How can I implement a user login feature in my hotel check-in system?

Chera Robinson
Hello! I'm a newbie in programming and my first project is a check-in system for a hotel. The system looks like this: first of all, the user will enter his name, check-in and check-out dates, the number of rooms he wants to rent, the number of people that will stay in each room, and his email address (all of this is done on the register.php page). After he enters these details, an email will be sent to him containing a reservation number and the details of his reservation. After this, he'll go to a page (login.php) where he enters this reservation code and starts the check-in process for each room; for example, if he chose 2 rooms, he'll first do the check-in for the first room, then for the second (this should be done on the checkin.php page). If the check-in process was never done, it will start; otherwise a message will be shown saying that the code was already used or is incorrect, as the case may be. What I want help with is the login process and starting the check-in. I managed to send the email and generate the code, but I can't log in and start the check-in... I want to use only PostgreSQL, not MySQL. Here is the login.php:
<?php

	ob_start();
	 $error = false;
	// Errors reporting, used if needed
	error_reporting(E_ALL);
	ini_set('display_errors', 'on');

	// General configuration like base, used if needed
	include_once ('include/config.inc.php');

	// Mail functions
	include_once ('include/mail.functions.php');

	// Start session if needed
	session_start();

	// DBConn
	include_once ('class/DB/DBConn.includeall.php');
	$db = new DBConn(NULL);

	// Include the login class
	require_once ('class/class_login.php');

	// Set up current language
	$lang = "ro";
	$_SESSION[PRE.'lang'] = $lang;

	$access = 0;
	if (isset($_POST['login'])) {
		// update action
		if (isset($_POST['user']) && isset($_POST['pass_login']) == $result) {
			echo "login success";
		}
		else {
			$error = true;
		}
	}


?>

<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

	<head>
		<!-- <base href="http://dev.incorom.local/ticketing/www/login.php" /> -->
		<title>Login</title>
		<?php
			include('include/links.php');
			include('include/scripts.php');
		?>
	</head>

	<body style="display: block !important;" ng-cloak="" ng-class="{ 'layout-fixed' : app.layout.isFixed, 'layout-boxed' : app.layout.isBoxed, 'layout-dock' : app.layout.isDocked, 'layout-material': app.layout.isMaterial, 'aside-offscreen' : app.sidebar.isOffscreen, 'aside-mini' : app.sidebar.isMini, 'aside-right' : app.sidebar.isRight, 'footer-hidden': app.footer.hidden, 'in-app': !$state.includes('page')}">

		<div class="animated fadeOutZoom">
			<div class="container container-sm animated fadeInDown">
				<div class="center-block mt-xl">
					<img src="images/logo_iconlab.png" alt="Image" class="center-block img-rounded">
					<div class="panel">
						<div class="panel-body">
							<p class="pv text-bold">Date de logare</p>
							<form class="mb-lg" method="post" action="login.php" id="form">

							<div class="row">
								<div class="col-md-12">
									<div class="form-group has-feedback mb">
										<input type="text" placeholder="User" autocomplete="off" class="form-control" name="user_login" /><span class="fa fa-envelope form-control-feedback text-muted"></span>
									</div><br>
									<div class="form-group has-feedback">
										<input id="exampleInputPassword1" type="text" placeholder="Numar rezervare" class="form-control" name="pass_login" /><span class="fa fa-lock form-control-feedback text-muted"></span>
									</div>
									<div>
										<label>
											<input type="checkbox" value="1"  name="remember_me"> Tine-ma minte
										</label>
									</div>
								</div>
								<div class="col-md-12">
									<button type="submit" class="btn btn-block btn-info btnblue mb" name="login" value="login">Login</button>
									<button type="submit" class="btn btn-block btn-info btnblue mb login" name="register" value="register">Inregistrare</button>
								</div>

							</form>
							<?php if($error){ ?>
	 <script> alert ("S-a produs o eroare la validarea formularului. Probabil utilizator nu exista in baza de date.")</script>
<?php } ?>
						</div>
					</div>
				</div>
			</div>
		</div>
	</body>

</html>
<?php
ob_end_flush();
?>


And here is the class_login that will process the login:
<?php


function session_defaults() {

	$_SESSION[PRE.'logged'] = false;
	$_SESSION[PRE.'uid'] = 0;
	$_SESSION[PRE.'username'] = '';

}

class Login {
	var $db = null;
	var $failed = false;
	var $id = 0;

	function Login($db, $id=0) {
		$this->db = $db;
		if (isset($_SESSION[PRE."logged"]) && $_SESSION[PRE.'logged']==true) {
			$this->_checkSession();
		}
	}


	function _checkLogin($username, $password) {

		$username = $this->db->EscapeData($username);
		$password = $this->db->EscapeData($password);

		$sql = "SELECT tu.* FROM tregister tu WHERE UPPER(tu.utilizator) = UPPER('" . $username . "') AND tu.parola = '" . $password . "' AND tu.activ = 1 ";

		$res = $this->db->DbGetAll($sql);
		if ( $res != false )
		{
			$this->_setSession($res[0]);
			return true;
		}
		else {
			$this->failed = true;
			$this->_logout();
		}

		return false;
	}

	function _setSession($values, $init = true) {

		$this->id = $values['id'];

		$_SESSION[PRE . 'uid'] = $values['id'];
		$_SESSION[PRE . 'username'] = strtoupper(htmlspecialchars($values['utilizator']));
		$_SESSION[PRE . 'role'] = $values['tip'];
		$_SESSION[PRE . 'logged'] = true;

		if ($init) {
			$session = session_id();
			$ip = $_SERVER['REMOTE_ADDR'];
			$sql = "UPDATE tutilizator SET sesiune = '$session', ip = '$ip', lastlog=now() WHERE " .
				"id = $this->id";

			$this->db->DbQuery($sql);

		}
	}


	function _checkSession() {

		$username = $_SESSION[PRE.'username'];
		$session = session_id();
		$ip = $_SERVER['REMOTE_ADDR'];

		$sql = "SELECT id FROM tregister WHERE " .
			"(utilizator = '$username') AND " .
			"(sesiune = '$session') AND (ip = '$ip')";
		$res = $this->db->DbGetAll($sql);

		if ( count($res) > 0) {
			$this->_setSession($res[0], false);
		}
		else
		{
			$this->_logout();
		}
	}

	function _logout() {
		session_defaults();
	}

}
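
The reservation-code login the question describes, as an added example that is not part of the original post or the asker's code: it looks up the guest by e-mail and reservation code with a PDO prepared statement against PostgreSQL, refuses a code whose rooms have all been checked in already, and otherwise starts the session for checkin.php. The table and column names (reservation, room_checkin, email, reservation_code, rooms, reservation_id), the connection details and the checked-in bookkeeping are assumptions; the form field names user_login and pass_login are the ones from the posted login.php.

```php
<?php
// Added example, not the asker's code. Reservation-code login against PostgreSQL
// with PDO prepared statements. Table/column names (reservation, room_checkin,
// email, reservation_code, rooms, reservation_id) are assumptions.
declare(strict_types=1);

session_start();

// Connection details are placeholders; adjust for your environment.
$pdo = new PDO('pgsql:host=localhost;dbname=hotel', 'hotel_app', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

/**
 * Look up a reservation by e-mail and reservation code.
 * Returns the row or null. User input never touches the SQL string: both
 * values are bound parameters, so quotes or semicolons in them are just data.
 */
function findReservation(PDO $pdo, string $email, string $code): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, email, reservation_code, rooms
           FROM reservation
          WHERE lower(email) = lower(:email)
            AND reservation_code = :code'
    );
    $stmt->execute([':email' => $email, ':code' => $code]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

/**
 * Rooms on this reservation that still have no check-in record.
 * room_checkin is an assumed table holding one row per room once checked in.
 */
function roomsLeftToCheckIn(PDO $pdo, int $reservationId, int $rooms): int
{
    $stmt = $pdo->prepare(
        'SELECT count(*) FROM room_checkin WHERE reservation_id = :id'
    );
    $stmt->execute([':id' => $reservationId]);
    $done = (int) $stmt->fetchColumn();
    return max(0, $rooms - $done);
}

$error = null;
if (isset($_POST['login'])) {
    $email = trim((string) ($_POST['user_login'] ?? ''));
    $code  = trim((string) ($_POST['pass_login'] ?? ''));

    $reservation = findReservation($pdo, $email, $code);
    if ($reservation === null) {
        // One message for both failure cases: do not reveal which half was wrong.
        $error = 'Reservation code or e-mail is incorrect.';
    } else {
        $left = roomsLeftToCheckIn($pdo, (int) $reservation['id'], (int) $reservation['rooms']);
        if ($left === 0) {
            $error = 'This reservation code has already been used for check-in.';
        } else {
            // Fresh session id on login so a pre-login id cannot be reused
            // (session fixation); checkin.php reads these two keys.
            session_regenerate_id(true);
            $_SESSION['reservation_id'] = (int) $reservation['id'];
            $_SESSION['rooms_left']     = $left;
            header('Location: checkin.php');
            exit;
        }
    }
}
```

checkin.php would then insert one room_checkin row per completed room and redirect back to the next room until rooms_left reaches zero; the login step above only decides whether the code is unknown, already used, or still open.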

ste5an, Senior Developer

Commented:
I hope it is an educational project. Plain Text Offenders Developers FAQ.

Store only salted (per user) hashed passwords, not plain text, e.g. by using password_hash().

Author

Commented:
Hello! Yes, it's an educational project; if it was a paid one I would have said so. Well, I don't need a password, I just need an email and a code that is an MD5 random string.
Scott Fell, Developer & EE Moderator

Commented:
The first thing to do is list out the different functions you need in a general format. From that information you should be able to create a simple flow chart and finally detail the fields you need. Then create your database and then work on your code.

1) Hotel information
  • Address
  • Contact info
  • list of amenities
  • Info for website

2) Inventory of rooms
  • ID that links room to hotel
  • Room number
  • Number of Queen Beds
  • Number of Double Beds
  • Number of Couch Beds
  • Smoking/non
  • Pets yes/no
  • List of other room related amenities
  • Notes
  • Info for website

3) Customers
  • Name
  • Address
  • City
  • St
  • Zip
  • Phone
  • Email
  • Notes
  • Username
  • Password

4) Bookings
  • BookingID
  • HotelID
  • RoomID
  • CustomerID
  • CheckInDate
  • CheckOutDate
  • RatePerNight
  • BookingType (Guest, Employee, Reservation only, No booking/Repairs)
  • Notes

5) Sales
  • SalesOrderID
  • CustomerID
  • BookingID
  • DateCreated
  • NumberOfNights
  • Rate
  • Discount
  • Tax
  • Notes

6) Payments
  • PaymentID
  • SalesOrderID
  • PaymentAmount
  • PaymentType (Cash,check, CreditCard etc)
  • PaymentDate

7) WebLogIns
  • CustomerID
  • IP
  • Timestamp
  • Page

This is a very basic start and is in no way ready for something final. But it gives you a good idea.  

The first thing you need is the inventory of rooms that are linked to the hotel.  Next you need to know what date range any one room is available. When a guest logs in, you need a table for their contact information that includes their log in as well as a table that tracks their history (web logins).  I think you can see how this works.   The key is you need to start with this kind of thinking until you get the exact information you need. Once you have that and develop your needed database tables, I suggest you post a new question in our sql database topic asking if the tables are properly normalized for a website database as well as asking about proper indexing.

Now you can start working on layouts for each required screen, and finally the back end coding required to make each screen possible.

Scott Fell, Developer & EE Moderator

Commented:
The way to get the most of a Question and Answer forum like this is to hone your question to just one item per thread such as just the log in part, or just the database layout etc.

Author

Commented:
If you can help me with at least the login...
Scott Fell, Developer & EE Moderator

Commented:
The one thing I can quickly see with your login is that you are making usernames not case sensitive and possibly using clear-text passwords.

SELECT tu.* FROM tregister tu WHERE UPPER(tu.utilizator) = UPPER('" . $username . "') AND tu.parola = '" . $password . "' AND tu.activ = 1

Converting the username to all upper case is fine as long as you have logic on registration that already converts to upper, meaning the usernames cheararobinson and CheraRobinson are the same.

The bigger issue with your select statement is that the passwords you are storing are probably cleartext. What you want to do is store your passwords as a hash. This means your select statement would only have
SELECT tu.* FROM tregister tu WHERE UPPER(tu.utilizator) = UPPER('" . $username . "') 


The first thing you want to check in the results is that the password field (which will be a hash) matches the password entered after you have run it through your hashing algorithm.

You may want to check that tu.activ = 1 after the log in if you want to give a personalized message that the account is not active. Otherwise you can leave it in the WHERE clause.

Author

Commented:
Right now I don't care about the password, I care only about the cod_rezervare, which is an MD5 that the user will use to log in.
Scott Fell, Developer & EE Moderator

Commented:
When a user is created/registered, you enter a username and password. The password is run through your hash and that is what is stored in the database.

$raw_password = $_POST['password'];
$hash_password = md5($raw_password);

Then store the $hash_password in your database. Now, the user of course will not know their hashed password; they just enter the password that they know.

When the user logs in, they enter their username and password. Your select statement will look something like
$username = $_POST['username'];
$raw_password = $_POST['password'];
$hash_password = md5($raw_password);
$sql = "SELECT password from MyTable WHERE username = ".$username;
// ... run the query and fetch the matching row into $row ...
if ($row['password'] == $hash_password ){
    // password is good
} else {
   // password is bad
}



Some notes on the above. md5 is outdated and there are other algorithms that should be used. Also, my example is for ease of reading; your SQL statement should be parameterized and not concatenated, to prevent SQL injection.
ste5an, Senior Developer

Commented:
$username = $_POST['username'];
$raw_password = $_POST['password'];
$sql = "SELECT password_hash, salt from MyTable WHERE username = ".$username;
// ... run the query and fetch the matching row into $row ...
// Re-hash the entered password with the user's stored salt, then compare
$options = [ 'salt' => $row['salt'] ];
$hash_password = password_hash($raw_password, PASSWORD_BCRYPT, $options);
if ($row['password_hash'] == $hash_password ){
    // password is good
} else {
   // password is bad
}
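
A worked version of the hashing flow from Scott Fell's and ste5an's comments above, added here as an example and not code from either of them: registration stores only a password_hash() result, and login fetches the stored hash through a bound parameter and checks it with password_verify(), which reads the salt and algorithm back out of the stored string, so no separate salt column or salt option is needed. The table and column names (app_user, id, username, password_hash) are assumptions.

```php
<?php
// Added example, not Scott Fell's or ste5an's code. Registration and login with
// password_hash()/password_verify() over PDO prepared statements. The table and
// column names (app_user, id, username, password_hash) are assumptions.
declare(strict_types=1);

/**
 * Registration: hash the raw password and store only the hash.
 * password_hash() draws its own random salt and embeds it, with the algorithm
 * and cost, in the returned string, so nothing else needs to be stored.
 */
function registerUser(PDO $pdo, string $username, string $rawPassword): void
{
    $hash = password_hash($rawPassword, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO app_user (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/**
 * Login: fetch the stored hash by username (bound parameter, never concatenated)
 * and let password_verify() do a constant-time comparison.
 * Returns the user id on success, null on failure.
 */
function loginUser(PDO $pdo, string $username, string $rawPassword): ?int
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM app_user WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the account does not exist, so an
    // unknown username costs the same time as a wrong password.
    $storedHash = $row !== false
        ? (string) $row['password_hash']
        : password_hash('dummy-no-such-user', PASSWORD_DEFAULT);

    if (!password_verify($rawPassword, $storedHash) || $row === false) {
        return null;
    }

    // Upgrade the stored hash transparently if the default cost/algorithm has
    // moved on since this user registered.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE app_user SET password_hash = :h WHERE id = :id');
        $upd->execute([
            ':h'  => password_hash($rawPassword, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }

    return (int) $row['id'];
}
```

The comparison is done in PHP rather than in the WHERE clause because the salt is inside the stored hash: the database cannot recompute the hash of the submitted password, so the query selects by username only and password_verify() decides.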
