Website Login Script for your players

Angellinho · 12/22/2011, 15:20

Hello! I want to release a sample Login Script for players.
Let`s start making the Configurations. Open a Text editor and create a file configuration.php

PHP Code:



<?php 
    // MySQL connect information. 
    $c_username = "root"; 
    $c_password = "mysql password"; 
    $c_host = "localhost"; //leave this 
    $c_database = "yourdatabase"; 
 
    // Connect. 
    $connection = mysql_connect($c_host, $c_username, $c_password) 
    or die ("It seems this site's database isn't responding."); 
 
    mysql_select_db($c_database) 
    or die ("It seems this site's database isn't responding."); 
 
?>

Save it into your web directory.

Now let`s make the Login.php

Add this code above your <head> tag element.

PHP Code:



<?php 
session_start(); 
// Check if he wants to login: 
if (!empty($_POST[username])) 
{ 
    require_once("configuration.php"); 
 
    // Check if he has the right info. 
    $query = mysql_query("SELECT * FROM accounts 
                            WHERE Username = '$_POST[username]' 
                            AND Password = '$_POST[password]'") 
    or die ("Error, something wrong."); 
     
    $row = mysql_fetch_array($query) 
    or die ("Error, somethign wrong."); 
     
    if (!empty($row[Username])) // he got it. 
    { 
        $_SESSION[username] = $row[Username]; 
        echo "Welcome $_POST[username]! You've been successfully logged in click <a href=login.php>Here</a>."; 
        exit(); 
    } 
    else // bad info. 
    { 
        echo "Error - Couldn't login user.<br /><br /> 
            Please try again."; 
        exit(); 
    } 
} 
 
?>

Below, add this:

PHP Code:



<?php 
session_start(); 
require_once("configuration.php"); 
 
$query = "select Name FROM entities WHERE Owner='$_SESSION[username]'"; 
$result = mysql_query($query); 
 
while($row = mysql_fetch_assoc($result)) 
{ 
$c=$row['Name']; 
} 
 
$query2 = "select ConquerPoints FROM entities WHERE Owner='$_SESSION[username]'"; 
$result2 = mysql_query($query2); 
 
while($row2 = mysql_fetch_assoc($result2)) 
{ 
$cp=$row2['ConquerPoints']; 
} 
 
 
// Check his status. 
if (!empty($_SESSION[username])) // he got it. 
{ 
    echo "You are currently logged in, <b>$_SESSION[username]</b>. <a href=logout.php>Logout</a>"; 
        echo "Users Login script by Angell<a href='http://*************/forum/'>(4Botters)</a><br>"; 
        echo "<br>"; 
        echo "Char name: <font color=red>$c</font>"; 
        echo "ConquerPoints: <font color=red>$cp</font>"; 
} 
 
else // bad info. 
{ 
    echo "You are currently <b>NOT</b> logged in."; 
 
 
echo'                                            <p>Please Login First</p> 
                                            <p> 
                                            <form action=Login.php method=post> 
                                            <table width=300 border=0 align=center cellpadding=0 cellspacing=1> 
                                           <tr> 
                                            <td><p><h3>Username:</h3></p></td> 
                                            <td><p><input type=text name=username STYLE="color: #FFFFFF; font-family: Verdana; font-weight: bold; font-size: 12px; background-color: #72A4D2;"></p></td> 
                                            </tr> 
                                            <tr> 
                                            <td><p><h3>Password:</h3></p></td> 
                                            <td><p><input type=password name=password STYLE="color: #FFFFFF; font-family: Verdana; font-weight: bold; font-size: 12px; background-color: #72A4D2;"></p></td> 
                                            </tr> 
                                            <tr> 
                                            <td><input type="submit" value="Login"></td> 
                                            </tr> 
                                            </table> 
                                            </form></p>'; 
} 
 
?>

You may have to modify the query to show your Char name, Coins(in this case CPs, first time was designed for conquer) or anything you want.
Example:

PHP Code:



$query = "select VIP FROM account WHERE name='$_SESSION[username]'"; 
$result = mysql_query($query); 
 
while($row = mysql_fetch_assoc($result)) 
{ 
$vip=$row['VIP']; 
}

And then to make it show, add below

Code:

// Check his status.
if (!empty($_SESSION[username])) // he got it.
{

this code:

PHP Code:



echo "VIP: <font color=red>$vip</font>";

That`s everything. Close your <body>, there should be no <html> element.
Thanks for reading this.

NotEnoughForYou · 12/22/2011, 16:36

Why do you use a loop , when there is just 1 user with this name ? Also you can select both statements in one query

JacK le chilla · 12/22/2011, 18:04

Uh very nice for exploiting <3

bsp: Username: 'or1=1' Password: 'or1=1'

D

in this script you can use very much exploits, pls check your variables on valid characters with preg_match for example

Angellinho · 12/22/2011, 22:37

I just wanted to release a sample login script I made, whatever.

NotEnoughForYou · 12/22/2011, 22:42

if you use this script everybody can delete your database

Angellinho · 02/21/2012, 10:49

I`m not that sure as you are, Isn`t that vulnerable to SQLi.

and that thing with 'or1=1' isn`t working on it.

galaxyo · 02/21/2012, 20:21

Its not safe. Just google "SQL-Injection".

JacK le chilla · 02/22/2012, 20:19

Quote:

and that thing with 'or1=1' isn`t working on it.

it works, but if you want to fix it simple, use mysql_real_escape_string() to safe your SQL querys.

MfG JacK