[PHP, MySQL] SLS - Simple Login System v1
Hello,
Made this simple script... more edits will be available soon with many more features such as AdminCP and user edit.
This is 100% from scratch; it uses SESSIONs, not cookies, since cookies can be hijacked.
It also uses MySQL to store all its info. I have included a db.
Features:
- Login
- - Updates users' coins/points every time a user logs in
- - Starts $_SESSION
- Profile
- - Displays how many coins you have
- - Shows the logout link
- Register
- - Checks if user already exists.
- - Checks if email already exists.
- - Shows an error if a field is not filled in.
- - SHA-1 hashes passwords
- - Checks if email has a @ symbol
- Logout
- - Kills the $_SESSION
Demo: SLS - Index
Download: SLS v1.zip (3.78 KB)
More edits will be released.
Re: [PHP, MySQL] SLS - Simple Login System v1
What are coins for? Making a shop for this system? Nice release XD!
Re: [PHP, MySQL] SLS - Simple Login System v1
Quote: Originally Posted by tycob
What are coins for? Making a shop for this system? Nice release XD!
Idk, rewards; got bored. More coin handling will be done in v2.
Anyway, features coming up for v2:
- Banning system (100% works)
- Admin CP (50%)
- Moods and avatars
- Profiles
- Edit user details
Re: [PHP, MySQL] SLS - Simple Login System v1
Make sure you add in walls like Facebook and a shoutbox XD!! Sorry 'bout that, just giving suggestions.
Re: [PHP, MySQL] SLS - Simple Login System v1
Looks nicely done.
Good job.
Re: [PHP, MySQL] SLS - Simple Login System v1
In the registration form, add AJAX or the post variable in each input textbox, so if the registration fails, the user doesn't have to keep re-entering the data.
AJAX would be better, imo. But whatever.
EDIT: Some things you may want to work on.
It looks like you just ripped that login system from PHP Academy and called it your own, but that's beyond the point.
Call forms by using
PHP Code:
if(isset($_POST['submit'])){}
And put all of the functions inside of that. Don't use mysql_num_rows, or whatever the hell you did.
Also, ALWAYS use mysql_real_escape_string(); for all variables that are going in/out of your database. Mostly in, but just to be safe, do both.
Everything seems okay, besides the login script, and the fact that you're not cleaning variables.
Re: [PHP, MySQL] SLS - Simple Login System v1
Quote: Originally Posted by Aaron
In the registration form, add AJAX or the post variable in each input textbox, so if the registration fails, the user doesn't have to keep re-entering the data.
AJAX would be better, imo. But whatever.
EDIT: Some things you may want to work on.
It looks like you just ripped that login system from PHP Academy and called it your own, but that's beyond the point.
Call forms by using
PHP Code:
if(isset($_POST['submit'])){}
And put all of the functions inside of that. Don't use mysql_num_rows, or whatever the hell you did.
Also, ALWAYS use mysql_real_escape_string(); for all variables that are going in/out of your database. Mostly in, but just to be safe, do both.
Everything seems okay, besides the login script, and the fact that you're not cleaning variables.
Not necessarily.
Making Wrong Code Look Wrong - Joel on Software
Re: [PHP, MySQL] SLS - Simple Login System v1
Because I'm going to read that article.
Re: [PHP, MySQL] SLS - Simple Login System v1
Quote: Originally Posted by Aaron
Because I'm going to read that article.
You should. "Always sterilize" is bad because it's difficult during a code review to spot bugs. If you always sterilize things before they go into a SQL query, you may be spitting them out on the page and think "ah, it's not a SQL query so it's safe"... well, hello XSS, and your site has just been hacked. You may be using them to open a file on disk and the argument specifies path data, and now you've just handed them full read access to your disk (probably), but just securing the input before a query wouldn't make such an error blatantly obvious while writing code nor while reading it.
The point of that article is precisely how you can achieve knowing when you need to sterilize inputs just by a simple naming convention (a take on Hungarian Notation), input from a trusted source is automatically fine, and input from a (potentially) untrusted source is obvious from the code itself, not from state, and so you can very easily spot potential security bugs.
Reading won't hurt you. You might just learn something, too.
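Putting the two pieces of advice in this thread side by side, as an added example that is not SLS's own code and not from the PHP Academy tutorial or the Joel article: Aaron's point that the form handler should live inside an `if(isset($_POST['submit']))` block and re-fill the fields on failure, and the follow-up point that values should be marked by where they came from rather than blindly escaped. Every identifier here is an assumption: a `users` table with `id`, `username`, `password_hash` and `coins` columns, a placeholder DSN in `connect()`, and the `$us`/`$s` prefixes (unsafe request input vs. HTML-safe) borrowed from the naming convention the article describes. SQL parameters are bound with PDO prepared statements, so no `mysql_real_escape_string()` call is needed at all, and the password is stored with `password_hash()` instead of the plain SHA-1 the v1 post mentions.

```php
<?php
// Added example, not part of SLS v1. Assumes a MySQL table:
//   users(id INT PRIMARY KEY, username VARCHAR, email VARCHAR,
//         password_hash VARCHAR(255), coins INT)
// and a login form that posts 'username', 'password' and 'submit'.
//
// Naming convention (a take on Apps Hungarian, as in the linked article):
//   $us...  unsafe: came straight from the request, not encoded for any context
//   $s...   safe for HTML output: has been through encodeForHtml()
// Neither prefix is ever handed to SQL as a string: values reach the
// database only as bound parameters, so no escaping function is applied
// "just in case" and a raw $us variable inside an HTML echo stands out.

function connect(): PDO {
    // Placeholder credentials; substitute your own.
    $db = new PDO('mysql:host=localhost;dbname=sls;charset=utf8mb4', 'sls_user', 'sls_pass');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $db;
}

function encodeForHtml(string $usValue): string {
    // The only place an $us value turns into an $s value.
    return htmlspecialchars($usValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function register(PDO $db, string $usUsername, string $usEmail, string $usPassword): ?string {
    if ($usUsername === '' || $usEmail === '' || $usPassword === '') {
        return 'Please fill in every field.';
    }
    if (filter_var($usEmail, FILTER_VALIDATE_EMAIL) === false) {
        return 'That does not look like an email address.';
    }
    // "User already exists" / "email already exists" checks, as parameterised queries.
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u OR email = :e');
    $stmt->execute([':u' => $usUsername, ':e' => $usEmail]);
    if ((int) $stmt->fetchColumn() > 0) {
        return 'Username or email is already taken.';
    }
    $stmt = $db->prepare('INSERT INTO users (username, email, password_hash, coins) VALUES (:u, :e, :h, 0)');
    $stmt->execute([':u' => $usUsername, ':e' => $usEmail,
                    ':h' => password_hash($usPassword, PASSWORD_DEFAULT)]);
    return null; // no error
}

function login(PDO $db, string $usUsername, string $usPassword): ?array {
    $stmt = $db->prepare('SELECT id, username, password_hash, coins FROM users WHERE username = :u');
    $stmt->execute([':u' => $usUsername]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($usPassword, $row['password_hash'])) {
        return null; // same answer for unknown user and wrong password
    }
    // The "coins on every login" feature, also as a bound parameter.
    $db->prepare('UPDATE users SET coins = coins + 1 WHERE id = :id')->execute([':id' => $row['id']]);
    return $row;
}

session_start();
$sError = '';
$sUsername = '';

// Aaron's point: the whole handler lives inside the isset() check.
if (isset($_POST['submit'])) {
    $usUsername = (string) ($_POST['username'] ?? '');
    $usPassword = (string) ($_POST['password'] ?? '');

    $user = ($usUsername === '' || $usPassword === '')
        ? null
        : login(connect(), $usUsername, $usPassword);

    if ($user !== null) {
        session_regenerate_id(true);          // fresh session id once authenticated
        $_SESSION['user_id'] = $user['id'];
        header('Location: profile.php');
        exit;
    }
    $sError = 'Wrong username or password.';
    // Re-filling the form puts request data into HTML, so it must be encoded first.
    $sUsername = encodeForHtml($usUsername);
}
?>
<form method="post">
  <?php if ($sError !== ''): ?><p><?= $sError ?></p><?php endif; ?>
  <input type="text" name="username" value="<?= $sUsername ?>">
  <input type="password" name="password">
  <input type="submit" name="submit" value="Login">
</form>
```

The prefix does the work the article describes: `<?= $sUsername ?>` reads as correct and `<?= $usUsername ?>` would read as wrong on sight, without anyone having to trace whether an escaping call happened earlier. Because the database only ever sees bound parameters, the same `$us` value needs no separate "cleaning" for SQL, and nothing in the code suggests it is safe for any other context.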
Re: [PHP, MySQL] SLS - Simple Login System v1
Quote: Originally Posted by Aaron
In the registration form, add AJAX or the post variable in each input textbox, so if the registration fails, the user doesn't have to keep re-entering the data.
AJAX would be better, imo. But whatever.
EDIT: Some things you may want to work on.
It looks like you just ripped that login system from PHP Academy and called it your own, but that's beyond the point.
Call forms by using
PHP Code:
if(isset($_POST['submit'])){}
And put all of the functions inside of that. Don't use mysql_num_rows, or whatever the hell you did.
Also, ALWAYS use mysql_real_escape_string(); for all variables that are going in/out of your database. Mostly in, but just to be safe, do both.
Everything seems okay, besides the login script, and the fact that you're not cleaning variables.
Yeah, it was coded very quickly since it only took me about a day, or even 5 hours.
I mostly need to work on making my code neater, and on security; also noob friendly.
Btw, I find YouTube tuts hard to follow, so I actually do research. :)
Re: [PHP, MySQL] SLS - Simple Login System v1
Woah lol, that is too weird, but I like it so thumbs up :D
Re: [PHP, MySQL] SLS - Simple Login System v1
I've read Aaron's post and have secured my SLS system greatly. Now called Sophisticated Login System.
--
Apart from that, I've added a style to my system and added: AdminCP (secured and authenticates rank),
edit password and email (successfully), and also added 'What are coins'.
And demo here:
Winterpartys.ORG
http://img27.imageshack.us/img27/5691/sitepaget.png
I'll release soon; I'll just start/finish the PM system and finish AdminCP.
---
Also fixed the IP ban and user ban, and I know this is very simple, but it never logged the IP, so now it does :)