Forget SHA1 and MD5
Before you start, let me make this clear: do not use any of these encryption methods. You will understand why over the course of this answer.
Important information
I recommend you read this reply, then read that article by Thiago Belem, then that PHP documentation article itself.
The above links will show why you should not use sha1 or MD5.
In the case of the second link I gave, do not just read it: run what is taught there, and run it again until you understand what is being done. After that, I recommend doing the same with the instructions of the third link, on password_hash.
I won’t reinvent the wheel here, because the first link already has everything you need to know and the rest are the encryption exercises.
I’ll give you an example of a solution for your case, simple and commented so you understand. In the example I will use password_hash, which is the safest method currently.
Example of use
In HTML
<form action="" method="post">
    <label for="login">Login</label>
    <input type="text" name="login" id="login">
    <!-- the label's "for" must match the input's id, otherwise clicking it does nothing -->
    <label for="password">Senha</label>
    <input type="password" name="password" id="password">
    <button type="submit">Fazer login</button>
    <!-- the token is escaped before being placed inside an HTML attribute -->
    <input type="hidden" name="hidden" value="<?php echo htmlspecialchars($_SESSION['formKey']); ?>">
</form>
In the action attribute
you don’t need to put anything, since we will use the same page as the form to validate the data.
If you read the first link I gave you, you should know that the hidden input field serves to hinder CSRF attacks (Cross-site Request Forgery): the form will only be validated if the value of the hidden field is equal to the value of $_SESSION['formKey']. Remember that this $_SESSION value should be changed each time the page is refreshed, after the $_POST has been validated, of course. You will understand in the PHP code.
I recommend you read that article on CSRF attacks.
The labels issue is just one aspect of UX design, where you allow the user to click the label and focus the input.
In PHP
<?php
// Lets us work with sessions; this is useful for validating the hidden
// field and also for keeping the user logged in to the system,
// but that is another topic and I will not cover it here.
session_start();
// Database credentials (named $dbPassword so the form password below
// does not overwrite it)
$hostname = 'localhost';
$username = 'root';
$dbPassword = '123456';
$database = 'meusite';
// Connect to the database
$mysql = mysqli_connect($hostname, $username, $dbPassword, $database);
mysqli_set_charset($mysql, 'utf8');
// If the user clicks submit, the browser makes a POST request and
// this condition is triggered
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Check that the hidden field's value matches the value in the session.
    // hash_equals() does a constant-time comparison, and the session key
    // must exist, otherwise an empty token would match a missing one.
    if (isset($_POST['hidden'], $_SESSION['formKey'])
        && hash_equals($_SESSION['formKey'], (string) $_POST['hidden'])) {
        // Check whether a POST named login and password exists and, if so,
        // remove the spaces at the beginning and end of the string with the
        // trim() function and assign the value to the respective variables.
        // If it does not exist, set the variable to null.
        // If you don't understand how this works, look up TERNARY OPERATOR and the trim() function
        $login = (isset($_POST['login'])) ? trim($_POST['login']) : null;
        $password = (isset($_POST['password'])) ? trim($_POST['password']) : null;
        if (empty($login)) {
            // If the $login variable is empty, do:
            echo 'Por favor, preencha o campo de login';
            exit;
        }
        if (empty($password)) {
            // If the $password variable is empty, do:
            echo 'Por favor, preencha o campo de senha';
            exit;
        }
        // Before comparing anything with the database we use a prepared
        // statement: the login travels as a bound parameter, so it cannot
        // change the SQL and no manual escaping is needed.
        // The password never goes into a query, so it must NOT be escaped or
        // altered, otherwise password_verify() below would fail for passwords
        // containing quotes or backslashes.
        // Remember to mark the login column in the database as UNIQUE
        // so that two equal logins cannot exist.
        // Select the login and password columns from the usuarios table
        // whose login equals the login given in the form.
        $stmt = mysqli_prepare($mysql,
            "SELECT `login`, `password` FROM `usuarios` WHERE `login` = ?");
        mysqli_stmt_bind_param($stmt, 's', $login);
        mysqli_stmt_execute($stmt);
        $result = mysqli_stmt_get_result($stmt);
        $data = [];
        if (!mysqli_num_rows($result)) {
            echo "Usuário não encontrado";
            exit;
        } else {
            // Put the rows returned by the database into an array called $data
            while ($r = mysqli_fetch_assoc($result)) {
                $data[] = $r;
            }
        }
        // Reaching this point, we know the given login exists; now we have
        // to validate the password.
        // Let's assume you used password_hash to hash the password when
        // the user registered.
        if (password_verify($password, $data[0]['password'])) {
            echo "Logado com sucesso!";
        } else {
            echo "Senha incorreta!";
            exit;
        }
        // By doing this we are telling PHP to check whether the given password
        // corresponds to the hash (the "encrypted" password) stored in the database.
    }
}
// Every time the page is refreshed, the hidden field's value changes.
// Below we take 16 bytes from the cryptographically secure random_bytes()
// and encode them as hex. (rand() is predictable and must not be used here.)
$_SESSION['formKey'] = bin2hex(random_bytes(16));
// Why is this enough? Simple. The hidden field's value is not a secret for
// us. It does not need to be hidden, since it will be visible if the user
// clicks "view source"; it only needs to change on every load and be
// impossible to get right with a "guess".
?>
The cake recipe is there, just use it.
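The answer assumes the password was stored with password_hash at registration but never shows that side. The following is an added example, not code from the answer above; it assumes the same `usuarios` table (columns `login` and `password`, the latter at least VARCHAR(255)) and a mysqli connection in `$mysql`, and also shows the upgrade step with password_needs_rehash that a login handler should carry:

```php
<?php
// Added example, not part of the original answer. Assumes the `usuarios`
// table with `login` and `password` columns and a mysqli connection $mysql,
// exactly as in the answer's PHP block.

// Registration: store only the password_hash() output, never the plaintext.
// PASSWORD_DEFAULT is bcrypt today but may change in future PHP versions, and
// the hash string can grow, so the column must be at least VARCHAR(255).
function registerUser(mysqli $mysql, string $login, string $plainPassword): bool
{
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($mysql,
        'INSERT INTO `usuarios` (`login`, `password`) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'ss', $login, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Login: verify, and if the stored hash was produced with an older algorithm
// or a lower cost, replace it now, the only moment we hold the plaintext.
function loginUser(mysqli $mysql, string $login, string $plainPassword): bool
{
    $stmt = mysqli_prepare($mysql,
        'SELECT `password` FROM `usuarios` WHERE `login` = ?');
    mysqli_stmt_bind_param($stmt, 's', $login);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    // One generic outcome for "no such user" and "wrong password", so the
    // page does not reveal which logins exist.
    if (!$found || !password_verify($plainPassword, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($plainPassword, PASSWORD_DEFAULT);
        $upd = mysqli_prepare($mysql,
            'UPDATE `usuarios` SET `password` = ? WHERE `login` = ?');
        mysqli_stmt_bind_param($upd, 'ss', $newHash, $login);
        mysqli_stmt_execute($upd);
        mysqli_stmt_close($upd);
    }
    return true;
}
```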
Besides the HTML, it would be interesting to post some code, some attempt as you did and such, so the staff can give tips beyond that
– Otto
Who voted as too broad could comment on the reason for this.
– Tiago P.C
Tiago, unfortunately this question is too broad for a direct answer that is not based on opinions; it would be interesting if you had a specific question about this issue of logging in with PHP. If you don’t know where to start, Google can help you with this; look at an example: http://www.linhadecodigo.com.br/artigo/3561/criando-um-system-de-register-e-login-com-php-e-mysql.aspx
– Gabriel Rodrigues
I didn’t vote, but it’s too broad anyway!
– Gabriel Rodrigues
I don’t think it’s too broad, because I didn’t ask for any concrete answer, I didn’t ask anyone to write code for me, I just asked for tips on where to start studying. @Gabrielrodrigues
– Tiago P.C
I did not vote, but there are many ways to do it, which characterizes it as too broad. If you had put some code, like "I’m going this way", it would be easier because there would already be a direction. The way you put it, it read like "do it for me in the best way possible".
– Otto
There are answers to questions like yours in this login context; see these questions, they are about login but the answers are very different: http://answall.com/questions/70758/acesso-somente-via-login-e-senha-inhibitor-directaccession-via-url/70765#70765 http://en.stackoverflow.com/questions/95352/login-with-cookie-or-Session-no-php5/95358#95358
– Gabriel Rodrigues
No, @Otto I don’t want you to do it for me, on the contrary, I’m sorry if it seemed that way, but I want the exact opposite, I just want you to steer me down some path where I can do and learn as best I can.
– Tiago P.C
Possible duplicate of What is the best way to make a password login system with PHP
– brasofilo
I think the question is good, especially in light of some answers, but this has been asked before. If you think "I know there are already questions about this subject here, but I fear they are outdated", you need to explain and demonstrate why.
– brasofilo
The only problem with these answers is that they always push those who are learning PHP toward the procedural paradigm. Most do not know how to work in an organized way with it and create great "works of art" with their code, hence the bad reputation of the language.
– Lucas Silva