Noob question: Create a Web Form that will save data to a database
Dedicated MacNNer
Join Date: Mar 2003
Aug 22, 2007, 09:19 PM
 
Hey everybody. I have an idea for a project I would like to work on, but know virtually nothing about web-programming. I am trying to do baby steps, so my first task is to create a website that people can go to and either a. create an account, or b. sign in

If they go to the create an account page, they can enter their name, password, etc., save it to a database on my computer, and then login using this information.

What is the best way to do this? I know a LITTLE about SQL (in that it is a language/format to store data), but I have no idea how to make a website interact with an SQL database.

Thanks everyone!

-Chris
This signature is obsolete.
     
Professional Poster
Join Date: Nov 2000
Location: Tasmania, Australia
Aug 22, 2007, 10:11 PM
 
Originally Posted by Chris Gilpin:
Hey everybody. I have an idea for a project I would like to work on, but know virtually nothing about web-programming. I am trying to do baby steps, so my first task is to create a website that people can go to and either a. create an account, or b. sign in

If they go to the create an account page, they can enter their name, password, etc., save it to a database on my computer, and then login using this information.

What is the best way to do this? I know a LITTLE about SQL (in that it is a language/format to store data), but I have no idea how to make a website interact with an SQL database.

Thanks everyone!

-Chris
PHP and MySQL are probably the most popular choice for doing this (MySQL for the database backend, and PHP for the web front end).

The official PHP manual is here: PHP: PHP Manual

and it includes a comprehensive section on working with MySQL databases.

One of the easiest ways to manage your MySQL databases is to use the "phpMyAdmin" system, which is already available on most hosting plans that include MySQL hosting (or if you're installing MySQL and PHP yourself, you can also install phpMyAdmin).

These tools are free, and have an excellent reputation. They do take some getting used to though (I'm still a bit of novice in this area myself, having only written one fairly simple PHP/MySQL system).

If you want something easy, but expensive, FileMaker Pro makes this sort of thing exceptionally simple to implement.
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Aug 22, 2007, 11:12 PM
 
First of all, if you are simply trying to password protect a page and provide access to particular usernames and passwords, there is a much easier way to do this that doesn't require PHP or MySQL. Let us know if this is the case.

Start with the basic pieces and build this up. Find a tutorial on creating HTML web forms. Here is an example form:

Code:
<form action="submit.php" method="post">
  Name: <input type="text" name="name">
  Age: <input type="text" name="age">
  <input type="submit" value="submit">
</form>
Then, create your submit.php file to receive this form input:

Code:
<?php
// Read the two form fields posted by the form above.
$name = $_POST['name'];
$age = $_POST['age'];

// Connect to the MySQL server (credentials are placeholders).
$link = mysql_connect('localhost', 'dbuser', 'dbpass');

// Form values are placed directly into the query text; see the replies
// below about why that needs escaping before it is used for real.
$query = "insert into mydb.mytable (`name`, `age`) values ('$name', '$age')";
$result = mysql_query($query);

// Send the visitor on to a confirmation page.
header("Location: thankyou.php");
?>
Create your database table with the fields you need (in this example, this would include "name" and "age"), and try this out.
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Aug 22, 2007, 11:54 PM
 
Also bear in mind that besson's example, while excellent for learning, would be a big no-no for actual production code.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Aug 23, 2007, 12:02 AM
 
Chuckit: aside from leaving out the usage of the htmlspecialchars function, what did you have in mind when you wrote what you wrote?
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Aug 23, 2007, 09:34 AM
 
SQL injection. Take this hypothetical value for the $name variable as an example:

Code:
Bob', (SELECT `password` FROM `admin_users` LIMIT 1)); --
Even if you think it's OK because you're already modifying the table, it's best to treat all data coming from the outside world as tainted. In this case, a name can validly have an apostrophe in it (which I don't think htmlspecialchars() handles by default), so your user could be doing an accidental and invalid SQL injection without even meaning to! A simple mysql_real_escape_string() should work in this case.
Chuck
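The submit.php flow from besson3c's post and the $name payload from Chuckit's post, replayed side by side as an added example; this is not code from any post in the thread. It uses Python with an in-memory SQLite database in place of PHP and MySQL so that it runs offline: the mytable schema, the admin_users table and its placeholder password are constructed for the demonstration, and the payload string is the one quoted above, verbatim. Four ways of handling the two form values are compared: pasted straight into the SQL text as submit.php does, HTML-escaped (the htmlspecialchars idea), SQL-escaped by quote doubling (SQLite's equivalent of what mysql_real_escape_string does for quotes), and passed as query parameters.

```python
import html
import sqlite3

# Constructed schema standing in for the thread's mydb.mytable, plus an
# admin_users table (also constructed) so the quoted payload has a target.
SCHEMA = """
CREATE TABLE mytable (name TEXT NOT NULL, age TEXT NOT NULL);
CREATE TABLE admin_users (username TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO admin_users VALUES ('admin', 'PLACEHOLDER-ADMIN-SECRET');
"""

# The hypothetical $name value from Chuckit's post, verbatim.
PAYLOAD = "Bob', (SELECT `password` FROM `admin_users` LIMIT 1)); --"


def open_db():
    """Fresh in-memory database for each case, so results do not bleed over."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_unsafe(conn, name, age):
    """Same shape as submit.php: form values pasted into the SQL text."""
    query = f"INSERT INTO mytable (name, age) VALUES ('{name}', '{age}')"
    conn.execute(query)


def insert_html_escaped(conn, name, age):
    """htmlspecialchars(..., ENT_QUOTES) analogue: quotes become entities.
    The statement survives, but what gets stored is no longer the user's name."""
    insert_unsafe(conn, html.escape(name, quote=True), html.escape(age, quote=True))


def insert_sql_escaped(conn, name, age):
    """Escaping, as the thread suggests, in SQLite's dialect: a quote inside a
    string literal is doubled. MySQL's mysql_real_escape_string uses backslash
    escaping instead, so this exact replacement must not be reused for MySQL."""
    esc = lambda s: s.replace("'", "''")
    insert_unsafe(conn, esc(name), esc(age))


def insert_parameterized(conn, name, age):
    """Placeholders: the driver passes values separately from the SQL text, so
    no value can change the statement's structure. This is the robust fix."""
    conn.execute("INSERT INTO mytable (name, age) VALUES (?, ?)", (name, age))


def stored_rows(conn):
    return conn.execute("SELECT name, age FROM mytable ORDER BY rowid").fetchall()


def run_case(inserter, name, age="42"):
    """Apply one insert strategy to a fresh database and report the outcome:
    ('error', message) if the statement failed, else ('stored', rows)."""
    conn = open_db()
    try:
        inserter(conn, name, age)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("stored", stored_rows(conn))


STRATEGIES = [
    ("string-built", insert_unsafe),
    ("html-escaped", insert_html_escaped),
    ("sql-escaped", insert_sql_escaped),
    ("parameterized", insert_parameterized),
]


def main():
    for label, inserter in STRATEGIES:
        print(f"== {label} ==")
        # An honest name with an apostrophe: the "accidental injection" case.
        print("  O'Brien :", run_case(inserter, "O'Brien"))
        # The payload from the thread: only the string-built query reads admin_users.
        print("  payload :", run_case(inserter, PAYLOAD))


if __name__ == "__main__":
    main()
```

Run it and compare the rows. The string-built version fails on O'Brien with a syntax error and, given the payload, stores the admin_users password in Bob's age column. The HTML-escaped version keeps the statement valid but stores O&#x27;Brien, so the data is mangled at the wrong layer. Quote doubling and parameters both store the name exactly as typed and leave admin_users untouched; parameters are the one to build on, because they do not depend on matching the escaping rules of a particular database.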
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Aug 23, 2007, 09:53 AM
 
Originally Posted by Chuckit:
SQL injection. Take this hypothetical value for the $name variable as an example:

Code:
Bob', (SELECT `password` FROM `admin_users` LIMIT 1)); --
Even if you think it's OK because you're already modifying the table, it's best to treat all data coming from the outside world as tainted. In this case, a name can validly have an apostrophe in it (which I don't think htmlspecialchars() handles by default), so your user could be doing an accidental and invalid SQL injection without even meaning to! A simple mysql_real_escape_string() should work in this case.
Well, htmlspecialchars can convert single quotes to &apos; and double quotes to &quot; if ENT_QUOTES is set.

Also, any sort of query coming from the outside world needs to satisfy MySQL's privilege configuration. So, if connections are being made to localhost which has the permissions to execute the queries being executed and an attack is not coming from localhost, it is not possible, AFAIK, right? If only localhost was allowed to access your DB and tables, only PHP scripts originating from localhost could perform these injections (they would also need your MySQL user/pass), right?

If you are talking about form spoofing (which is probably the more common way these attacks are done, AFAIK), is this possible if quotation marks are escaped either via mysql_real_escape_string or htmlspecialchars? It looks like mysql_real_escape_string is probably the better way to handle this though, since it will also handle \x00, \n, \r, \, and \x1a.

Not permitting destructive SQL queries to unauthenticated users is also a good practice.
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Aug 23, 2007, 04:13 PM
 
Originally Posted by besson3c:
Also, any sort of query coming from the outside world needs to satisfy MySQL's privilege configuration. So, if connections are being made to localhost which has the permissions to execute the queries being executed and an attack is not coming from localhost, it is not possible, AFAIK, right? If only localhost was allowed to access your DB and tables, only PHP scripts originating from localhost could perform these injections (they would also need your MySQL user/pass), right?
Well, yes, but that's why I specifically mentioned injection attacks. The PHP script is expected and allowed to query the SQL server, but an injection attack changes the query that the PHP script will make.

Originally Posted by besson3c:
If you are talking about form spoofing (which is probably the more common way these attacks are done, AFAIK), is this possible if quotation marks are escaped either via mysql_real_escape_string or htmlspecialchars?
I think either would work in this case, though I wouldn't rely on htmlspecialchars() as a security check. It's not tested for that purpose, and if ENT_QUOTES gets left off, it won't even try to replace the quotes.

Anyway, I just wanted a disclaimer for the "noob." When you're learning, I find it's hard to know when you actually know enough (I've heard of many developers who didn't even know that you needed to protect against injection — they just never learned about it).
Chuck
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Aug 23, 2007, 04:27 PM
 
Originally Posted by Chuckit:
Well, yes, but that's why I specifically mentioned injection attacks. The PHP script is expected and allowed to query the SQL server, but an injection attack changes the query that the PHP script will make.


I think either would work in this case, though I wouldn't rely on htmlspecialchars() as a security check. It's not tested for that purpose, and if ENT_QUOTES gets left off, it won't even try to replace the quotes.

Anyway, I just wanted a disclaimer for the "noob." When you're learning, I find it's hard to know when you actually know enough (I've heard of many developers who didn't even know that you needed to protect against injection — they just never learned about it).

Well, you can count me in that category. I haven't spent much mental energy on it because all my users that manipulate databases have to be authenticated. While it is possible that somebody could obtain a password and find a way to do SQL injections, it hasn't been high on my list of considerations and concerns, but it probably should be...

Thanks for teaching me something!
     
   
All times are GMT -5.
All contents of these forums © 1995-2011 MacNN. All rights reserved.