
php-login's Issues

Hash Salt?

Hello thanks for the great script, just wondering if the password gets salted before it gets inserted into the db, couldn't see a field in the database.

Thanks

Cannot register new user

I am getting the error 'An error occurred... try again' on 'login/signup.php'. From my understanding, the error is coming from 'login/createuser.php' because it is ' //Validation error from empty form variables'. However, I do not have any empty fields.

I have everything set up and in place up to that test. Curious if you can imagine what it is.

Database credentials exposed

Just got this error, of course I need to fix the MySQL permissions, but exposing the password in case of an error is just very dangerous. #security

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'login_script'@'example.com' (using password: YES)' in /(..)/login/includes/dbconn.php:18 Stack trace: #0 /(..)/login/includes/dbconn.php(18): PDO->__construct('mysql:host=*****', 'login_script', '**********') #1 /(..)/login/createuser.php(36): DbConn->__construct() #2 {main} thrown in /(..)/login/includes/dbconn.php on line 18

DDOS the SQL server, try to login with random user/pass, congratulations you'll now know the credentials to the database!!!

I'm using the latest master.

Installer

Create browser-based installer that generates database tables and checks permissions

Illegal string offset

Warning: Illegal string offset 'lastlogin' in /home2/andreilg/public_html/clientes1/login/checklogin.php on line 24
Warning: Illegal string offset 'attempts' in /home2/andreilg/public_html/clientes1/login/checklogin.php on line 30
Warning: Illegal string offset 'attempts' in /home2/andreilg/public_html/clientes1/login/includes/loginform.php on line 12
Warning: Illegal string offset 'lastlogin' in /home2/andreilg/public_html/clientes1/login/includes/loginform.php on line 15
Warning: Illegal string offset 'attempts' in /home2/andreilg/public_html/clientes1/login/checklogin.php on line 42
{"username":"ilges","response":"true"}

Running the login system on localhost (PHP 5.6.24) everything works fine. But running on my webserver (PHP 5.6.27) I get a lot of these Illegal string offset warnings.

And this error is preventing the page from being redirected. If I refresh the page or go manually to the index, everything else works.

Could this be a compatibility issue with the PHP version?

Both passwords on registration are usable

If you create a user and both passwords are different (in my case differing by one '&' character), you can log in with either password. It seems that the hash that is created, for whatever reason, corresponds to both.

If you have enabled "moderator verification" the moderator's email is used to create a new account and likely fails

In the file login/createuser.php there is code:

//Enables moderator verification (overrides user self-verification emails)
if (isset($admin_email)) {
    $newemail = $admin_email;
} else {
    $newemail = $_POST['email'];
}

Then later (line 43) we add:
$response = $a->createUser($newuser, $newid, $newemail, $newpw);

In the case of moderator verification, we are adding the moderator's email, not the user's, and this will fail in short order. We should use this for line 43:

-        $response = $a->createUser($newuser, $newid, $newemail, $newpw);
+        $response = $a->createUser($newuser, $newid, $_POST['email'], $newpw);
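Review bot: the replacement passes $_POST['email'] to createUser with no check that it is set or non-empty, while $newuser and $newpw go through the empty-field validation earlier in createuser.php; add the email to that check, and keep $newemail for the verification mail itself so that, as the comment on the moderator block says, the moderator rather than the new user still receives it when $admin_email is set.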

Innodb

Hello, I'm plugging this into one of my programs; the rest of the tables are MyISAM. Would I have any issues going forward changing the login tables to MyISAM? I don't require any locking or referential integrity checking as such.
Thanks

Does not verify email exists and is registered in the database

Hello, thank you very much for the script:
It is beautiful and works well, but there is a flaw. I do not know programming, but I noticed that with one email you can register more than one username; it does not check whether the email address or the user already exists. Please solve this problem. I do not know how to write in English.

SQL Injection

You are not using prepared statements in the emailPull function.

This allows anybody to execute arbitrary SQL commands to the database; e.g. www.example.com/login/verifyuser.php?v=1&uid=1%27; DELETE FROM members; -- would delete all members from the members table.

We have fixed the SQL injection, using prepared statements (will submit pull request). However, you should probably also use CSRF tokens throughout your site to prevent invalid requests. For example, when somebody signs up they should be given a unique token for completing their verification.
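The two fixes the comment describes, as an added example rather than the project's own code: a uid lookup through a bound parameter, and a per-user verification token that the verify link must carry. It assumes a `members` table with `uid`, `email`, `verified` and a hypothetical `verify_token` column, and PHP 7.1+.

```php
<?php
// Added example, not code from the php-login project. Assumes a `members` table
// with columns uid, email, verified and a hypothetical verify_token column. PHP 7.1+.

// Safe replacement for a lookup by uid: the value travels as a bound parameter,
// never as SQL text, so "1'; DELETE FROM members; --" is just a uid that matches nothing.
function emailPullSafe(PDO $db, string $uid): ?array
{
    $stmt = $db->prepare('SELECT uid, email, verified, verify_token FROM members WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Issued at signup: an unguessable token that the verification link must carry.
function newVerifyToken(PDO $db, string $uid): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE members SET verify_token = :tok WHERE uid = :uid');
    $stmt->execute([':tok' => $token, ':uid' => $uid]);
    return $token;
}

// Marks the account verified only when the presented token matches the stored one
// (hash_equals compares in constant time); the token is single-use.
function verifyWithToken(PDO $db, string $uid, string $token): bool
{
    $row = emailPullSafe($db, $uid);
    if ($row === null || $row['verify_token'] === null || !hash_equals($row['verify_token'], $token)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE members SET verified = 1, verify_token = NULL WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    return $stmt->rowCount() === 1;
}

// Constructed demo on an in-memory SQLite database so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (uid TEXT PRIMARY KEY, email TEXT, verified INTEGER DEFAULT 0, verify_token TEXT)');
$db->exec("INSERT INTO members (uid, email) VALUES ('1', 'user@example.com')");

$token = newVerifyToken($db, '1');
$results = [
    'wrong token'      => verifyWithToken($db, '1', 'not-the-token'),
    'injection as uid' => verifyWithToken($db, "1'; DELETE FROM members; --", $token),
    'members left'     => (int) $db->query('SELECT COUNT(*) FROM members')->fetchColumn(),
    'right token'      => verifyWithToken($db, '1', $token),
];
var_dump($results);
```

The `members left` entry stays at 1 after the injection attempt, which is the whole point of the bound parameter.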

Create a Single initialization/bootstrap PHP file and Configuration Container

Currently, there's lots of configuration info and setup code scattered through different files. There should really only be a single place where configuration and application setup takes place, and it would be a good idea to move your config and setup there. Ideally, your bootstrap file should:

  1. Setup autoloading (currently in includes/functions.php)
  2. autoload any global functions
  3. load all configuration from a separate file
  4. Instantiate any global objects necessary (an application kernel or configuration container, for example)

Then all of your public PHP files only need to include the boostrap file. Instead of including various config files in your class constructors, you can use the configuration container to pull out the specific configuration they need. For example, your DbConn class might look like this:

$database = DbConn::createFromConfig($configContainer);

This also forces you to think more about application architecture because you can't just access everything from everywhere.
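A minimal shape for the bootstrap and configuration container proposed above, written here as an added example and not taken from the project; the class names, the config keys and the `classes/` autoload directory are assumptions.

```php
<?php
// Added example, not the project's own code. Class names, config keys and the
// classes/ directory used by the autoloader are assumptions.
declare(strict_types=1);

// Read-only configuration container: classes ask for the keys they need instead
// of including config files from their constructors.
final class Config
{
    private $values;

    public function __construct(array $values) { $this->values = $values; }

    // Loads a PHP file that returns an array (e.g. config/app.php).
    public static function fromFile(string $path): self
    {
        $values = require $path;
        if (!is_array($values)) {
            throw new RuntimeException("$path must return an array");
        }
        return new self($values);
    }

    public function get(string $key)
    {
        if (!array_key_exists($key, $this->values)) {
            throw new RuntimeException("missing config key: $key");
        }
        return $this->values[$key];
    }
}

final class DbConn
{
    public $conn;

    private function __construct(PDO $conn) { $this->conn = $conn; }

    // The only place that knows which config keys a database connection needs.
    public static function createFromConfig(Config $config): self
    {
        $pdo = new PDO($config->get('db.dsn'), $config->get('db.user'), $config->get('db.password'), [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        return new self($pdo);
    }
}

// bootstrap.php equivalent: autoloading first, then configuration, then global objects.
spl_autoload_register(function (string $class): void {
    $file = __DIR__ . '/classes/' . str_replace('\\', '/', $class) . '.php';
    if (is_file($file)) { require $file; }
});

// Constructed in-memory config so the example runs offline; a real bootstrap
// would call Config::fromFile(__DIR__ . '/config/app.php') instead.
$config = new Config([
    'db.dsn'      => 'sqlite::memory:',
    'db.user'     => null,
    'db.password' => null,
]);
$database = DbConn::createFromConfig($config);
echo $database->conn->query('SELECT 1')->fetchColumn(), PHP_EOL;
```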

Signup form doesn't work

I just installed according to the instructions, but the sign-up form gives me 500 (Internal Server Error) in createuser.php

No verification mail is sent

On localhost it works perfectly, but online tests always result with:
[screenshot]

The user gets created in the database, but no mail is sent. Email settings are the same as when I tried on localhost.

Any ideas? Thanks!

User Session Timeout, how to change it

Hi,
I'm using this and it's great, but I can't find where I can set the timeout of the session.

After 5-10 min it will automatically log out; I want to keep the user logged in for some hours. Is it possible to do it?
I just found these lines, but they don't seem to affect the user session; they are just for security:
//Timeout (in seconds) after max attempts are reached
$login_timeout = 300;

Btw, I like this login script a lot; I suggest you implement a Remember Me function, and maybe a reset password would be good.

Thanks

EDIT
I modified in php.ini the value session.gc_maxlifetime = 43200;
but it doesn't seem to have any effect.

PHP Mailer - sendmail version?

The hosting provider that I'm developing for uses their own internal email server, which is configured using sendmail. I currently have other applications using phpmailer using the sendmail option. Can you provide the steps (or sample config) on how to use this login script using sendmail vs. smtp/pop?

Why are we generating the uid?

Why are we not auto-incrementing the id in the database, but instead generating a uniqid?

uniqid does not guarantee uniqueness of return value, and seems unnecessary in this case.

Add exit to loginheader.php

Hello,

I think it would be a good idea to add exit; to loginheader.php, so the content of the page from which it is called wouldn't get executed in case the user is not logged in.

<?php
//PUT THIS HEADER ON TOP OF EACH UNIQUE PAGE
session_start();
if (!isset($_SESSION['username'])) {
    header("location:login/main_login.php");
    exit;
}

Feature request - Update to bcrypt for password hashing and timing attacks.

Feature request - implementing the more secure bcrypt for password hashing.
http://php.net/manual/en/function.password-hash.php

Additionally, since the password_verify function doesn't get called unless the user is located in the database, a timing attack can be used to determine whether or not the targeted user exists within the database. This behavior can be observed on the login page by the instant response on invalid users versus users that exist in the database. Unfortunately short of implementing an artificial delay, I'm not sure there's a good way of addressing this. Perhaps someone else can chime in on this.
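One way to narrow the gap the comment describes, as an added example that is not the project's code: always run password_verify(), against a pre-computed dummy bcrypt hash when the username does not exist. It also answers the "Hash Salt?" question at the top of the page, since password_hash() stores its own salt inside the hash string. Assumes a `members` table with `username` and `password` columns and PHP 7.1+.

```php
<?php
// Added example, not the project's own code. Assumes a `members` table with
// columns username and password (the password column holds a password_hash() string). PHP 7.1+.

// A bcrypt hash of a throwaway secret, computed once per process. It is verified
// against whenever the username does not exist, so that path costs the same
// bcrypt work as checking a wrong password for a real account.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]));

function registerPassword(PDO $db, string $username, string $plain): void
{
    // bcrypt via password_hash(); the salt is generated and stored inside the hash string
    $hash = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 10]);
    $stmt = $db->prepare('INSERT INTO members (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

function checkLogin(PDO $db, string $username, string $plain): bool
{
    $stmt = $db->prepare('SELECT password FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify: against the stored hash if the user exists,
    // against DUMMY_HASH otherwise. Its result is discarded for unknown users.
    $hash = $row === false ? DUMMY_HASH : $row['password'];
    $ok = password_verify($plain, $hash);
    return $row !== false && $ok;
}

// Constructed demo on an in-memory SQLite database; the timings for an unknown user
// and for a wrong password on a known user should now be close to each other.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
registerPassword($db, 'alice', 'correct horse battery staple');

foreach ([['alice', 'wrong'], ['nobody', 'wrong'], ['alice', 'correct horse battery staple']] as [$u, $p]) {
    $start = microtime(true);
    $ok = checkLogin($db, $u, $p);
    printf("%-7s %-4s %.3fs\n", $u, $ok ? 'ok' : 'fail', microtime(true) - $start);
}
```

This equalises the bcrypt cost but not the database round trip, so some difference can remain; the artificial delay the comment mentions is the complementary measure.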

Feature Request - log in & register with social media

hey, great script.

Just a suggestion: social media register & login, i.e. Facebook / Twitter / Google, would be good to have.

Do you think this may be something you would be able to implement? No rush, as I know you're busy :)

Create user account without email verification?

Is it possible to insert a username and password into the MySQL database manually please?

I would like to use this code to embed user login with RPi Web Cam Interface on a Raspberry Pi (see http://elinux.org/RPi-Cam-Web-Interface). However, rather than setting up an account by configuring SMTP, I'd like to set one up directly during (RPi) installation using bash.

I've already confirmed PHP-Login works well after integrating it into RPi Cam Web Interface, so I want to replace the default .htaccess login with this.

Thanks,

Show the connection error on login page

Right now the error shows only in the developer console. I find it useful to be right on the screen. To get a meaningful error you can add an exception handler. Not sure how it complies with security though.

However, even without exception handling in dbconn.php, I think the user should get an error on main_login.php instead of ajax-loader.gif.

--- a/login/includes/dbconn.php
+++ b/login/includes/dbconn.php
@@ -15,10 +15,17 @@ class DbConn
-        
-        $this->conn = new PDO('mysql:host='.$host.';dbname='.$db_name.';charset=utf8', $username, $password);
-        $this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
+        try {
+
+            $this->conn = new PDO('mysql:host='.$host.';dbname='.$db_name.';charset=utf8', $username, $password);
+            $this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
+        } catch (PDOException $e) {
+            print "Error!: " . $e->getMessage() . "<br/>";
+            die();
+        }
     }
 }
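Review bot: the catch block prints $e->getMessage() straight to the browser, and as the "Database credentials exposed" issue above shows, a PDOException message carries the MySQL user, the host and the DSN; write the exception to the server log with error_log() and print a generic "database unavailable" message instead. Consider rethrowing rather than calling die() in the constructor, so the caller (checklogin.php) can still return the JSON response the login page expects.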

--- a/login/js/login.js
+++ b/login/js/login.js
@@ -25,6 +25,7 @@ $(document).ready(function () {
                 error: function (textStatus, errorThrown) {
                     console.log(textStatus);
                     console.log(errorThrown);
+                    $("#message").html("<div class='alert alert-danger'>" + textStatus.responseText + "</div>");
                 },
                 beforeSend: function () {
                     $("#message").html("<p class='text-center'><img src='images/ajax-loader.gif'></p>");
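Review bot: the value handed to .html() is the raw server response, so any markup in it (PHP fatal errors are emitted with <b> tags, as the "Illegal string offset" output above shows) is rendered unescaped in the page; insert it with .text() on a child element or escape responseText first. Also, the first argument of jQuery's error callback is the jqXHR object, which is why .responseText works even though the parameter is named textStatus; renaming it to jqXHR would avoid the confusion.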

Keep user logged in feature

Hey Fethica,

Are there any plans to add a "keep me logged in" feature?

I think this framework would be perfect if this was added.

Error Creating Users

Fatal error: Can't use function return value in write context in createuser.php on line 25

This is the line in question:

if (isset($_POST['newuser']) && !empty(str_replace(' ', '', $_POST['newuser'])) && isset($_POST['password1']) && !empty(str_replace(' ', '', $_POST['password1']))) {

Can confirm nothing is being written to the database.

Undefined session_is_registered()

Fatal error: Call to undefined function session_is_registered() in ...\main_login.php on line 3

The "session_is_registered" function is deprecated in the newer versions of PHP; the solution:

isset($_SESSION['myusername']) is equivalent to session_is_registered(myusername)

or also

function session_is_registered($x) {
    // look the key up by the variable's value, not the literal string '$x'
    return isset($_SESSION[$x]);
}

Fatal error

Fatal error: Call to undefined function password_verify() in /usr/local/pem/vhosts/100582/webspace/httpdocs/legiskolen.dk/ab/login/scripts/class.loginscript.php on line 65

It seems that class.loginscript.php is the only file containing verify_password(), so I can't figure out where the function is defined

Error Internal with jquery

Hi Fethica! My name is Ludin, I'm from Venezuela.
I am using your login-php code; on my PC (Mac) it works! But on my server (CentOS) it doesn't work.
I don't know why. Can you help me, please?

....

Thank you for answering so quickly!
I managed to find my mistake: it was the Apache php-pdo configuration needed to run this code.
Thank you, excellent contribution!

Logging for Fail2Ban

I'm not a PHP expert, but I have searched for a way to integrate PHP-Login with fail2ban. I added this to checklogin.php:

if ($response != 'true') {

	// write the failed login to the logfile for fail2ban
	$dat = date('M j H:i:s Y');
	$error_message = "Authentication failed for: $username";
	// REMOTE_ADDR is the address the server itself saw; the two proxy headers are
	// supplied by the client and should only be consulted behind a trusted proxy
	$client_ip = $_SERVER['REMOTE_ADDR'];
	if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
		$client_ip = $_SERVER['HTTP_CLIENT_IP'];
	} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
		$client_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
	}
	error_log("[$dat] [WARNING] [client: $client_ip] $error_message\n", 3, "/var/log/php-login/login.log");

}

after line 55.

Is this a good way and place? What do you think? I know you have a 5 min ban after some wrong logins, but I find this a bit safer.

My fail2ban filter looks like this:

[Definition]
failregex = \[WARNING\] \[client: <HOST>\] Authentication failed for: .*$
ignoreregex =

And my jail:

[php-login]
enabled  = true
port     = http,https
filter   = php-login
logpath  = /var/log/php-login/login.log

$admin_email set, verification message doesn't notify user that admin approval is enabled.

To replicate this issue, register an account then set $admin_email to reflect the email address of the previously registered user within config.php. Once this has been done, attempt to register a new user account. Doing so will result in the following error: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '[email protected]' for key 'email_UNIQUE'

This is due to $newemail being populated with $admin_email which is then subsequently used to create the user account. If the admin email has already been used for a prior registration, a duplicate entry violation will occur.

Additionally, when $admin_email is populated and a new user registers, the user isn't notified that admin approval is enabled and will require manual input. The desired result is that the end user will receive a message notifying them of such requirement.

Doesn't work

I downloaded it and placed it in my XAMPP folder,
but when I fill out Signup.php it gives me

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [1045] Access denied for user 'user'@'localhost' (using password: YES)' in C:\xampp\htdocs\clogin\login\includes\dbconn.php:18 Stack trace: #0 C:\xampp\htdocs\clogin\login\includes\dbconn.php(18): PDO->__construct('mysql:host=loca...', 'user', 'password') #1 C:\xampp\htdocs\clogin\login\createuser.php(41): DbConn->__construct() #2 {main} thrown in C:\xampp\htdocs\clogin\login\includes\dbconn.php on line 18

I also created the tables in phpMyAdmin; the stuff posted I pasted into the PHP terminal to auto-create everything. After creating 'login'

Session username always returns myusername

Hey there,

I've been developing a small portal app and tried using your auth system.

Everything works as expected, login/logout/signups work properly. I have protected a few pages, all is well for now.

However, whenever I extract the variable $_SESSION['username'] I am getting "myusername" instead of the username from the database.

I'm not a very good coder but I can get things working; however, I can't find why such a thing happens right now.

Thanks

user session - enhancement

Thank you very much for sharing such a great resource.
Maybe it would be an idea to add how to use the current session into the information.
For example, how to fetch the current users information from the database.

Registration success but no verification email

I am able to register without a problem, the entry shows up in my table, but I never get an email.

I updated the config.php with my host's specific smtp settings.

I imagine it has to do with my "installation" of PHPMailer. I am relatively new to GitHub, so most of the jargon went over my head when reading through its readme. Basically, I just downloaded it, unzipped it and dropped the contents into the phpmailer folder that's inside the scripts folder.

I tried adding the line they suggested to composer.json, but that did nothing. I have a feeling that I missed a large step when it comes to the installation of PHPMailer.

Thanks for any help, sorry I'm still pretty green.

Not continuing to the index page after successful login

After I have a successful login, it does not continue on to the index.php page. It says there is a parse error in the JS and I'm figuring it out. There also does not seem to be a response back from checklogin.php; I am guessing it is coming from the "true" statement not coming through from that page. Any help would be great, thanks!

$admin_email set to previously registered user - new users cannot register.

To replicate this issue, register an account then set $admin_email to reflect the email address of the previously registered user within config.php. Once this has been done, attempt to register a new user account. Doing so will result in the following error: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '[email protected]' for key 'email_UNIQUE'

This is due to $newemail being populated with $admin_email which is then subsequently used to create the user account. If the admin email has already been used for a prior registration, a duplicate entry violation will occur.

Captcha

Implement optional captcha or re-captcha functionality

Parse Error when wrong username

Hello, with the latest version, when you try to log in and you put in the wrong password, you get a parse error and it does not show the "Wrong Username or Password" message.
[screenshot]

Page Stuck at /login/checklogin.php

Hi there,

This seems to be a really awesome login script, I have however run into a slight problem. After successful or even an unsuccessful login attempt I go to the checklogin.php page and do not get redirected to the index.php / main_login.php pages.

It stays at the checklogin.php.

Another question I have is more around when a user has an unsuccessful login. Does the table automatically flush after 5 mins? Or how does the database / form determine that I can now attempt a new login?

And my final question: when clicking Login, the form seems to take a few seconds to process (+/- 5 seconds), even though I do not have any other users in the database at present. Is this something I should be concerned about?

Your assistance is appreciated. :-)...

Add user management functionality

Add user management page that includes:

  • Soft banning (button that throws a record into a new bannedmembers table including ban duration, reason and timestamp)
  • User data search functionality of specific parameters (username, email) or generic search (full user table)... ajax refinement
  • User login history
  • Filter by active, deleted, unverified, banned
    • Undelete, unban, etc functions

PHPMailer Vulnerability

Hello! First I want to say thank you for your nice project!

Maybe you have heard about it: somebody found a critical vulnerability in PHPMailer.

It is fixed already, but I think PHP-Login uses an older version.

Is it a problem to update the PHPMailer?

Error

Hello, I use this resource on my website and I have an error on signup.php:
"Fatal error: Can't use function return value in write context in /data/web/virtuals/52738/virtual/www/subdom/hugeproject/login/createuser.php on line 32" and in main_login.php it doesn't log in.
