Simple Login Example (PHP Server + Android Client)


I have created this simple login example and intentionally left it as the kind of login that is vulnerable to SQL injection.
I will discuss SQL injection later.


XAMPP server side (PHP)

Database

create table users(
   userid varchar(20) primary key,
   password varchar(80) not null
);


Insert a test row with userid 'test' and password '1234':
INSERT INTO `users`(`userid`, `password`) VALUES ('test','1234');


PHP
Step 0: Create db_connect.php (refer to Lab 2)

Step 1: Create loginTest.php

<<< Server Side >>>
loginTest.php
<?php
// check for POST data
if (isset($_POST["id"])) {
    $id = $_POST['id'];
    $pw = $_POST['pw'];

    // include db connect class (from Lab 2)
    require_once __DIR__ . '/db_connect.php';
    // connecting to db
    $db = new DB_CONNECT();
    $db->connect();

    // look up the user: the input is concatenated straight into the SQL text,
    // which is the SQL injection weakness this lab leaves in on purpose
    $sqlCommand = "SELECT * FROM users WHERE userid = '" . $id . "' and password ='" . $pw . "'";
    $result = mysqli_query($db->myconn, $sqlCommand);

    //echo $sqlCommand;

    // a failed query returns false, so guard before counting rows
    if ($result && mysqli_num_rows($result) > 0) {
        echo ("Success");
    } else {
        echo ("failed");
    }
} else {
?>

<html>
<body>

<h2>Login Test</h2>

<form action="loginTest.php" method="post">
  User ID:<br>
  <input type="text" name="id" required>

  <br>Password:<br>
  <input type="password" name="pw" required>

  <br>
  <br>
  <input type="submit" value="Submit">
</form>

<br>

</body>
</html>

<?php
}
?>


Step 2: Run your XAMPP server and test it.

You may test it with my server at
or test it on your own XAMPP server.

username: test
password: 1234

Try it with a wrong password or a wrong username.

<<< Client Side >>>
Android client side (Java)

Step 1: Create a new Activity called Login

Step 2: Open the app module's build.gradle file (not the project-level one) and add the Volley dependency:
dependencies {
    implementation 'com.android.volley:volley:1.2.1'
    ...
}

AndroidManifest.xml

Go to AndroidManifest.xml and make Login the launcher activity (the first page shown):

        <activity
            android:name=".MainActivity"
            android:exported="false" />
        <activity
            android:name=".Login"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>


Step 3: Remember to set permissions in AndroidManifest.xml:
    <uses-permission android:name="android.permission.INTERNET" />

Because the XAMPP server is reached over plain HTTP, also add this attribute to the <application> element; Android 9 and later block cleartext HTTP requests by default without it:
    android:usesCleartextTraffic="true"

 
Step 4: Edit the layout activity_login.xml
<?xml version="1.0" encoding="utf-8"?>
<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:app="http://schemas.android.com/apk/res-auto"
    xmlns:tools="http://schemas.android.com/tools"
    android:id="@+id/main"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    tools:context=".Login">

    <EditText
        android:id="@+id/etUserName"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_marginStart="56dp"
        android:layout_marginTop="109dp"
        android:ems="10"
        android:hint="User name"
        android:inputType="text"
        app:layout_constraintStart_toStartOf="parent"
        app:layout_constraintTop_toTopOf="parent" />

    <EditText
        android:id="@+id/etPassword"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_marginTop="14dp"
        android:ems="10"
        android:hint="Password"
        android:inputType="textPassword"
        app:layout_constraintStart_toStartOf="@+id/etUserName"
        app:layout_constraintTop_toBottomOf="@+id/etUserName" />

    <Button
        android:id="@+id/btnLogin"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_marginTop="29dp"
        android:text="Login"
        app:layout_constraintEnd_toEndOf="@+id/etPassword"
        app:layout_constraintStart_toStartOf="@+id/etPassword"
        app:layout_constraintTop_toBottomOf="@+id/etPassword" />

</androidx.constraintlayout.widget.ConstraintLayout>



Android Client Side

package mdad.localdata.volleysqldatabase1;

import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;

import androidx.annotation.Nullable;
import androidx.appcompat.app.AppCompatActivity;

import com.android.volley.Request;
import com.android.volley.RequestQueue;
import com.android.volley.Response;
import com.android.volley.VolleyError;
import com.android.volley.toolbox.StringRequest;
import com.android.volley.toolbox.Volley;

import java.util.HashMap;
import java.util.Map;

public class Login extends AppCompatActivity {
    // loginTest.php on the XAMPP server; ipBaseAddress is defined in MainActivity
    private static String url_login = MainActivity.ipBaseAddress + "/loginTest.php";
    EditText etUsername;
    EditText etPassword;
    Button btnLogin;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);

        etUsername = (EditText) findViewById(R.id.etUserName);
        etPassword = (EditText) findViewById(R.id.etPassword);
        btnLogin = (Button) findViewById(R.id.btnLogin);

        btnLogin.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                String username = etUsername.getText().toString();
                String password = etPassword.getText().toString();

                // put the credentials as key-value pairs in a HashMap;
                // the keys must match $_POST['id'] and $_POST['pw'] in loginTest.php
                Map<String, String> params_create = new HashMap<String, String>();
                params_create.put("id", username);
                params_create.put("pw", password);

                // postData uses Volley to POST the credentials to loginTest.php
                postData(url_login, params_create);
            }
        });
    }

    public void postData(String url, final Map<String, String> params) {
        // create a RequestQueue for Volley
        RequestQueue requestQueue = Volley.newRequestQueue(this);

        Log.i("tss", url);
        // create a StringRequest for the HTTP POST; the server replies with plain text
        StringRequest stringRequest = new StringRequest(Request.Method.POST, url,
                // response from server
                new Response.Listener<String>() {
                    @Override
                    public void onResponse(String response) {
                        Log.i("tss", "===>" + response + "<===");

                        if (response.equals("Error")) {
                            Toast.makeText(getApplicationContext(), "Error in updating database",
                                    Toast.LENGTH_LONG).show();
                        } else if (response.equals("Success")) {
                            Toast.makeText(getApplicationContext(), "Login Successful",
                                    Toast.LENGTH_LONG).show();
                            finish();
                            // load AllProductsActivity (from the earlier lab) after a successful login
                            Intent i = new Intent(getApplicationContext(), AllProductsActivity.class);
                            startActivity(i);
                        } else {
                            // loginTest.php echoes "failed" for a wrong username or password
                            Toast.makeText(getApplicationContext(), "Failed to Login", Toast.LENGTH_LONG).show();
                        }
                    }
                },
                // error in Volley (server unreachable, HTTP error, ...)
                new Response.ErrorListener() {
                    @Override
                    public void onErrorResponse(VolleyError error) {
                        Toast.makeText(getApplicationContext(), "Error in accessing database", Toast.LENGTH_LONG).show();
                    }
                }
        ) {
            @Nullable
            @Override
            // send the credentials stored in params to the server as HTTP POST fields
            protected Map<String, String> getParams() {
                return params;
            }
        };
        // add the StringRequest to the Volley queue
        requestQueue.add(stringRequest);
    }
}










Try SQL injection
Enter the username as 1' or '1' = '1
and the password as 1' or '1' = '1
You will notice that the login succeeds: the server still returns a success response, because the injected quotes close the string literals and the added or '1' = '1' conditions make the WHERE clause true for every row.

I will discuss in class how to deal with SQL injection with a simple modification.
You can use the above code for the time being.

Try it out with
username: 1' or '1
password: 1' or '1

The query echoed by the server (with the //echo $sqlCommand; line uncommented) and its response:
SELECT * FROM users WHERE userid = '1' or '1' and password ='2' or '2'Success
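A hardened version of the server-side check, added here as an example and not part of the lab's code: it keeps the same request fields, the same Success/failed responses (so the Android client above needs no change) and the lab's db_connect.php, but passes the inputs to MySQL as bound parameters instead of concatenating them into the query text. The DB_CONNECT class and its myconn handle are assumed to be the ones from Lab 2.

```php
<?php
// Added example (not the lab's code): the same login check as loginTest.php,
// rewritten so that user input can never change the structure of the SQL statement.
// Assumes Lab 2's db_connect.php (DB_CONNECT class with a $myconn mysqli handle)
// and the same users(userid, password) table with the plaintext test row.

// Accept only the two expected fields; anything else is a bad request.
if (!isset($_POST['id'], $_POST['pw'])) {
    http_response_code(400);
    exit('failed');
}
$id = $_POST['id'];
$pw = $_POST['pw'];

require_once __DIR__ . '/db_connect.php';
$db = new DB_CONNECT();
$db->connect();

// The query text is fixed; "?" marks where the driver binds the value.
// Input such as 1' or '1' = '1 is sent as data and compared literally against userid,
// so it can only ever match a user whose id is that exact string.
$stmt = mysqli_prepare($db->myconn, 'SELECT password FROM users WHERE userid = ?');
if ($stmt === false) {
    http_response_code(500);
    exit('failed');
}
mysqli_stmt_bind_param($stmt, 's', $id);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $storedPw);
$found = mysqli_stmt_fetch($stmt) === true;   // true when exactly that userid exists
mysqli_stmt_close($stmt);

// Compare in PHP with hash_equals(): constant time, and the same response
// whether the userid is unknown or the password is wrong.
if ($found && hash_equals($storedPw, $pw)) {
    echo 'Success';
} else {
    echo 'failed';
}
```

With the lab's test row, test/1234 still prints Success, while the injection inputs from this post print failed because no user has the literal id 1' or '1' = '1.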
