[Tutorial] Creating a basic user control panel

[Tutorial] Creating a basic user control panel - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8)
+--- Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
+---- Forum: Tutorials (https://sampforum.blast.hk/forumdisplay.php?fid=70)
+---- Thread: [Tutorial] Creating a basic user control panel (/showthread.php?tid=290824)

Pages: 1 2 3

Creating a basic user control panel - System64 - 17.10.2011

Introduction

Hi all,
After one-two week if finshed my UCP, most of it learn from phpAcademy (On *******, visit the!)
and I decide to make tutorial on this forum because I see a lot of people need it! It's pretty easy, just a few steps...
Let's start!

Features

Login form
Showing user stats
Logout form

Starting our user control panel

First of all, be sure that you have XAMPP (Or WAMP, I use XAMPP) and create in htdocs folder called eq. ucp
In that folder we will creat our files!

Page Name: config.php
Use: Connecting to MySQL server and selecting the database
Language: PHP

PHP код:



<?php


    $connect = mysql_connect("localhost", "root", "") or die("I can't connect to the server!"); //connecting to mysql, change setting if you have to

    mysql_select_db("sa:mp") or die ("I can't find the database!"); //selecting database, change name to your database name!

    

    function sanitize($string) //function for sanitize from xss and mysql and csrf... Thanks to XFlawless

    { 

        $string = strip_tags($string); 

        $string = mysql_real_escape_string($string); 

        return $string; 

    }


?>

Page Name: login.php you can also call it index.php if you want just login and showing stats in your ucp...
Use: Creating form for loging user
Language: PHP

PHP код:



<?php


include("config.php"); //including our config.php where is connecting to mysql...

session_start(); //starting session for profile.php (Dunno how to explain better) look little down

error_reporting(0); //without this we will always get some stupid notice that variable isn't defined....


$submit = $_POST['submit']; //variable for submit button, in this variable we save button that player press in <input type='submit' name="submit" value='Login' />....

$username = sanitize($_POST['username']); //variable for username, in this variable we save text that user type in <input type="text" name="username"....

$password = sanitize($_POST['password']); //variable for password, in this variable we save text that user type in <input type="password" name="password"....


if($submit) //if he press submit button

{    

    if($username && $password) //if he type both of username and password not just one of them

    {

        $query = mysql_query("SELECT username, password FROM users WHERE username = '$username'"); //selecting user name and password, change it to your field names,  chage users to your table name, $username means username that he type...

        if(mysql_num_rows($query) == 1) //if user exists

        {

            while($row = mysql_fetch_assoc($query)) //loop thought table that we select in mysql_query

            {

                $dbusername = $row['username']; //setting dbusername as variable from table, change 'username' to your field!

                $dbpassword = $row['password']; //setting dbpassword as variable from table, change 'password' to your field!

            }

            if($username == $dbusername && $password == $dbpassword) //if username is same as one from table and if password is the same as one from table...

            {

                $_SESSION['username'] = $dbusername; //setting session username to one from table, this is useful if you login, that restart your browser and than you go in url where is your profile.php... Anyway this is useful :D

                echo header('location: profile.php'); //redirecting user to his profile page (profile.php)

            }

            else echo "Wrong password!"; //else if user type wrong password he will get this...

        }

        else echo "Username doesn't exist!"; //if username doesn't exist in table user will get this

    }

    else echo "Type name and password!"; //else if user doesn't type all fields he will get this...

}


?>

Put this in bottom of login.php!

Код HTML:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Basic UCP</title>
//here you can add your design (Remove this line)
<form action='login.php' method='POST'> 
<input type="text" name="username" value='<?php echo $username?>'/> 
<input type="password" name="password"/> 
<input type='submit' name="submit" value='Login' /> 
</form>
</head>
</html>

Page Name: logout.php
Use: Logout user
Language: PHP

PHP код:



<?php


include("config.php"); //including our config.php

session_start(); //starting session

session_destroy(); //destroying it

header('location: login.php'); //redirecting user to login.php


?>

Page Name: profile.php
Use: Showing users stats...
Language: PHP

PHP код:



<?php


include("config.php"); //including our config.php

session_start(); //starting session

error_reporting(0);


if(isset($_SESSION['username'])) //if session is set, so if user is logged in...

{

    $username = $_SESSION['username']; //setting variable username as one from session

    $query = mysql_query("SELECT * FROM users WHERE username = '$username'");  //selecting all from table users where username is name that your is loged in

    echo "Welcome ".$_SESSION['username']; //saying welcome to user!

    while($row = mysql_fetch_assoc($query)) //looping thousgt table to get informations

    {

        $name = $row['username']; //selecting user name, change 'username' to your field name

        $money = $row['money']; //selecting user money, change 'money' to your field name

        $score = $row['score']; //selecting user score, change 'score' to your field name

        $kills = $row['kills']; //selecting user kills, change 'kills' to your field name

        $deaths = $row['deaths']; //selecting user deaths, change 'deaths' to your field name

    }

    echo "<br><br>Name: ".$name."<br> Money: ".$money."<br> Score: ".$score."<br> Kills: ".$kills."<br> Deaths: ".$deaths;

}

else header('location: login.php'); //if user isn't loged in it will redirect him on login.php


?>

Put this in bottom of profile.php!

Код HTML:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Basic UCP</title>
</head>
</html>

Pictures

Ok, here are some pictures of my user control panel...

Login
Profile

Re: Creating a basic user control panel - Lorenc_ - 17.10.2011

mind if someone tries a sql injection on this?

Re: Creating a basic user control panel - Sinner - 17.10.2011

Quote:

Originally Posted by Lorenc_

mind if someone tries a sql injection on this?

Exactly, use mysql_real_escape_string(); for data you use to run queries with at the very least.
Good tutorial though!

Re: Creating a basic user control panel - System64 - 17.10.2011

To be honest, I don't know what it is, so I don't care about that xD

Re: Creating a basic user control panel - Sinner - 17.10.2011

Quote:

Originally Posted by System64

To be honest, I don't know what it is, so I don't care about that xD

You'll care about it if someone erases your entire database, or makes himself admin. I agree it doesn't have to be included in a tutorial but it wouldn't hurt to mention it.

http://en.wikipedia.org/wiki/SQL_injection

Re: Creating a basic user control panel - System64 - 17.10.2011

@Sinner:
You mean soemthing liek this

PHP код:



mysql_real_escape_string($username) = $_POST['username']; //variable for username, in this variable we save text that user type in <input type="text" name="username"....

Re: Creating a basic user control panel - [HiC]TheKiller - 17.10.2011

Quote:

Originally Posted by System64

@Sinner:
You mean soemthing liek this

PHP Code:



mysql_real_escape_string($username) = $_POST['username']; //variable for username, in this variable we save text that user type in <input type="text" name="username"....

Also add htmlentities to avoid XSS injections.

Re: Creating a basic user control panel - System64 - 17.10.2011

@TK:
Than it should be:

PHP Code:



htmlentities(mysql_real_escape_string($username)) = $_POST['username']; //variable for username, in this variable we save text that user type in <input type="text" name="username"...

Re: Creating a basic user control panel - Lorenc_ - 17.10.2011

Quote:

Originally Posted by System64

To be honest, I don't know what it is, so I don't care about that xD

Then you don't care about the community's security and therefore a tutorial like this isn't recommended. Go and look at TheKillers php part in his mysql thread.

Re: Creating a basic user control panel - System64 - 17.10.2011

Quote:

Originally Posted by Lorenc_

Then you don't care about the community's security and therefore a tutorial like this isn't recommended. Go and look at TheKillers php part in his mysql thread.

I will ask my friend about SQL Injection so I will fix it, thanks for reporting guys

Re: Creating a basic user control panel - GloomY - 17.10.2011

Very usefull, thank you very much!

Re: Creating a basic user control panel - System64 - 17.10.2011

Quote:

Originally Posted by Haxby

Very usefull, thank you very much!

Thank you

Tomorrow I'll fix SQL Injection however...

Re: Creating a basic user control panel - System64 - 17.10.2011

PHP Code:



$username = Sanitize($_POST['username']);

I have to do that just for username or for password too?

Edit: I've add it, look at the script now, did i do something wrong?

Re: Creating a basic user control panel - Baboon - 17.10.2011

Quote:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Basic UCP</title>
//here you can add your design (Remove this line)
<form action='login.php' method='POST'>
<input type="text" name="username" value='<?php echo $username?>'/>
<input type="password" name="password"/>
<input type='submit' name="submit" value='Login' />
</form>
</body>
</html>

check the body....
Oh and what about the head?

Re: Creating a basic user control panel - System64 - 17.10.2011

Quote:

Originally Posted by timothyinthehouse

check the body....
Oh and what about the head?

my bad I forgot to close tags... fixed

Re: Creating a basic user control panel - XFlawless - 18.10.2011

PHP Code:



<input type='submit' name="submit" value='Login' /> 

$submit = $_POST['submit']; //variable for submit button, in this variable we save button that player press in <input type='submit' name="submit" value='Login' />....

Why in the world do you need a submit variable it doesn't store any result

PHP Code:



if($submit) //if he press submit button 

{     

    if($username && $password) //if he type both of username and password not just one of them 

    { 

        $query = mysql_query("SELECT username, password FROM users WHERE username = '$username'"); //selecting user name and password, change it to your field names,  chage users to your table name, $username means username that he type... 

        if(mysql_num_rows($query) == 1) //if user exists 

        { 

            while($row = mysql_fetch_assoc($query)) //loop thought table that we select in mysql_query 

            { 

                $dbusername = $row['username']; //setting dbusername as variable from table, change 'username' to your field! 

                $dbpassword = $row['password']; //setting dbpassword as variable from table, change 'password' to your field! 

            } 

            if($username == $dbusername && $password == $dbpassword) //if username is same as one from table and if password is the same as one from table... 

            { 

                $_SESSION['username'] = $dbusername; //setting session username to one from table, this is useful if you login, that restart your browser and than you go in url where is your profile.php... Anyway this is useful :D 

                echo header('location: profile.php'); //redirecting user to his profile page (profile.php) 

            } 

            else echo "Wrong password!"; //else if user type wrong password he will get this... 

        } 

        else echo "Username doesn't exist!"; //if username doesn't exist in table user will get this 

    } 

    else echo "Type name and password!"; //else if user doesn't type all fields he will get this... 

}

You are doing it the messed way, "SELECT username, password from users WHERE username = {$username} AND password = {$password}" would do it.

PHP Code:



if($username == $dbusername && $password == $dbpassword) 

{ 

       session_regenerate_id();// create another session id to prevent from session fixation.

       $_SESSION['username'] = $dbusername; // From here it's vulnerable to session fixation.

       header('location: profile.php'); 

}

Use Jquery plugins like Flowtools form validator, they are easy to explain and validate form.

Re: Creating a basic user control panel - System64 - 18.10.2011

@XFawless - submit because it will always show tyoe name and password

2. Why complicating?

Re: Creating a basic user control panel - XFlawless - 18.10.2011

Quote:

Originally Posted by System64

@XFawless - submit because it will always show type name and password

Submit attribute in html will forward the input content to form action. There's no need for it. If you are not aware of it better go take some tutorials about it.

Re: Creating a basic user control panel - System64 - 18.10.2011

Quote:

Originally Posted by XFlawless

Submit attribute in html will forward the input content to form action. There's no need for it. If you are not aware of it better go take some tutorials about it.

When I move if submit... It always show type username and password.... when I put it, it doesn't

Re: Creating a basic user control panel - DiNorscio - 05.04.2012

This is create on computer or ?

I create on computer and how to upload on web page, where?