
I'm trying to create a simple login prompt on my local website. I already tried with JavaScript, but I don't want the password to be hardcoded. The users get the password by mail so there is no registration form needed. I searched on the Internet and I think it should work with PHP and JavaScript. This is what I've come up with:

<SCRIPT>
function passWord() {
    var testV = 1;
    var pass1 = prompt('Enter password', ' ');
    while (testV < 3) {
        if (!pass1) {
            // cancelled prompt: go back and stop, otherwise toLowerCase() runs on null
            window.open('Website.html', "_self");
            return;
        }
        if (pass1.toLowerCase() == "password") {
            alert('Correct!');
            window.open('./test/sitetwo.html', "_self");
            break;
        }
        testV += 1;
        pass1 = prompt('Wrong Password', 'Try again');   // no second var: reuse the variable
    }
    // three wrong attempts (or a cancelled retry): give up
    if (testV == 3 && (!pass1 || pass1.toLowerCase() != "password"))
        return " ";
}
</SCRIPT>
<CENTER>
<FORM>
<input type="button" value="Enter Protected Area" onClick="passWord()">
</FORM>
</CENTER>

Does anyone of you know how to code this? Thank you for your help.

Noël Kra
  • *but I don't want the password to be hardcoded.*, hmm, using a database? or something else to persist the password? – Bagus Tesa Oct 27 '17 at 06:51
  • Don't use JavaScript for password validation, use PHP as it is server-side -> not viewable from the browser/client. – Filnor Oct 27 '17 at 06:53
  • Yeah, I'd like to use MySQL for a Database but I don't know how. – Noël Kra Oct 27 '17 at 06:55
  • If you have to ask so overly broad, then that’s likely due to lack of knowledge of the most basic techniques and best practices involved here ... which means you should not attempt to implement this on your own in the first place. Go with an established solution that you can integrate into your system. Otherwise you’ll likely just be stepping from one newbie mistake into the next. – CBroe Oct 27 '17 at 07:21

2 Answers


A login prompt is just one of the possible approaches to hide information on your website. You have to decide first what you are trying to hide. For instance, if you are providing some paid information to your clients - you can send the information itself by mail (instead of a password). If you want to hide some part of the site from other people - you can just give it a weird url, like site.com/jkhgdsdkgf

Creating a login backend with php and a database obviously requires php, mysql (or other database) and server administration skills and completely depends on the details of your task, so it's hard to provide useful advice here.

Oleg Loginov

In my opinion, you should use a database to store all your credentials (like username, password, etc.)

If you don't know how to do it, you should know that if you want to run your php code, you need a php server and somewhere to put your db.

Here is how to set up a php server with Apache

https://www.ultraedit.com/support/tutorials-power-tips/uestudio/local-php-mysql-dev-environment.html

Here is how to set up a db with PhpMyAdmin https://www.siteground.com/tutorials/phpmyadmin/create-populate-tables/

You need a login.php (where you log in), a test.php page (then you put in it whatever you want) and a check_User.php page (where you check whether the credentials are correct).

Login.php

<html>
<head> <title>Login</title> </head>
<body>
<form action="check_User.php" method="post" id="login_form">
                <!-- USERNAME -->
                <label><b>Username</b></label>
                <input type="text" placeholder="Enter Username" name="username" required>

                <!-- PASSWORD -->
                <label><b>Password</b></label>
                <input type="password" placeholder="Enter Password" name="password" required>

                <!-- LOGIN -->
                <button type="submit">Login</button>
</form>
</body>
</html>

check_User.php

<?php
   session_start();
   $_POST["username"] = htmlspecialchars($_POST["username"]);
   $_POST["password"] = htmlspecialchars($_POST["password"]);
   $link = mysqli_connect("your_host", "your_db_username", "your_db_password", "your_db_name");

   $query = "SELECT username, password 
            FROM your_db_name
            WHERE username = \"".$_POST["username"]."\" AND password = \"".$_POST["password"]."\"
           ";

   // run the query once and collect the matching rows
   $rows = array();
   $result = mysqli_query($link, $query);
   while($row = mysqli_fetch_array($result,MYSQLI_ASSOC)) 
        $rows[] = $row;

   /*   correct match: exactly one row came back (affected_rows is for INSERT/UPDATE/DELETE, not SELECT)  */
   if(mysqli_num_rows($result) == 1)
   {
      $_SESSION["username"] = $_POST["username"];
      $_SESSION["password"] = $_POST["password"];
   }
   if(isset($_SESSION["username"]) && isset( $_SESSION["password"])) {
        header("Location: test.php");
        exit;
   }
   else {
      // alert() is JavaScript, not PHP: send the message in the response instead
      echo "Wrong username or password";
   }
   ?>

test.php

   <?php
   session_start();

    // not logged in, not showing this page (stop the script after the redirect)
    if(!isset($_SESSION["username"]) || !isset($_SESSION["password"])) {
        header("Location: login.php");
        exit;
    }
   ?>

   <html>
   ....whatever you want this page to do
   </html>
Orange Orange
  • Not even anything done against SQL injection, *sigh* ... this is exactly the kind of low-quality and dangerous answer questions like this do _not_ need. – CBroe Oct 27 '17 at 07:22
  • $query = "SELECT username, password FROM your_db_name WHERE username = \"".$_POST["username"]."\"; - wrong!! you should never insert request data into sql. This creates a vulnerability for sql injection. – Oleg Loginov Oct 27 '17 at 07:25
  • I know but he said he doesn't want it to be hardcoded. I usually crypt my $_POST[] data before checking its value with sql, so it's impossible to do a sql injection if the parameter you pass to the query is crypted. To keep this solution but avoid sql injection I edited the answer adding htmlspecialchars – Orange Orange Oct 27 '17 at 07:29
  • Thank you very much! One question, I don't quite understand this line: $link = mysqli_connect("your_host", "your_db_username", "your_db_password", "your_db_name"); . What is meant with "your_host", and the three "your_db_*", are these different databases I have to create? Or tables in a database? – Noël Kra Oct 27 '17 at 07:37
  • @OlegLoginov This site is more a "just for fun" project on my Intranet (NOT accessible over the internet), and it doesn't hold any critical data. Also, how would one have to do it to not be vulnerable to SQL Injections? – Noël Kra Oct 27 '17 at 07:40
  • your_host should be the IP where your database is stored. If this is not a commercial or important project, but you do it just for fun, I really recommend you to download XAMPP, it automatically installs the php server for you and it creates the PhpMyAdmin db. Check https://www.apachefriends.org/index.html If you don't want to be vulnerable to sql injections then you really have to take some time and study a lot on the internet, since there are a lot of different techniques to hack your code. – Orange Orange Oct 27 '17 at 07:43
  • Then if you install XAMPP, your connection line should be something like this $link = mysqli_connect("localhost", "root", "", "db_name"); – Orange Orange Oct 27 '17 at 07:45
  • @NoëlKra A worm can get into your intranet someday... And vulnerabilities like this can easily turn your server into an evil botnet member or worse. Regarding the question - have a look at this answer: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Oleg Loginov Oct 27 '17 at 08:00
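The prepared-statement approach the last comment links to, applied to this answer's check_User.php (an added example, not the answer's own code): it assumes a constructed `users` table with `username` and `password_hash` columns, the hash written by `password_hash()` when the account is created.

```php
<?php
// Added example, not the answer's code: check_User.php with a prepared
// statement and a hashed password column. Assumed (constructed) schema:
//   CREATE TABLE users (username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255));
// Accounts are created with password_hash($plain, PASSWORD_DEFAULT); the
// plaintext password is never stored in the table or in the session.
session_start();

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = mysqli_connect('localhost', 'your_db_username', 'your_db_password', 'your_db_name');

// The user-supplied value is sent as a bound parameter, never spliced into
// the SQL text, so quotes or keywords inside it cannot alter the query.
$stmt = mysqli_prepare($link, 'SELECT password_hash FROM users WHERE username = ?');
mysqli_stmt_bind_param($stmt, 's', $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $hash);
$found = mysqli_stmt_fetch($stmt);   // true when a row matched the username
mysqli_stmt_close($stmt);

// password_verify() checks the candidate against the stored hash; there is
// no plaintext password to compare, so nothing to leak from the table.
if ($found && password_verify($password, $hash)) {
    session_regenerate_id(true);     // fresh session id after authentication
    $_SESSION['username'] = $username;
    header('Location: test.php');
    exit;
}

http_response_code(401);
echo 'Wrong username or password';
```

With this version test.php only needs to check `isset($_SESSION['username'])`, since the session no longer carries the password.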