[MD5]

If you don't know exactly how to make a protected SQL login/ucp panel, you've come to the right place. But before we get started, we must ensure you know PHP to the point where you're sufficient with snippets of code and how to implement them. DISCLAIMER: I did not create this script, this was originally created by Callum Carmicheal

Step 1.

First we're going to start off by creating a folder named dep, in that folder; we'll make a file called "common.php", put the following code in it below, and input your server(s) saving variables. Be sure to put your correct saving variables exactly where you're supposed to put them.

Код:

<?php 
	// Check if the user is logged in and if not redirect to login.
	function checkLoginAndRedirect() {
		if(empty($_SESSION['user'])) {
			header('Location: login.php');
			die("Redirecting: login.php");
		}
	}
	
	// Check if user is logged in and redirect to dashboard if not login.
	function checkLoginAndRedirectToDashboard() {
		if(empty($_SESSION['user'])) {
			header('Location: login.php');
			die("Redirecting: login.php");
		} else {
			header('Location: dashboard.php');
			die("Redirecting: dashboard.php");
		}
	}
	
	// Get the username of signed in user
	function getUsername() {
		return htmlentities($_SESSION['user']['Your Player Name Variable Here'], ENT_QUOTES, 'UTF-8');
	}
	
	function getUser() {
		return $_SESSION['user'];
	}
	
	
	// TEST IF USER AND PASS AND THEN RETURN THE RESULT AS A BOOLEAN
	function validCreditentials($username, $password) {
		
		/* ======== GLOBAL SETTINGS ======== */
		global $dbHost;		global $dbUsername;   global $dbPassword;	global $dbName; 
		global $dbOptions;	global $dbTableBans;  global $dbTableData;  global $db;
		global $websiteContactEmail;
		/* ======== GLOBAL SETTINGS ======== */ 
		
		$sql = "
			SELECT player_NAME_VARIABLE, PLAYER_PASSWORD
			FROM $dbTableData 
			WHERE player_NAME_VARIABLE = :username AND PLAYER_PASSWORD = :password
			LIMIT 1";
		
		try {
			$query = $db->prepare($sql);
			$query->bindValue(':username', $username);
			$query->bindValue(':password', sha1($password));
			$query->execute();
		} catch(PDOException $ex) {
			die("PDO ERROR on validCreditentials " . $ex->getMessage());
			return false;
		}
		
		$row = $query->fetch(); // hmm
		if($row) { // User and Pass is valid
			return true;
		}
		return false;
	}
	
	function refreashUserInformation() {
		$userInformation = getUserTable(getUsername);
		
		if($userInformation == false) {
			return false;
		} else {
			$session['user'] = $userInformation;
		}
	}


?>

Step 2.

Now you're going to make a page called session.php, also in the folder dep; this will establish a successful connection to your MySQL database, or withdraw an error if something goes wrong. (nothing needed to get changed here)

Код:

<?php 
	include("settings.php");
	
	/* ======== GLOBAL SETTINGS ======== */
	global $dbHost;		global $dbUsername;   global $dbPassword;	global $dbName; 
	global $dbOptions;	global $dbTableBans;  global $dbTableData;  global $db;
	global $websiteContactEmail;
	/* ======== GLOBAL SETTINGS ======== */ 
	
	try {
		$db = new PDO("mysql:host={$dbHost};dbname={$dbName};charset=utf8", $dbUsername, $dbPassword, $dbOptions);
	} catch(PDOException $ex) {
		die("Database is currently offline, please contact the admistrator at " . $websiteContactEmail);
	}
	
	$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
	$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
	
	if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
		function undo_magic_quotes_gpc(&$array) {
			foreach($array as &$value) {
				if(is_array($value)) {
					undo_magic_quotes_gpc($value);
				} else {
					$value = stripcslashes($value);
				}
			}
		}
		
		undo_magic_quotes_gpc($_POST);
		undo_magic_quotes_gpc($_GET);
		undo_magic_quotes_gpc($_COOKIES);
	}
	
	header("Content-Type: text/html; charset=utf8");
	session_start();
?>

Step 3.

Your MySQL connection details will go in this file called (settings.php) and this is also in the folder dep; also added in the define for a contact email for shits and giggles.

Код:

<?php
	/* ======== GLOBAL SETTINGS ======== */
	global $dbHost;		global $dbUsername;   global $dbPassword;	global $dbName; 
	global $dbOptions;	global $dbTableBans;  global $dbTableData;  global $db;
	global $websiteContactEmail;
	/* ======== GLOBAL SETTINGS ======== */ 
	
	/* ======== DATABASE SETTINGS ======== */
	$dbHost			= "localhost";
	$dbUsername 	        = "user";
	$dbPassword 	        = "pass";
	$dbName 		        = "db_name";
	$dbOptions 		        = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8');
	/* ======== DATABASE SETTINGS ======== */
	
	/* ======== WEBSITE SETTINGS ======== */
	$websiteContactEmail = "CONTACT@yourdomain.com";
	/* ======== WEBSITE SETTINGS ======== */

	
?>

Step 4.

Now you're going to make a file called (index.html) in the root of the folder, this will check if credentials are correct; and if so, redirect them to the dashboard and(or) login page again if incorrect.

Код:

<?php 
	require("dep/settings.php");
	require("dep/session.php");
	require("dep/common.php");
	
	checkLoginAndRedirectToDashboard();
?>

Step 5.

Now we're making a page called (login.php), this is where all of the processing of _POST comes in.

Код:

<?php 
	require("dep/settings.php");
	require("dep/session.php");
	require("dep/common.php");
	
	$loginError = false;
	$loginErrorDesc = "";
	if(!empty($_POST)) {
		// Get user sent data
		
		$username = $_POST['username'];
		$password = $_POST['password'];
		if(validCreditentials($username, $password)) {
			$userAccount = getUserTable($username);
			
			if($userAccount == false) {
				$loginError = true;
				$loginErrorDesc = "Could not retrieve account from Database, please try again later";
			} else {
				$_SESSION['user'] = $userAccount;
				
				header('Location: dashboard.php');
				die("Successfully logged in, redirecting to Dashboard.php");
			}
		} else {
			$loginError = true;
			$loginErrorDesc = "username or password is invalid";
		}
	}
	
	
?>

<!DOCTYPE html>
<head>
<?php 
		$Error_Message = '<strong>Error</strong> . $loginErrorDesc . ';
						
		
			if(isset($_POST)) {
				if($loginError) {
					echo $Error_Message; #Concluded in $Error_Message variable.
				}
			}
			?>
</head>

<body>

<form method="POST">
Username:
<input type="text" name="username"> <br />
Password:
<input type="password" name="password"><br />
<input type="submit" value="Submit">
</form>

</body>

Step 6.

Now we're going to make the (dashboard.php) that will also be in the root of your UCP. Add in your money variable and(or) other variables you want to display.

Код:

<?php 
	require("dep/settings.php");
	require("dep/session.php");
	require("dep/common.php");
	
	checkLoginAndRedirect(); // This if you want to see if the user is logged in (it does not redirect to dashboard if logged in)
	//checkLoginAndRedirectToDashboard(); Add this to pages that require a user to be logged in (only use on pages like index.php or auto redirects)
?>
<!DOCTYPE html>
<head>
<meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>UCP | Dashboard</title>
    <meta content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" name="viewport">
</head>

<body>
					
	<h1>Welcome to UCP v1.00, <?php echo getUsername(); ?>!</h1>
	<br />
	<br><br>
	getUser() is just the database results in a row so use getUser()['thecolumn'] to get the result required <br>
	<a href="logout.php">Logout</a> 
	<br><br>
	
	Main Stats
	<br>
	<pre>Current Money: $<?php getUser()['yourMoneyVariable']; ?> </pre>
</body>
</html>

Step 7.

Last page, we're naming this (logout.php) resets your login session; and will require you to login once again.

Код:

<?php 
	require("dep/settings.php");
	require("dep/session.php");
	require("dep/common.php");

	unset($_SESSION['user']);
	checkLoginAndRedirectToDashboard();
?>

If there's any bugs (known) let me know, I'll try to fix - if not ill get Callum to. But don't message me asking what your own saving variables are.

Cheers!

[Ritzy2K]

Thanks a lot! Imma read it..and give a quickie feedback
+rep

[MD5]

Quote:

Originally Posted by [ND]xXZeusXx. Thanks a lot! Imma read it..and give a quickie feedback +rep

Thanks for your testimony.

[Vince]

There are most definitely better ways to do this. In any case the database credentials should definitely not be global, nor should they be repeated in every file. Database error messages should not be sent directly to the output (unless for debugging) as these can contain sensitive information that an attacker may exploit.

I would recommend using a framework. We use CodeIgniter in class and I quite like the way it works. Configure the database settings and autoload the database driver. Very, very simple.

PHP код:

$this->db->where('username', $username);
$query = $this->db->get('player');
$player = $query->row();

echo $player->username;
echo $player->money; 


Takes a bit of getting used to, but you'll come to love it. There's plenty of documentation available.

[N0FeaR]

Good job!

[MD5]

Quote:

Originally Posted by Vince There are most definitely better ways to do this. In any case the database credentials should definitely not be global, nor should they be repeated in every file. Database error messages should not be sent directly to the output (unless for debugging) as these can contain sensitive information that an attacker may exploit. I would recommend using a framework. We use CodeIgniter in class and I quite like the way it works. Configure the database settings and autoload the database driver. Very, very simple. PHP код: $this->db->where('username', $username); $query = $this->db->get('player'); $player = $query->row(); echo $player->username; echo $player->money;  Takes a bit of getting used to, but you'll come to love it. There's plenty of documentation available.

Honestly global credentials wouldn't matter, because they're automatically escaped via PDO. Also for the CodeIginiter, I'll definitely look in to that.

[MD5]

Updated some of it, made it more secured.