0

I just want to make my web like facebook, twitter, etc. where every user has its own page. Is there any easy way to do it without bothering internet security.

From my search on net, I thought php, mysqli, html5,CSS is a way to do. But i don't know how can it be done. It is my first try....

I made database and put

uid..username...password..Uurl(Userurl)

-- phpMyAdmin SQL Dump
-- version 4.1.14
-- http://www.phpmyadmin.net
--
-- Host: 127.0.0.1
-- Erstellungszeit: 11. Jul 2016 um 14:12
-- Server Version: 5.6.17
-- PHP-Version: 5.5.12

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET time_zone = "+00:00";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

--
-- Datenbank: `demos`
--

-- --------------------------------------------------------

--
-- Tabellenstruktur für Tabelle `users`
--

CREATE TABLE IF NOT EXISTS `users` (
  `uid` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL,
  `password` varchar(50) NOT NULL,
  `Uurl` varchar(200) NOT NULL,
  PRIMARY KEY (`uid`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

--
-- Daten für Tabelle `users`
--

INSERT INTO `users` (`uid`, `username`, `password`, `Uurl`) VALUES
(2, 'test', '098f6bcd4621d373cade4e832627b4f6', 'de2bef8b980f92e688c369c45af82584'),
(3, 'demo1', 'fe01ce2a7fbac8fafaed7c982a04e229', '082b82c6e8fcfba13ac0abebcd391a5e');

/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;

login.php

<?php
    session_start();
    include("connection.php"); //Establishing connection with our database

    $error = ""; //Variable for storing our errors.
    if(isset($_POST["submit"]))
    {
        if(empty($_POST["username"]) || empty($_POST["password"]))
        {
            $error = "Both fields are required.";
        }else
        {
            // Define $username and $password
            $username=$_POST['username'];
            $password=$_POST['password'];

            // To protect from MySQL injection
            $username = stripslashes($username);
            $password = stripslashes($password);
            $username = mysqli_real_escape_string($db, $username);
            $password = mysqli_real_escape_string($db, $password);
            $password = md5($password);

            //Check username and password from database
            $sql="SELECT uid FROM users WHERE username='$username' and password='$password'";
            $result=mysqli_query($db,$sql);
            $row=mysqli_fetch_array($result,MYSQLI_ASSOC);

            //If username and password exist in our database then create a session.
            //Otherwise echo error.

            if(mysqli_num_rows($result) == 1)
            {
                $_SESSION['username'] = $username; // Initializing Session
                header("location: home.php"); // Redirecting To Other Page
            }else
            {
                $error = "Incorrect username or password.";
            }

        }
    }

?>

I think I need to change ...

            if(mysqli_num_rows($result) == 1)
            {
                $_SESSION['username'] = $username; // Initializing Session
                header("location: home.php"); // Redirecting To USER PAGE....

But I don't know how can I do it.

Any help? or better idea? I can post more code if required...

Shahgee
  • 3,303
  • 8
  • 49
  • 81
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 11 '16 at 12:29
  • 1
    You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 11 '16 at 12:30
  • 1
    Your are using `MySQLi`, *great!*. Now start using [prepared statements](http://php.net/manual/en/mysqli.prepare.php)! – Script47 Jul 11 '16 at 12:30

0 Answers0