#1
Simple php login
OK.
I am using a simple username and password form to pass details to a php file to verify a user. In my mysql database I also have a field called 'url' that I want to pull out and display as a clickable link for each user (the url field is different for each user). Below is what I have so far. What do I need to add to get the url field for a particular user to print on the page - and where do I put it? If someone could copy and paste the below code to demonstrate I would much appreciate it! Form results pass to the following php file:

```php
<head>
<title>db</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<?php
// $username and $password come straight from the form (this relies on
// register_globals; with it off, read them from $_POST instead)
$connection = mysql_connect("localhost", "myusername", "mypassword")
    or die("Couldn't connect to server.");
$db = mysql_select_db("clients", $connection)
    or die("Couldn't select database.");
$sql = "SELECT id FROM login WHERE username='$username' and password='$password'";
$result = mysql_query($sql) or die("Couldn't execute query.");
$num = mysql_num_rows($result);
if ($num == 1) {
    echo "<P>You are a valid user!<br>";
    echo "Your username is $username<br>";
    echo "Your password is $password<br>";
} else if ($num == 0) {
    echo "You are not authorized!";
}
// what do I add to the above code to print the url field (located in the
// same table) when the user is brought to this page?
?>
</body>
```
#2
RE: Simple php login
change:

```php
$sql = "SELECT id FROM login WHERE username='$username' and password='$password'";
```

to:

```php
$sql = "SELECT id,url FROM login WHERE username='$username' and password='$password'";
```

then change:

```php
if ($num == 1) {
    echo "<P>You are a valid user!<br>";
    echo "Your username is $username<br>";
    echo "Your password is $password<br>";
} else if ($num == 0) {
```

to:

```php
if ($num == 1) {
    // fetch the single matched row; $row['url'] holds the url column
    $row = mysql_fetch_array($result);
    echo "<P>You are a valid user!<br>";
    echo "Your username is $username<br>";
    echo "Your password is $password<br>";
    echo "Your url is " . $row['url'] . "<br>";
} else if ($num == 0) {
```
#3
RE: Simple php login
A word of warning: when using variables from a form in a query, ALWAYS use addslashes on the variable first. Otherwise, hackers can exploit your form to manipulate your database.
Note: this does not apply if magic_quotes_gpc is enabled. See http://www.php.net/manual/en/function.addslashes.php and http://www.php.net/manual/en/configuration.php#ini.magic-quotes-gpc
#4
RE: Simple php login
For what it's worth, I tend to use urlencode() followed by str_replace() to change the % into &. It makes your database less easy to use directly, since characters have been encoded, but it catches all SQL metacharacters rather nicely. It does, of course, slow things down slightly, since you'll need to run all strings through an encode/decode function, but speed isn't *everything*.

While on the subject of security, MySQL and Postgresql support a one-way hash function or two, which is worth using if you're always dealing with plain passwords, or else there's a JScript MD5 function available from the web, which allows you to create a fairly secure challenge/response system which works pretty much whenever the browser supports JScript. If you are creating a challenge/response system, then you can either store the plain password in your database, or else store an intermediate hash - take a look at the RFCs for CRAM-MD5 and DIGEST-MD5 to see more details. I'll post some code if people are interested. Finally, bear in mind you'll need some cryptographic component of the URL to enforce that URLs cannot be used without having logged in - again, DIGEST-MD5 gives a lot of hints on how to implement this, but whenever I have, a "replay attack" (sending a snooped request twice, a common attack) and a "refresh" (user hitting Refresh or Reload in their browser) are indistinguishable, which is a pain.
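As an added example that is not part of the thread, here is the challenge/response exchange the post above describes, written in Python so it runs stand-alone: the client answers a random server challenge with HMAC-MD5 keyed by the password (the CRAM-MD5 construction), and the server keeps track of which challenges it has issued and which have already been answered. The server, the user "alice" and the password are constructed for the demo. MD5 is used only because that is what the post and CRAM-MD5 specify; the point shown is the nonce bookkeeping, including the problem the post raises: a snooped response replayed by an attacker and the same response re-sent by the user's Refresh button are byte-for-byte identical on the wire, so the server has no choice but to reject both.

```python
import hashlib
import hmac
import secrets


def client_response(password, challenge):
    """CRAM-MD5 style response: HMAC-MD5 keyed by the password over the challenge."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


class ChallengeServer:
    """Constructed toy server for the demo. Passwords are held in the clear,
    one of the two storage options the post mentions; an intermediate hash
    would plug in at the same place."""

    def __init__(self, users):
        self.users = users          # username -> password (constructed sample data)
        self.outstanding = set()    # challenges issued and not yet answered
        self.consumed = set()       # challenges already answered (a real server would expire these)

    def challenge(self):
        chal = secrets.token_hex(16)   # 128-bit random nonce, fresh per login attempt
        self.outstanding.add(chal)
        return chal

    def verify(self, username, chal, response):
        # A challenge answered twice is rejected whether the second copy came
        # from an eavesdropper or from the user's Refresh button: the request
        # bytes are identical, so the server cannot tell the two apart.
        if chal in self.consumed:
            return "replay"
        if chal not in self.outstanding:
            return "unknown-challenge"
        # Consume the challenge before checking, so a wrong guess burns it too.
        self.outstanding.discard(chal)
        self.consumed.add(chal)
        password = self.users.get(username)
        if password is None:
            return "bad-credentials"
        expected = client_response(password, chal)
        # Constant-time comparison of the two hex digests.
        if hmac.compare_digest(expected, response):
            return "ok"
        return "bad-credentials"


def demo():
    """One honest login, one replay of it, and one wrong-password attempt."""
    server = ChallengeServer({"alice": "s3cret"})
    chal = server.challenge()
    response = client_response("s3cret", chal)
    first = server.verify("alice", chal, response)   # "ok"
    again = server.verify("alice", chal, response)   # "replay": snooped or refreshed, same bytes
    chal2 = server.challenge()
    wrong = server.verify("alice", chal2, client_response("guess", chal2))  # "bad-credentials"
    return first, again, wrong


if __name__ == "__main__":
    print(demo())
```

The server consumes the challenge before it checks the digest, so a failed guess cannot be retried against the same nonce either; the client has to ask for a fresh challenge every time.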
#5
RE: Simple php login
Using addslashes is actually much more efficient than using a custom-written encoding routine. There's also a new mysql_quote function, although I don't know what it does differently. addslashes quotes ', ", \ and NULL so that the values you add to the database will be preserved, while preventing loopholes. If you write your own encode function, you have to decode when you retrieve data. If you use addslashes, you don't have to, and I assure you, it's just as secure. If you have to call stripslashes on data that comes from a MySQL database, chances are you're using magic_quotes_gpc and addslashes.
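To make the warning in posts #3 and #5 concrete, here is an added example that is not part of the thread. It rebuilds the thread's login query on an in-memory SQLite table using Python's sqlite3 module, because that runs anywhere without a MySQL server; the table, the user "alice" and the attacker string are all constructed for the demo. One caveat to keep in mind: PHP's addslashes() produces MySQL-style backslash escapes, which SQLite does not understand (SQLite doubles the quote instead), so the escaping function below follows the SQLite rule. Bound parameters need no dialect-specific rule at all, which is the strongest argument for them.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user with a url column, as in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT, url TEXT)"
    )
    conn.execute(
        "INSERT INTO login (username, password, url) VALUES (?, ?, ?)",
        ("alice", "s3cret", "https://example.com/alice"),
    )
    conn.commit()
    return conn


def login_interpolated(conn, username, password):
    """The thread's query shape: form values pasted straight into the SQL text."""
    sql = (
        f"SELECT id, url FROM login "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(sql).fetchall()


def sqlite_escape(value):
    """Escape for a SQLite string literal by doubling the single quote.
    (addslashes() does the MySQL equivalent with backslashes; the rule is
    dialect-specific, which is exactly why escaping is easy to get wrong.)"""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Escape-then-interpolate, the approach posts #3 and #5 recommend."""
    return login_interpolated(conn, sqlite_escape(username), sqlite_escape(password))


def login_parameterized(conn, username, password):
    """Bound parameters: the values are sent separately and never parsed as SQL."""
    sql = "SELECT id, url FROM login WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


PAYLOAD = "' OR '1'='1"   # constructed attacker input, typed into both form fields


def demo():
    """Run the honest login and the attack against each of the three query styles."""
    conn = make_db()
    return {
        "valid": login_parameterized(conn, "alice", "s3cret"),
        "interpolated_attack": login_interpolated(conn, PAYLOAD, PAYLOAD),
        "escaped_attack": login_escaped(conn, PAYLOAD, PAYLOAD),
        "parameterized_attack": login_parameterized(conn, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload in both fields the interpolated query becomes `WHERE username='' OR '1'='1' AND password='' OR '1'='1'`, which is true for every row, so the attacker gets alice's row and her url without knowing any password. The thread's `$num == 1` check happens to pass because the table has one user; with two users `$num` would be 2 and the check would fail, but only by accident. Both the escaped and the parameterized query return no rows for the same input.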
Viewing: Codewalkers Forums > PHP Related > PHP Coding > Simple php login