1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Secure Login System Help

Discussion in 'PHP' started by Xora, Oct 24, 2008.

  1. Xora

    Xora New Member

    Joined:
    Oct 24, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    Occupation:
    Web Design/Owner of Joken Design
    Location:
    Grand Junction
    Home Page:
    Ok, so here is the deal. I'm trying to make a login system that is more secure (and make it better in general), but I am having a bit of trouble. I relize some of my problems but I can not think of another way to fix them. So here is my code.

    My SQL command:
    Code:
    CREATE TABLE users ( 
    id INT(55) NOT NULL AUTO_INCREMENT, 
    username VARCHAR(255) NOT NULL, 
    password VARCHAR(255) NOT NULL, 
    name VARCHAR(144) NOT NULL, 
    PRIMARY KEY ( id ) );
    
    conf.php
    PHP:
    <?php 
    $sqlhost 
    "<!--Your mysql host-->"
    $sqluser "<!--Your mysql username-->"
    $sqlpass "<!--Your mysql password-->"
    $sqldb "<!--The DB you just made-->"
      
    $con mysql_connect$sqlhost$sql_user$sqlpass ) or die( "Error connecting to [URL=http://www.go4expert.com/articles/introduction-sql-server-t34535/]sql server[/URL]: ".mysql_error() ); 
    $db mysql_select_db$sqldb$con ) or die( "Error selecting db: ".mysql_error() ); 
      
    ?>
    register.php
    PHP:
    <html> 
     <head> 
      <title>Regtistration</title> 
     </head> 
      
     <body> 
      <?php if( $_GET['bad'] == '1' ) { ?> 
    <p class="bad">The username you entered is unavailable. <br />Pleae try again.</p> 
    <?php ?> 
      <form action="registration.php" method="post"> 
       <table width="300" > 
        <tr><td colspan="2">Please Register.</td></tr> 
        <tr><td>Username:</td><td><input type="text" name="user" /></td></tr> 
        <tr><td>Password:</td><td><input type="password" name="password" /></td></tr> 
        <tr><td>Real Name:</td><td><input type="text" name="name" /></td></tr> 
        <tr><td colspan="2"><input type="submit" name="register" value="Register" /></td></tr> 
       </table> 
      </form> 
     </body> 
    </html>
    registration.php
    PHP:
    <?php 
    require( "conf.php" ); 
      
    if( isset( 
    $_POST['register'] ) ) 

     
    $user stripslashes$_POST['user'] ); 
     
    $password md5addslashes"j!2B".$_POST['password']."^nmH" ) ); 
     
    $name stripslashes$_POST['name'] ); 
      
     
    $rcheck mysql_query"SELECT id FROM users WHERE username = '$user' " ) or die("Error validating username: ".mysql_error()); 
     if( 
    mysql_num_rows$rcheck ) == null 
     { 
      
    $reg mysql_query"INSERT INTO users VALUES( '', '$user', '$password', '$name' ) " ) or die( "Error registering: ".mysql_error() ); 
      
    header"Location: index.php" ); 
     } 
     else 
     { 
      
    header"Location: register.php?bad=1" ); 
     } 

    ?>
    index.php
    PHP:
    <html> 
     <head> 
      <title>Please Login</title> 
     </head> 
      
     <body> 
    <?php if( $_GET['bad'] == '1' ) { ?> 
    <p class="bad">The username or password you entered was incorrect. <br />Pleae try again.</p> 
    <?php ?> 
    <?php if( $_GET['bad'] == '2' ) { ?> 
    <p class="bad">You must be logged in to go there.</p> 
    <?php ?> 
      <form action="login.php" method="post"> 
       <table> 
        <tr><td>Please Login</td></tr> 
        <tr><td>Username:</td><td><input type="text" name="user" /></td></tr> 
        <tr><td>Password:</td><td><input type="password" name="password" /></td></tr> 
       <tr><td colspan="2"><a href="register.php">Registration</a></td></tr> 
       <tr><td colspan="2"><input type="submit" name="login" value="Login" /></td></tr> 
       </table> 
      </form> 
     </body> 
    </html>
    login.php
    PHP:
    <?php 
    require( 'conf.php' ); 

    if( isset( 
    $_POST['login'] ) ) 

     
    $user stripslashes(  $_POST['user'] ); 
     
    $password stripslashesmd5"j!2B".$_POST['password']."^nmH" ) ); 

     
    $check mysql_query"SELECT id FROM users WHERE username = '$user' AND password = '$password'" ) or die( "Error validating user info: ".mysql_error() ); 

     
    $count mysql_num_rows$check ); 
     if( 
    $count == "1" 
     { 
      
    session_start(); 
      
    $_SESSION['id'] = mysql_fetch_array$check ); 
      
    $_SESSION['username]'] = $user
      
    header"Location: welcome.php" ); 
     } 
     else 
     { 
      
    header"Location: index.php?bad=1" ); 
     } 

    ?>
    welcome.php
    PHP:
    <?php 
    session_start
    (); 
    if( 
    $_SESSION['id'] == null 

     
    header"Location: index.php?bad=2" ); 

    else 

    ?> 
    <html> 
     <head> 
      <title>Welcome User</title> 
     </head> 
      
     <body> 
      <h1>Welcome User</h1> 
      <a href="logout.php">Logout</a> 
     </body> 
    </html> 
    <?php ?>
    And the little script added to each page to check if they log in
    PHP:
    <?php 
    session_start
    (); 
    if( 
    $_SESSION['id'] == null 

     
    header"Location: index.php?bad=2" ); 

    else 

    ?>
     
  2. pete_bisby

    pete_bisby New Member

    Joined:
    Nov 11, 2007
    Messages:
    48
    Likes Received:
    2
    Trophy Points:
    0
    Occupation:
    Software Developer/Analyst, PB
    Location:
    Manchester, England
    Home Page:
    Firstly, you are allowing anyone to register an account - if that is the case, why have a user account at all? Account verification should be a two-stage process, if true secure account creation and login is required.

    Secondly, you are hard-coding variables into your SQL code - this is the easiest way to allow hackers to use SQL injection .... huge no-no !!!

    If you want a secure login, use SSL and spend some cash on a secure certificate (Verisign or Thawte are the two largest companies) - all transactions will then be encrypted.

    Then use stored procedures at the database level - you pass into the stored procedure the parameters you need (in this case the username and password). And make sure the encryption of the password is done at the database level, within the stored procedure - both for creating the user account and for verifying the user details.
     

Share This Page