2/27/2016
Create MySQL Injection free Secure Login System in PHP - Subin's Blog

Subin's Blog
A 16 Year Old Hacker

Create MySQL Injection free Secure Login System in PHP
Published August 7, 2013
Updated September 24, 2015
Hash, Injection, PDO, Secure

There were a lot of people who created tutorials to create a PHP Login System. But they were all vulnerable to MySQL Injection. In this post I'm going to demonstrate a login system free of this vulnerability. It is very secure. PHP provides mysqli and PDO, whose prepared statements protect against these injections. We are going to use PDO (PHP Data Object).


UPDATE - logSys
There is a new, free, better Advanced Login System which you can check out here.

First of all, create three files named login.php, home.php and logout.php.

Create Users Table

For storing user information you have to create a table named users. Here is the SQL code to create the table.

```sql
CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` text NOT NULL,
  `password` text NOT NULL,
  `psalt` text NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1; -- the AUTO_INCREMENT start value is cut off in the original listing; 1 is the usual default
```

1. The column username is to store the e-mail of the user. This e-mail is used as the username.
2. The column password is to store the user's password, which will be stored as a salted SHA256 hash.
3. The column psalt contains a random text (a per-user salt) that is mixed into the hash so the password can be checked.

Now we should add a user to the table. Execute the following SQL code to create a user.

```sql
INSERT INTO `users` (`id`, `username`, `password`, `psalt`) VALUES (
  NULL,
  'subins2000@gmail.com',
  '4f8ee01c497c8a7d6f44334dc15bd44fe5acea9aed07f67e34a22ec490cfced1',
  's*vl%/?s8b*b4}b/w%w4'
);
```

The user is inserted with the following values: the username is subins2000@gmail.com and the password is subinsiby (the password column holds the salted SHA256 hash, not the password itself).

login.php

Create a login form:

```html
<form method="POST" action="login.php">
<table width="300" cellpadding="4">
<tr><td></td><td colspan="3"><strong>Login</strong></td></tr> <!-- heading text is cut off in the original listing -->
<tr><td width="78">EMail</td><td>:</td><td><input name="mail" type="text"></td></tr>
<tr><td>Password</td><td>:</td><td><input name="pass" type="password"></td></tr>
<tr><td></td><td></td><td><input type="submit" value="Login"></td></tr>
</table>
Login System provided by <a target="_blank" href="http://subinsb.com/">Subin's Blog</a> <!-- link target is cut off in the original listing -->
</form>
```

Now we should add the PHP code to check whether the username and password are correct. You should add the PHP code before </form> we just added in login.php.

```php
<?php
// header() redirects only work before any output has been sent. If this block sits
// after the form, enable output buffering with ob_start() (as the comments below
// discuss) or move the block above the form. Use <?php rather than the short tag
// unless short_open_tag is enabled on your server.
session_start();
if (isset($_SESSION['user']) && $_SESSION['user'] != '') {
    header("Location: home.php");
    exit;
}
// Credentials are placeholders: use your own database user and password.
$dbh = new PDO('mysql:dbname=db;host=127.0.0.1', 'DB_USER', 'DB_PASSWORD');
$email = isset($_POST['mail']) ? $_POST['mail'] : '';
$password = isset($_POST['pass']) ? $_POST['pass'] : '';
if ($email != '' && $password != '') {
    // Prepared statement: the e-mail is bound as a parameter, never interpolated into the SQL.
    $sql = $dbh->prepare("SELECT id, password, psalt FROM users WHERE username = ?");
    $sql->execute(array($email));
    $p = null; $p_salt = ''; $id = null;
    while ($r = $sql->fetch()) {
        $p = $r['password'];
        $p_salt = $r['psalt'];
        $id = $r['id'];
    }
    $site_salt = "subinsblogsalt"; /* Common Salt used for password storing on site. */
    // Concatenation order reconstructed from the truncated listing.
    $salted_hash = hash('sha256', $password . $site_salt . $p_salt);
    if ($p !== null && $p == $salted_hash) {
        $_SESSION['user'] = $id;
        header("Location: home.php");
        exit;
    } else {
        echo "<h2>Username/Password is Incorrect.</h2>";
    }
}
?>
```

home.php

```php
<?php
// The PHP block runs before any HTML is output, otherwise header() fails with
// "headers already sent".
session_start();
if (!isset($_SESSION['user']) || $_SESSION['user'] == '') {
    header("Location: login.php");
    exit;
}
// Credentials are placeholders: use your own database user and password.
$dbh = new PDO('mysql:dbname=db;host=127.0.0.1', 'DB_USER', 'DB_PASSWORD');
$sql = $dbh->prepare("SELECT * FROM users WHERE id = ?");
$sql->execute(array($_SESSION['user']));
?>
<html><head></head>
<body>
<?php
while ($r = $sql->fetch()) {
    // htmlspecialchars() added: the username is user-supplied at registration,
    // so it must not be echoed as raw HTML.
    echo "<center><h2>Hello, " . htmlspecialchars($r['username'], ENT_QUOTES, 'UTF-8') . "</h2></center>";
}
?>
</body>
</html>
```

logout.php

This file is simple. Just add the following:

```php
<?php
session_start();
session_destroy();
?>
```

Now login using subins2000@gmail.com as the username and subinsiby as the password. You will be redirected to home.php and it will greet you with: Hello, subins2000@gmail.com

register.php

What's logging in without registering? Here's a sample Registration page:

```php
<?php
session_start();
if (isset($_SESSION['user']) && $_SESSION['user'] != '') {
    header("Location: home.php");
    exit;
}

/* Generates a random string of $length characters (http://subinsb.com/phpgeneraterandomstring).
   rand() is not a cryptographic generator; random_int() (PHP 7+) is the secure choice. */
function rand_string($length) {
    $str = "";
    // The alphabet is cut off in the original listing; the sample salt 's*vl%/?s8b*b4}b/w%w4'
    // shows the original also contained punctuation characters.
    $chars = "subinsblogabcdefghijklmanopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $size = strlen($chars);
    for ($i = 0; $i < $length; $i++) {
        $str .= $chars[rand(0, $size - 1)];
    }
    return $str;
}
?>
<!DOCTYPE html>
<html>
<head></head>
<body>
<form action="register.php" method="POST">
    <label>EMail <input name="user" type="text"></label>
    <label>Password <input name="pass" type="password"></label>
    <button name="submit">Register</button>
</form>
<?php
if (isset($_POST['submit'])) {
    $musername = "root";
    $mpassword = "backstreetboys";
    $hostname = "127.0.0.1";
    $db = "p";
    $port = 3306;
    $dbh = new PDO('mysql:dbname=' . $db . ';host=' . $hostname . ';port=' . $port, $musername, $mpassword);
    if (isset($_POST['user']) && isset($_POST['pass'])) {
        $password = $_POST['pass'];
        // Prepared statement: the submitted e-mail is bound as a parameter.
        $sql = $dbh->prepare("SELECT COUNT(*) FROM `users` WHERE `username` = ?");
        $sql->execute(array($_POST['user']));
        if ($sql->fetchColumn() != 0) {
            die("User Exists");
        } else {
            $p_salt = rand_string(20); /* http://subinsb.com/phpgeneraterandomstring */
            $site_salt = "subinsblogsalt";
            // Concatenation order reconstructed from the truncated listing; must match login.php.
            $salted_hash = hash('sha256', $password . $site_salt . $p_salt);
            $sql = $dbh->prepare("INSERT INTO `users` (`id`, `username`, `password`, `psalt`) VALUES (NULL, ?, ?, ?)");
            $sql->execute(array($_POST['user'], $salted_hash, $p_salt));
            echo "Successfully Registered.";
        }
    }
}
?>
</body>
</html>
```
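The registration and login steps above share one hashing scheme. As an added example (not the post's or logSys's own code), here it is factored into functions with the checks a practitioner would want: the per-user salt comes from random_int(), the comparison uses hash_equals(), and the same flow is shown with PHP's built-in password_hash()/password_verify(). SITE_SALT reuses the post's value; the concatenation order password . site_salt . per-user salt is an assumption reconstructed from the truncated listing.

```php
<?php
// Added example, not the post's or logSys's own code. Factors the post's two-salt
// SHA256 scheme into functions and adds the checks a practitioner would want.
// Assumptions: SITE_SALT reuses the post's value; the concatenation order
// password . site_salt . per-user salt is reconstructed from the truncated listing.
// Requires PHP 7+ (random_int, scalar type hints).
const SITE_SALT = 'subinsblogsalt';
// Per-user salt from a CSPRNG (random_int) instead of rand(), which is not
// designed for security use.
function make_user_salt(int $length = 20): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $salt;
}
// The post's hash: SHA256 over password, site salt and per-user salt.
function salted_hash(string $password, string $user_salt): string {
    return hash('sha256', $password . SITE_SALT . $user_salt);
}
// Compare with hash_equals() rather than the post's `$p == $salted_hash`:
// hash_equals() runs in constant time, and PHP's loose == compares two
// numeric-looking strings (e.g. both of the form "0e<digits>") as numbers.
function verify_password(string $password, string $stored_hash, string $user_salt): bool {
    return hash_equals($stored_hash, salted_hash($password, $user_salt));
}
// The same flow with PHP's built-in API (PHP 5.5+): password_hash() picks a
// slow algorithm and embeds its own random salt, so no psalt column is needed.
function modern_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}
function modern_verify(string $password, string $stored): bool {
    return password_verify($password, $stored);
}
// Self-check on constructed values (not the post's sample user).
function self_check(): bool {
    $salt = make_user_salt();
    $stored = salted_hash('correct horse', $salt);
    $modern = modern_hash('correct horse');
    return verify_password('correct horse', $stored, $salt)
        && !verify_password('wrong horse', $stored, $salt)
        && modern_verify('correct horse', $modern)
        && !modern_verify('wrong horse', $modern);
}
echo self_check() ? "all checks passed\n" : "CHECK FAILED\n";
```

Run it with `php example.php`; storing the output of modern_hash() in the password column lets you drop the psalt column and the site salt entirely.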

Note: change the database credentials in the above code.

This login system is 99% secure. It's very hard to crack for a hacker and it's completely MySQL Injection free. It took me less than 1 hour to create this system and write this post. Happy Logging. If you have any problems/suggestions/feedback, just comment. I will help you.


Comments
s.shivasurya, 2 years ago:
And we could use different users for the mysql db connection to enhance security! I mean providing proper privileges!

Rassell, 19 days ago:
Error directing to home page. Hi, after setting session_start() to false, and implementing session_start() at the start of all pages, I still get an error of:
Warning: Cannot modify header information - headers already sent by (output started at /customers/2/a/e/muslimnikkah.co.uk/httpd.www/F... in /customers/2/a/e/muslimnikkah.co.uk/httpd.www/F... on line 448
Warning: Cannot modify header information - headers already sent by (output started at /customers/2/a/e/muslimnikkah.co.uk/httpd.www/F... in /customers/2/a/e/muslimnikkah.co.uk/httpd.www/F... on line 1060

Subin Siby (Author), in reply to Rassell, 18 days ago:
Try enabling PHP short tags: http://stackoverflow.com/quest...
Rassell, in reply to Subin Siby, 17 days ago:
I believe the problem was that I needed to add ob_start() at the top of the page. However, now I find that whenever the user enters the token, he/she will just be redirected to the login page, and after they click login it will just ask them to enter the token again.

Subin Siby (Author), in reply to Rassell, 17 days ago:
Token? What token?

Rassell, in reply to Subin Siby, 16 days ago:
Hi Subin, how would I go about the user getting a verification link via email?

Subin Siby (Author), in reply to Rassell, 16 days ago:
Please ask this in the comments section of http://subinsb.com/phplogsys. I'll reply to you there.

Rassell, in reply to Subin Siby, 16 days ago:
There does not seem to be a comment section on the page.

Subin Siby (Author), in reply to Rassell, 16 days ago:
I have fixed it. The comments now show up. So, please ask this in the comments section of http://subinsb.com/phplogsys

Erkan Dursun, 3 months ago:
$site_salt = "subinsblogsalt"
Hi, what is site_salt? I didn't understand what it is... and I don't know what I change with site_salt?... And thank you for your basic login script...

Subin Siby (Author), in reply to Erkan Dursun, 3 months ago:
Password is encrypted by using two salts:
1. A common site salt: A salt specific to the website. It should be unique and shouldn't be changed once set.
2. Randomly Generated Salt: A salt is generated by using random letters. This salt is saved to DB and is unique for each user.
The difference between the 2 salts is that Site Salt is common for all users.
Erkan Dursun, in reply to Subin Siby, 3 months ago:
Thank you for your reply. I worry about which login system you prefer? I have a simple web site, I will do an admin panel for my site about insert, update, delete contents from the admin panel... and I wanna use your login system... do you prefer this basic login script or your other script, that logSys...

Subin Siby (Author), in reply to Erkan Dursun, 3 months ago:
I recommend using logSys, because it has advanced features, better security, admin panel and more... This post is for getting into the root of a MySQL injection free login system and I wouldn't recommend it on a professional website.

Agung, 3 months ago:
Hello, thanks for help.. I have a problem, there's the screen capture, may you tell me what is wrong? Thank you, nice to know you

Subin Siby (Author), in reply to Agung, 3 months ago:
Enable PHP Short Tag: http://stackoverflow.com/quest...

Logx, 5 months ago:
I have a mini web store :D only show products... but I want a super strong login system like superman :D and I found your solution

Subin Siby (Author), in reply to Logx, 5 months ago:
There is a better, advanced login system with many features (Open
