Blog 13 – Website Start

This project is a proof-of-concept project for an infrastructure and networking major. Making a whole website would turn it into a software development project. Therefore I have decided to create a 2-page site that will demonstrate the functionality of the system I have created. I have decided that a login page will be needed to identify a teacher. It will be used to identify their courses and classes. The second page will display the teacher’s courses, classes and the attendance of the class. I intend to have a table shown at the top with the courses, and when the teacher clicks on a course a table loads below it with the classes in that course. Then, when they click on a class, another table is loaded below it that will show the class’s attendance.
In this blog I will go over the creation of the login page.

Before I started developing the website I needed a program to develop it in. I could use Notepad++, but I find it hard to use as it only has basic features. It also has no form of error checking. I looked into free solutions. One that appeared to look good was Microsoft Expressions. I downloaded and tested it. I found that it was outdated and had very little support for PHP. This is because it is now integrated into Visual Studio, but as a paid edition. In the end I settled on the open source Eclipse. They have a PHP version of their development software. I downloaded and installed it. It worked well with PHP and had error checking. The layout was simple enough to manage. To keep the local files I edited in Eclipse up to date on the web server I used WinSCP and its auto synchronize function.

Now that I had development software, I looked online for examples of PHP login systems. I found a PHP – MySQL Login tutorial on Tutorials Point. This had the features that I wanted to implement. It used PHP sessions to keep the user logged in and provided a way to store data in the session. It also had code to log out the user. But the reason I went for this tutorial as my example to work from is that it had code to verify the session. This meant that if a user hadn’t logged in but typed in the exact URL of one of the pages behind the login wall, they would be instantly redirected back to the login page.

I copied the code into PHP files I had created in Eclipse. It was then just a simple process of modifying the MySQL connection details and changing the queries to match the database. I then added a test account into the database. Once this was done I tested the login and the session handling.
While modifying the login.php code I noticed it had no way to stop SQL injection. This is when a person puts code into text inputs. In some cases the website or database will perform the code’s action. This can allow a person to gain access to sensitive data. When looking for example login systems I came across a tutorial called PHP Login Form with Sessions. In its login code it had a method to combat SQL injection. For someone to SQL inject they have to use slashes, so to stop it you remove any slashes. Below is the section I added;

 // To protect MySQL injection for Security purpose
 $myusername = stripslashes($myusername);
 $mypassword = stripslashes($mypassword);

 

Edit;

Since writing this blog I have been updating it with any additions I have made to the code. I have changed the queries from standard select statements to ones that now call their respective procedures. I’ve also changed the MySQL connection account from the admin one to the user account with just execute permissions.
I have also added an index page.

<html>

<head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="0; url=login.php">
<title>index</title>
</head>

<body>
</body>

</html>

When a user visits the website, the web server will direct them to the index page. Before, I didn’t have one, so you had to type in the URL + /login.php. With the above index page it automatically redirects the user to the login page.

Code;

Current Final Version of the code as of 28/10/2016. I have *** out any sensitive code.

config.php

<?php

$host="******.********.ap-southeast-2.rds.amazonaws.com";
$port=3306;
$socket="";
$user="**********";
$password="**********";
$dbname="prjrfid701";

// Create connection
$conn = mysqli_connect($host, $user, $password, $dbname, $port, $socket);
// Check connection
if (!$conn) {
 die("Connection failed: " . mysqli_connect_error());
}

?>

login.php

<?php

error_reporting(E_ERROR | E_WARNING | E_PARSE);

require_once("DB files/config.php");
session_start();

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // username and password sent from form (read from the POST body only)
    $myusername = isset($_POST['username']) ? $_POST['username'] : '';
    $mypassword = isset($_POST['password']) ? $_POST['password'] : '';

    // To protect MySQL injection for Security purpose
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);

    $loginsql = "CALL SelectUserLogin (\"$myusername\",\"$mypassword\")";
    $result = mysqli_query($conn, $loginsql);

    // If result matched $myusername and $mypassword, table row must be 1 row
    // ($result is false when the query itself failed)
    if ($result && mysqli_num_rows($result) == 1) {
        $row = mysqli_fetch_assoc($result);
        $_SESSION['login_user'] = $myusername;
        $_SESSION['user_id'] = $row['ID'];   // array key must be a quoted string
        header("location:home.php");
        exit;   // stop the script once the redirect header is sent
    } else {
        $error = "Your Login Name or Password is invalid";
    }
}
?>
<html>
 
 <head>
 <title>Login Page</title>
 <style type = "text/css">
 body {
 font-family:Arial, Helvetica, sans-serif;
 font-size:14px;
 }
 
 label {
 font-weight:bold;
 width:100px;
 font-size:14px;
 }
 
 .box {
 border:#666666 solid 1px;
 }
 .show{
 display:block; 
 }
 .hide{
 display:none;
 }
 </style>
 
 </head>
 
 <body bgcolor = "#FFFFFF">
 
Login

 

UserName :
Password :

 

</div> </div> </div> </body> </html>

^^ The above text is an example of code injection. I copied in text, but the browser is reading it and trying to turn it into a page. This works the same way with MySQL queries.
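
The login.php listing above concatenates the form values into its CALL statement after running stripslashes(). stripslashes() only removes backslashes, so a double quote in the input still closes the string literal; binding the values as parameters avoids this. The following is an added example, not code from the original post: it assumes the post's SelectUserLogin procedure and the $conn handle from config.php, the function names are hypothetical, and the sample input is constructed.

```php
<?php
// Added example, not the blog's code. Assumes the post's SelectUserLogin
// procedure and the mysqli handle $conn created in config.php.

// The post's approach: stripslashes() removes backslashes only, so quote
// characters pass through unchanged into the SQL text.
function build_login_sql_concat(string $user, string $pass): string
{
    $user = stripslashes($user);
    $pass = stripslashes($pass);
    return "CALL SelectUserLogin (\"$user\",\"$pass\")";
}

// Parameterized form: the statement text is fixed and the values are bound,
// so the server never parses user input as SQL.
function select_user_login(mysqli $conn, string $user, string $pass): ?array
{
    $stmt = mysqli_prepare($conn, "CALL SelectUserLogin(?, ?)");
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, "ss", $user, $pass);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);   // needs the mysqlnd driver
    $row = null;
    if ($result !== false) {
        if (mysqli_num_rows($result) === 1) {
            $row = mysqli_fetch_assoc($result);
        }
        mysqli_free_result($result);
    }
    // A CALL returns an extra status result; drain it before the next query.
    while (mysqli_stmt_more_results($stmt)) {
        mysqli_stmt_next_result($stmt);
    }
    mysqli_stmt_close($stmt);
    return $row;   // null means "no single matching user"
}

// Constructed sample input: a name containing a double quote and a backslash.
// In the printed statement the backslash is gone but the quote remains, which
// ends the string literal early and leaves the rest to be parsed as SQL.
$sample = 'ann"e\\';
echo build_login_sql_concat($sample, 'pw'), PHP_EOL;
```

In login.php, the row returned by select_user_login() for the submitted username and password would take the place of the mysqli_query() result.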

session.php

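<?php
 require_once('DB files/config.php');
 session_start();

 // Send visitors who are not logged in back to the login page before any
 // database work, and stop the script so the protected page is never output
 if (!isset($_SESSION['login_user'])) {
     header("location:login.php");
     exit;
 }

 $user_check = $_SESSION['login_user'];

 // CALL needs parentheses around its argument list
 $ses_sql = mysqli_query($conn, "CALL CheckUserLogin(\"$user_check\")");

 $row = mysqli_fetch_assoc($ses_sql);
?>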

 
