php: login and register, using .txt file
Old 02-19-2011, 04:58 PM php: login and register, using .txt file
Junior Talker

Posts: 3
Name: Jonas.k94@hotmail.com
Trades: 0
How to register and login from a .txt file?

I want to write all usernames and passwords to a .txt file.
JonaasK is offline
Old 02-19-2011, 06:15 PM Re: php: login and register, using .txt file
lynxus
Awesomeo-Maximo

Posts: 1,618
Location: UK
Trades: 1
Use:
http://php.net/manual/en/function.fread.php
http://php.net/manual/en/function.fwrite.php

However you will find your life SOOOO much easier if you use a database rather than a file.

Tizag have some good tutorials: http://www.tizag.com/
Old 02-19-2011, 06:25 PM Re: php: login and register, using .txt file
Junior Talker

Posts: 3
Name: Jonas.k94@hotmail.com
Trades: 0
My code looks like this:
PHP Code:
<?php
echo "<form method=\"POST\" action=\"$PHP_SELF\">\n";

echo "Username: <input type=\"text\" name=\"username\"><br>";
echo "Password: <input type=\"password\" name=\"password\"><br>";
echo "<input type=\"submit\" value=\"Logga in\" name=\"login\"><br>";

$user = $_POST['username'];
$pass = $_POST['password'];

$userFile = file('users.txt');
$correctUser = $userFile[0]; // read the first line from the file

if (isset($_POST['login']))
{
    if ($user == $correctUser)
    {
        echo "<br>You logged in.<br>";
    }
    else
    {
        echo "<br>wrong username or password.<br>";
    }
}
?>
I don't know why $user can't be the same as $correctUser
Sorry for my English...

Last edited by JonaasK; 02-19-2011 at 06:35 PM..
JonaasK is offline
Old 02-19-2011, 07:12 PM Re: php: login and register, using .txt file
NullPointer
Will Code for Food

Posts: 2,815
Name: Matt
Location: Irvine, CA
Trades: 0
Bear in mind that when you ask users to register you're asking them to trust you with their private information (passwords). If you don't know what you're doing and don't take the proper steps to secure that information you are violating that trust.

Using a flat file to store user info is a terrible idea, mostly for performance reasons (it won't scale at all), but also because if you store the file in such a way that it is accessible via URL then anyone can come along and download your user database. This is even more of a problem if you're storing raw passwords (which you should never do).

My advice is to do some research on how to create a proper user management system using an actual database and not a text file.

Regarding the code you posted. There may be several reasons why $user and $correctUser are not the same. It may have to do with how you're storing this information in the file, it may be because you are only checking the first line of the file, or it may be because you're not using the FILE_IGNORE_NEW_LINES flag. It could also be all of the above.

Also, shouldn't you be checking the password as well as the username?
Last edited by NullPointer; 02-19-2011 at 07:14 PM..
Old 02-20-2011, 11:57 AM Re: php: login and register, using .txt file
eyu
Super Talker

Posts: 123
Name: Edward Yu
Trades: 0
I would also suggest using a MySQL database. It's actually really easy and can be done in an hour. Here's a really good tutorial complete with screenshots and code: http://net.tutsplus.com/tutorials/ph...ship-with-php/
Old 02-20-2011, 09:02 PM Re: php: login and register, using .txt file
NullPointer
Will Code for Food

Posts: 2,815
Name: Matt
Location: Irvine, CA
Trades: 0
Quote:
Originally Posted by eyu View Post
I would also suggest using a MySQL database. It's actually really easy and can be done in an hour. Here's a really good tutorial complete with screenshots and code: http://net.tutsplus.com/tutorials/ph...ship-with-php/
On first glance there are a couple of problems with that tutorial:

1. It is using md5 to hash passwords. You should be using something like sha2. See http://us2.php.net/manual/en/function.crypt.php

2. Passwords are not salted.
Old 02-21-2011, 08:46 AM Re: php: login and register, using .txt file
Junior Talker

Posts: 3
Name: Jonas.k94@hotmail.com
Trades: 0
Never mind, I'm using a database now ^^
JonaasK is offline
Old 02-21-2011, 09:30 AM Re: php: login and register, using .txt file
eyu
Super Talker

Posts: 123
Name: Edward Yu
Trades: 0
Quote:
Originally Posted by NullPointer View Post
On first glance there are a couple of problems with that tutorial:

1. It is using md5 to hash passwords. You should be using something like sha2. See http://us2.php.net/manual/en/function.crypt.php

2. Passwords are not salted.
Ah, I did not know that, thanks. I suppose it makes your passwords more secure?
Old 02-21-2011, 10:46 AM Re: php: login and register, using .txt file
NullPointer
Will Code for Food

Posts: 2,815
Name: Matt
Location: Irvine, CA
Trades: 0
Quote:
Originally Posted by eyu View Post
Ah, I did not know that, thanks. I suppose it makes your passwords more secure?
Using a salt prevents the use of rainbow tables to determine the input value that generated a particular hash. A rainbow table is just a table mapping hash values to the strings that produce them.
http://en.wikipedia.org/wiki/Rainbow_table
http://en.wikipedia.org/wiki/Salt_(cryptography)

If I hash a password like this:
PHP Code:
$password = 'nullpointer';
$hash = md5($password);
$hash will be equal to 28fc730f2694ac90805b349f8d1bf28b. If someone attempting to find the string resulting in that hash were to use a rainbow table there is a good chance that that particular mapping would exist.

If I salt the password however:
PHP Code:
$password = 'nullpointer';
$salt = '8dF$d_3';
$hash = md5($salt . md5($password));
$hash will be equal to a09820febbd2f219e7d24d8a1b5d1e22 and a rainbow table would have to contain the string 8dF$d_328fc730f2694ac90805b349f8d1bf28b which is much less likely.

Another problem with md5 is that it is fast. A quick benchmark on my machine shows that I can generate 768,842 md5 hashes in a single second. That number would be even higher if I were running a threaded hash generator instead of just using the md5 function in PHP. Even at that rate I could brute force any 6 character password consisting of upper or lower case letters and digits in less than a day (62^6 / 768842).

Technically this isn't a problem with md5 so much as with how it is implemented using the md5 function in PHP. Normally the number of 'rounds' in an md5 hash is 64. You can increase that number arbitrarily however. The crypt function allows you to do this with SHA2 algos:

PHP Code:
$password = 'nullpointer';
$salt = '8dF$d_3';

$hash = crypt($password, '$6$rounds=5000$' . $salt . '$'); //5000 is actually the default
On my machine, using the method above, I can generate 74 SHA-512 hashes in a second, which is smaller than the number of md5 hashes I can generate by several orders of magnitude.

http://us2.php.net/manual/en/function.crypt.php
Last edited by NullPointer; 02-21-2011 at 10:50 AM..
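Added example, not code from any post in this thread: a minimal flat-file register/login for PHP 7.1+ that applies the points raised in the replies above (read with FILE_IGNORE_NEW_LINES, scan every line, check the password, and store a per-user salted SHA-512 crypt() hash instead of the raw password). The function names, the username rule, the `name:hash` line format and the file location are assumptions made for illustration.

```php
<?php
// Added example. Demo path only: in a real deployment this file must live
// outside the web root so it cannot be downloaded by URL.
define('USERS_FILE', sys_get_temp_dir() . '/users_demo.txt');

// Salted, iterated SHA-512 via crypt(), with a fresh random salt per user.
function hash_password(string $password): string {
    // 12 random bytes -> 16 base64 chars; crypt's salt alphabet is [./0-9A-Za-z].
    $salt = strtr(base64_encode(random_bytes(12)), '+', '.');
    return crypt($password, '$6$rounds=5000$' . $salt . '$');
}

// Return the stored hash for $username, or null if there is no such user.
function find_user(string $username): ?string {
    if (!is_file(USERS_FILE)) {
        return null;
    }
    // FILE_IGNORE_NEW_LINES strips the trailing "\n" that file() otherwise
    // keeps on every line, which makes a plain == comparison fail.
    $lines = file(USERS_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines as $line) {            // every line, not only $lines[0]
        $parts = explode(':', $line, 2);   // record format: name:hash
        if (count($parts) === 2 && $parts[0] === $username) {
            return $parts[1];
        }
    }
    return null;
}

function register(string $username, string $password): bool {
    // \A...\z (not ^...$) so a trailing newline cannot slip through and
    // inject an extra record; ':' is excluded because it is the delimiter.
    if (!preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $username)) {
        return false;
    }
    if (find_user($username) !== null) {
        return false;                      // name already taken
    }
    $record = $username . ':' . hash_password($password) . "\n";
    return file_put_contents(USERS_FILE, $record, FILE_APPEND | LOCK_EX) !== false;
}

function login(string $username, string $password): bool {
    $stored = find_user($username);
    if ($stored === null) {
        return false;
    }
    // crypt() reads the salt and rounds back out of the stored hash;
    // hash_equals() compares the two strings in constant time.
    return hash_equals($stored, crypt($password, $stored));
}
```

The check-then-append in register() is not atomic, so two simultaneous registrations of the same name can both succeed; that is one more reason the replies recommend a database with a unique constraint.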
 
Old 02-28-2011, 10:06 AM Re: php: login and register, using .txt file
madnhain
Experienced Talker

Posts: 42
Name: Jez
Location: Grand Junction, CO / Williston, ND
Trades: 0
Couldn't a person safely use md5 if they required the use of chars, int, and special characters in a pw?
Old 02-28-2011, 01:21 PM Re: php: login and register, using .txt file
NullPointer
Will Code for Food

Posts: 2,815
Name: Matt
Location: Irvine, CA
Trades: 0
Quote:
Originally Posted by madnhain View Post
Couldn't a person safely use md5 if they required the use of chars, int, and special characters in a pw?
See http://en.wikipedia.org/wiki/Md5#Security

Note that you need a preimage attack (not a collision attack) to derive a raw password from a hash. Still, there is no good reason to use md5 (or sha1) for new systems. It isn't that much harder to use a more secure method.