Using PHP in pages with the .html extension
I'm trying to create a login form. This is my HTML form code
Personally, I got it for PDO.
Points 4 and 5
$password = mysql_real_escape_string(stripslashes(md5($_POST["password"])));
First, the order of this is wrong. You hash $_POST["password"] and then try to use stripslashes - after hashing there will not be any slashes. However, if you're trying to prevent people from using slashes (or anything else) in passwords, you'll need to remove them before hashing the string.
Second, md5 should not be used as a password hashing algorithm; it has been found to be weak and can be brute-forced to produce string collisions far more easily than it should be.
Yes, you must store hashes or "fingerprints" of passwords, not the passwords themselves, but ideally you want to salt and hash (with at least sha1) those passwords, rather than just throwing them into the md5() function.
And search for "password hash setting" using your search engine of choice.
Point 6
"SELECT id FROM $table WHERE username = '" . $username . "' and password = '" . $password . "'"
I added the = which was missing from the original question, but that's what did not match the username and password in your query... if someone managed to get an SQL injection into your username, the password would never be verified. Consider:
SELECT user.id FROM user WHERE user.username = "fred" OR 1 = 1 -- AND user.password = "abc123"
It is better to select the user's ID and password fingerprint from the database and then evaluate the password in the application, rather than trusting database-level password verification. This also means that you can use a special hashing and salting algorithm within the app itself to verify your passwords.
Point 7
$_SESSION["user"] = $_POST["username"];
This is just storing the username in the session. It should not be used as a "login verifier" in any way, especially if there is (apparently) nothing in your session to prevent hijacking.
The session ID can easily be sniffed from the cookie in real time, and that's all that would be required to "borrow" someone else's username. You should at least try to reduce the likelihood of session hijacking by associating the user's IP address, User-Agent string, or some other combination of relatively static data that can be compared on each page... there are disadvantages to almost any approach (especially, as I've already found, if you have visitors using AOL), but you can build a session fingerprint that is perhaps 99% effective at reducing hijacking, with a very small chance that a user's session will be mistakenly reset.
Ideally you would also create a session token to mitigate CSRF attacks when the user needs to perform a "privileged" action on the database (update their data or something else). The token can be a completely random and unique code stored in a database and/or an SSL cookie when the user logs in (provided that the user cannot perform any actions that update the database outside of HTTPS, as that would simply transmit the data in clear text over the Internet - which would be a bad idea).
The token is placed in a hidden form field for any/all forms and is checked against the value stored in the cookie (or session or database) when that form is submitted. This ensures that the person submitting the form at least has a live session on your website.
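The points above (points 4 and 5 on hashing, point 6 on fetching the fingerprint and verifying it in the application, point 7 on the session and a CSRF token) as one added example in PDO. This is not code from the original answer; it assumes a hypothetical `users` table with `id`, `username` and `password_hash` columns, a placeholder DSN and credentials, and the `username`/`password` form fields from the question. PHP's own `password_hash()`/`password_verify()` stand in for the md5/sha1 discussion.

```php
<?php
// Added example; not from the original answer. Assumes a hypothetical `users`
// table (id, username, password_hash) and a placeholder DSN/credentials.
declare(strict_types=1);

session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Points 4 and 5: no stripslashes()/escaping on the hash; password_hash()
// picks the algorithm (bcrypt or argon2) and generates the salt itself.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Point 6: look the user up by username only, with a bound parameter, and
// compare the password in the application instead of in the WHERE clause.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so the response
    // time does not reveal which usernames exist.
    $storedHash = $row === false ? $dummyHash : $row['password_hash'];
    if (!password_verify($password, $storedHash) || $row === false) {
        return null;
    }

    // Transparently upgrade old hashes when the default cost/algorithm changes.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Point 7: a fresh session id on login (defeats fixation), the user id rather
// than the bare username, and a random token for CSRF checks on privileged forms.
function establishSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['csrf']    = bin2hex(random_bytes(32));
}

function csrfField(): string
{
    $token = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf" value="' . $token . '">';
}

function csrfIsValid(string $submitted): bool
{
    // hash_equals() is a constant-time comparison.
    return isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $submitted);
}

// Login handler for the form in the question.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = authenticate($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($id === null) {
        http_response_code(401);
        exit('Invalid username or password');
    }
    establishSession($id);
    header('Location: /account.php');
    exit;
}
```

Any form that changes data would embed `csrfField()` and its handler would reject the request unless `csrfIsValid($_POST['csrf'] ?? '')` holds; the username never reaches the SQL text, so the `OR 1 = 1` case above cannot arise.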
There could be several problems.
Firstly, in your $match statement you are missing the password equality operator:
$match = "SELECT id FROM $table WHERE username = '" . $username . "' and password '" . $password . "'";
Should be:
$match = "SELECT id FROM $table WHERE username = '" . $username . "' and password = '" . $password . "'";
Secondly, did you insert the password into the database after hashing it with md5?
If not, then your query is trying to match md5(password) against the plain password.
Even when creating a personal website, not everyone can foresee every possible way it will be used later. It is very important to prepare the ground for further development of the site. If you created a website in the past and gave all pages the .html extension by default, and only later decided to use PHP, then read on.
Previously, to use SSI, page names had to end with the .shtml extension, but today most web servers are configured so that SSI works on pages with the .html extension, which is quite convenient. PHP is a different story: .php is its default extension. Developers who know in advance which programming language will be used assign the correct extension from the start.
But what to do when all pages end with the .html extension?
Replace HTML extension with PHP
This can be done in several ways. The most obvious is to give all pages the .php extension, i.e. change the existing extensions (.html, .shtml, etc.). This method has disadvantages. For example, pages already indexed with the .html extension will have to be indexed again by search engines. Or even worse: all external links that point explicitly to a particular page will become invalid. You would have to notify the owner of each linking site about the changes and set up a 301 redirect for each page. Of course, changing one extension to another is acceptable, but what if the site already has many pages and many links to them from other sites?
For exactly this reason, at the moment all pages of this site end with the html extension, and I did not want to make the changes described above and create unnecessary difficulties for myself.
There is another way. If the server hosting the site supports mod_rewrite (in most cases it does) and you have access to the .htaccess file, you can add the following lines to it:
RewriteEngine on
# only rewrite when no real .html file exists, as described below
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)\.html$ $1.php
After adding this to .htaccess you don't have to worry: every request for a non-existent page with a .html extension is automatically rewritten to the .php equivalent, thanks to the wonders of Apache. But this is not the only method. You can write the following in the same .htaccess file instead:
AddHandler application/x-httpd-php .php .html .htm
In my opinion this is the most successful way. It makes HTML pages equivalent to PHP pages, so all PHP functions can now be used in pages with an .html extension. If you don't have access to the .htaccess file, you can write to the hosting company and politely ask the admins to set the required value for the site in the Apache configuration (httpd.conf). Bear in mind that this directive relies on PHP running as an Apache module, and that it turns every .html file on the site into executable PHP, including any that visitors are allowed to upload, so keep upload directories out of its reach.
By the way, if before this the site used SSI as follows:
then in the new PHP state this code needs to be replaced with:
<?php include("file.txt"); ?>
Well, that’s all, I think one of the above methods will help.
PHP is a server-side scripting language that is embedded in HTML. Much of its syntax is borrowed from C, Java and Perl, with a few features unique to PHP added on top. Its main purpose is to generate HTML pages dynamically.
PHP to HTML
When creating complex web pages, you will be faced with the need to combine PHP and HTML to accomplish specific tasks. At first glance, this may seem complicated, since PHP and HTML are two independent disciplines, but this is not so. PHP is designed to interact with HTML, and its code can be included in page markup.
PHP code is included in HTML pages using special tags. When a user opens a page, the server processes the PHP code and then sends the result of the processing (not the PHP code) to the browser.
HTML and PHP are quite easy to combine. Any part of a PHP file outside the PHP tags is ignored by the PHP interpreter and passed directly to the browser. If you look at the example below, you can see that a complete PHP script might look like this:
Hello today.
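An added example, not the page's own code, of a complete page that mixes HTML and PHP in the spirit of the "Hello today" script above: the markup outside the PHP tags is sent to the browser verbatim, and any value that originates from the request is escaped with htmlspecialchars() before it is placed in the HTML. The `name` query parameter and the link list are assumptions made for the example.

```php
<?php
// Added example, not from the original article. Assumes a hypothetical `name`
// query parameter; everything outside the PHP tags goes to the browser as-is.
declare(strict_types=1);

$name  = (string) ($_GET['name'] ?? 'visitor');
$today = date('l, j F Y');

// Escape request-controlled data before it lands in the markup, so a value
// such as "<script>" is shown as text instead of being interpreted.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed navigation entries: file name => link label.
$links = ['index' => 'Home', 'about' => 'About'];
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Hello <?= e($name) ?></title>
</head>
<body>
    <!-- short echo tags emit the escaped value in place -->
    <p>Hello <?= e($name) ?>, today is <?= e($today) ?>.</p>
    <ul>
    <?php foreach ($links as $file => $label): ?>
        <li><a href="<?= e($file) ?>.html"><?= e($label) ?></a></li>
    <?php endforeach; ?>
    </ul>
</body>
</html>
```

Served through either .htaccess method from the article, this file can keep its .html name; the PHP blocks are executed on the server and only the resulting HTML, with the request value already escaped, reaches the browser.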