "Following errors occurred:<br/><b>".$msg."</b><br/>"; } ?></td> </tr><tr><td width="87">Username</td> <td width="300"><input name="uname" type="text" id="uname" size="50" value="<?php if(isset($_POST['uname'])){ echo $_POST['uname']; } ?>" placeholder="disabled" disabled="disabled" title="form boxes are disabled in cached version of the site" value="Disabled" style="opacity:0.3;" /></td> <td width="224"><input type="hidden" name="login" placeholder="disabled" disabled="disabled" title="form boxes are disabled in cached version of the site" value="Disabled" style="opacity:0.3;" /></td> </tr><tr><td>Password</td> <td><input name="upass" type="password" id="upass" size="50" value="<?php if(isset($_POST['upass'])){ echo $_POST['upass']; } ?>" placeholder="disabled" disabled="disabled" title="form boxes are disabled in cached version of the site" value="Disabled" style="opacity:0.3;" /></td> <td class="passcheck"><a href="forgot_pass.html">Forgotten your password?</a>|<a href="register.html">Register</a> </td> </tr><tr><td width="87">Enter Number</td> <td><input name="number" type="text" id="number" placeholder="disabled" disabled="disabled" title="form boxes are disabled in cached version of the site" value="Disabled" style="opacity:0.3;" />   <font class="bgrnd"><?php echo rangen();?></font> <span class="smallscript">Case sensitive</span> </td> <td/> </tr><tr><td> </td> <td><input type="submit" name="submit" value="Login" placeholder="disabled" disabled="disabled" title="form boxes are disabled in cached version of the site" value="Disabled" style="opacity:0.3;" /></td> <td> </td> </tr></table></form> </td> </tr><tr><td class="copyright">©2008</td> </tr></table></div></span></div></div> </div> <div id="right"><div class="image square quad" style='margin-bottom:20px;'> <!-- QS-AD: 'imu' start --> <script language="JavaScript"> var t=displayDFPTag("imu"); document.write(t); </script> <!-- QS-AD: 'imu' end --></div> <div id="ssn_widget_container"> <div id="ssn_widget_header"> <h5><img border="0" align="absbottom" alt="Justtechjobs.com" src="https://images.justtechjobs.com/images/webreference.gif"/>Find a programming school near you</h5> </div> <div id="ssn_widget_content"> <form inert id="SSN" name="populate" action="https://www.webreference.com/school-search-results.html" method="get"> <label>Zip Code:</label> <input name="pc" type="text" maxlength="5" value="" style="display:block;float:left;" placeholder="disabled" disabled="disabled" title="form boxes are disabled in cached version of the site" value="Disabled" style="opacity:0.3;" /> <br/><br/> <label>Subject:</label> <select name="sub"> <option value="all">- Select All Subjects -</option> <optgroup label="Computers and Technology"> <option value="compapplications">Computer Applications</option> <option value="comeng">Computer Engineering</option> <option value="comscience">Computer Science</option> <option value="cnp" selected="selected">Computer Prog. - Software Dev.</option> <option value="gameprogramming">Computer Game Programming</option> <option value="webdesign">Web Design</option> <option value="webdevelopment">Web Development</option> <option value="internetsystems">Internet Systems</option> <option value="internetcertification">Internet Certification</option> <option value="databasedesign">Database Design and Development</option> <option value="infosystemsmgmt">Information Systems Management</option> <option value="itprojectmgmt">Information Technology Project Management</option> <option value="networkdesign">Network Design - Development</option> <option value="systemsanalyst">Systems Analyst</option> </select> <br/><br/> <label>Degree:</label> <select name="qual"> <option value="all" selected="selected">- Select All Degrees -</option> <option value="associate">Associate's</option> <option value="bachelor">Bachelor's</option> <option value="master">Master's</option> <option value="doctoral">Doctoral</option> <option value="certificate">Certificates</option> <option value="diploma">Diplomas</option> <option value="coursework">Coursework</option> <option value="mba">MBA</option> </select> <br style="clear:both;"/><br/> <input name="ct" type="radio" value="online" placeholder="disabled" disabled="disabled" title="form boxes are disabled in cached version of the site" value="Disabled" style="opacity:0.3;" />Online <input name="ct" type="radio" value="campus" placeholder="disabled" disabled="disabled" title="form boxes are disabled in cached version of the site" value="Disabled" style="opacity:0.3;" />Campus <input name="ct" type="radio" value="either" checked="checked" placeholder="disabled" disabled="disabled" title="form boxes are disabled in cached version of the site" value="Disabled" style="opacity:0.3;" />Both <br/><br/> <input type="submit" value="Submit" placeholder="disabled" disabled="disabled" title="form boxes are disabled in cached version of the site" value="Disabled" style="opacity:0.3;" /> </form></div> </div><div class="image square quad" style='margin-bottom:20px;'> <!-- QS-AD: 'imu' start --> <script language="JavaScript"> var t=displayDFPTag("imu"); document.write(t); </script> <!-- QS-AD: 'imu' end --></div> <!-- request_uri: '/programming/php/user_personalization3/index.html' --> <div class="articlecategorysummary"> <iframe scrolling="no" frameborder="0" align="middle" src="https://www.webreference.com/sl/assetlisting/?wsn=www.webreference.com&wpu=/programming/php/user_personalization3/index.html&lurl=https://o1.qnsr.com/cgi/r?WT.qs_dlk=WkaVXwrIZ78AAHyIJ7UAAAAS domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com domain=webreference.com;;n=203;c=1395323;s=9530;x=7936;f=201308291521150;u=j;z=TIMESTAMP;k=https://assetform.webreference.com/controller&wpos=AssetListing&lyt=l9&mcss=https://www.webreference.com/imageserver/b2btechleadform/webreference/styles/style_email.css&css=https://www.webreference.com/hqb2b/css/qmp/qmp_default.css&title=Top%20White%20Papers%20and%20Webcasts" name="inneriframe" id="inneriframe" height="820px" width="340px;"></iframe> </div> <script type="text/javascript"> var updateIframe = false; var t = 0; function updateQMPIframe(){ if(!updateIframe) { if($('#inneriframe').contents().find('.asset').length > 0) { if($('#inneriframe').contents().find('#widget-title').text()=='Whitepapers and More'){ $('#inneriframe').contents().find('#widget-title').html('Recommended White Papers and Resources'); //hacky way of changing the QMP widget title } var height = $('#inneriframe').contents().find('#assetsListings').height(); var iframe = document.getElementById('inneriframe'); iframe.setAttribute( 'height', height+50); clearTimeout(t); } else { updateIframe = true; t = setTimeout('updateQMPIframe()', 3000); } } } t = setTimeout('updateQMPIframe()', 5000); </script> </div> </div> <div class="clear"></div> <div id="footer"> <div id="footer_content"> <div id="quad_bottom"class="quad" align='center' style='margin-left:auto;margin-right:auto;width:720px;'> <!-- QS-AD: 'lb' start --> <script language="JavaScript"> var t=displayDFPTag("lb"); document.write(t); </script> <!-- QS-AD: 'lb' end --> </div> <div class="footer_listing">   </div> <div class="footer_listing"> <span class="list-header">WebReference</span> <ul> <li class="first"><a href="../../../js/tips/index.html">Tip Archive</a></li> <li><a href="../../../about.html">About</a></li> <li><a href="../../../sitemap.html">Sitemap</a></li> <li><a href="../../../contact.html">Contact</a></li> <li><a href="../../../accountManagement87fb.html%3FformType=registrationForm.html">Subscribe</a></li> </ul> </div> <div class="footer_listing"> <span class="list-header">Topics</span> <ul> <li class="first"><a href="https://webreference.com/authoring.html">Web Authoring</a></li> <li><a href="../../../internet/index.html">The Internet and the Web</a></li> <li><a href="../../../multimedia/index.html">Multimedia</a></li> <li><a href="https://webreference.com/programming.html">Web Programming</a></li> <li><a href="../../../promotion/index.html">Website Promotion and Marketing</a></li> <li><a href="../../../experts/index.html">Contributors</a></li> </ul> </div> <div class="footer_listing"> <span class="list-header"><a href="https://www.developer.com/"><img src="../../../img/dev.com_logo.png" alt="Developer.com"></a></span> <ul> <li class="first"><a href="../../../terms.html">Terms Of Service</a></li> <li><a href="../../../licensing.html">Licensing and Permissions</a></li> <li><a href="../../../privacy.html">Privacy Policy</a></li> <li><a href="../../../mediakit/index.html">Advertising</a></li> <li><a href="https://e-newsletters.developer.com/">Newsletters</a></li> <!--<li><a href="https://e-newsletters.developer.com/announcement_list.html">E-mail Offers</a></li> --> </ul> </div> <div class="footer_listing">   </div> <div class="clear"></div> <div id="copyright"> Copyright © 2017 QuinStreet Inc. All Rights Reserved. </div> </div> <!-- Google Analytics --> <script> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-48218803-1', 'auto'); ga('send', 'pageview'); </script> <!-- End Google Analytics --> </div> <!-- CREATE AJAX CONTAINERS --> <div id="ajax_alpha"></div> <div id="ajax_beta"></div> <script language="javascript" src="../../../scripts/shCore.js"> </script> <script language="javascript" src="../../../scripts/shBrushPhp.js"> </script> <script language="javascript" src="../../../scripts/shBrushXml.js"> </script> <script language="javascript" src="../../../scripts/shBrushJScript.js"> </script> <script language="javascript"> dp.SyntaxHighlighter.HighlightAll('code'); </script> <!-- FOR LIKE BUTTON --> <script src="https://connect.facebook.net/en_US/all.js#xfbml=1" type="text/javascript"> </script> <div id="fb-root"></div> <script src="https://geoip.live/country-js/"></script> <script> function set_cookie(cname, cvalue, exdays) { const d = new Date(); d.setTime(d.getTime() + (exdays*24*60*60*1000)); let expires = "expires="+ d.toUTCString(); document.cookie = cname + "=" + cvalue + ";" + expires + ";path=/"; } set_cookie("user_country_code", user_country_code, 7); </script> <script type="text/javascript"> var sc_project=11145952; var sc_invisible=1; var sc_security="40b893f9"; </script> <script type="text/javascript" src="//www.statcounter.com/counter/counter.js" async></script> <noscript> <div class="statcounter"> <img class="statcounter" src="//c.statcounter.com/11145952/0/40b893f9/1/" alt="Web Analytics"> </div> </noscript> </body> <!-- Mirrored from www.webreference.com/programming/php/user_personalization3/index.html by HTTrack Website Copier/3.x [XR&CO'2014], Fri, 29 Dec 2017 19:39:50 GMT --> </html>