Secure PHP Login Script

bmarshall.0511

Alright so after many people asking me to post the login script I use for my site at locatestyle.com, I made two functions. Now these functions do not include everything that is used for the login procedure on locatestyle.com due to the fact I don't want everyone to know how the complete script works on there. Figure if you know completely how it works, the easier it is to find security flaws. Now granted this could be more secure by using cookies in conjunction with a column in the database for the cookie value to be stored but here's the basis. Let me know what you think and if you run into any errors.

PHP Code:


			
function doLogin($username,$password) {

    if($_SERVER['SERVER_NAME'] == URL) {

        $find_user = mysql_query("SELECT * FROM ".USERS_TABLE." WHERE username = '$username' AND password = '$password' LIMIT 1");

        if(mysql_num_rows($find_user) == 1) {

            $user = mysql_fetch_array($find_user);

            if($user['active'] == 1) {

                $update_login = mysql_query("UPDATE ".USERS_TABLE." SET last_login = '".time()."',login_ip = '".$_SERVER['REMOTE_ADDR']."', WHERE id = '".$user['id']."'");

                $_SESSION['id'] = $user['id'];

                mysql_free_result($find_user);

            } else {

                $login_error = "Your account has not been activated yet.";

            }

        } else {

            $login_error = "Wrong username/password.";

        } 

    } else {

        die("You do not have permission to login to this site.");

    }

}



function checkLogin() {

    if($_SESSION['id'] != '') {

        $user = mysql_fetch_array(mysql_query("SELECT * FROM ".USERS_TABLE." WHERE id = '".$_SESSION['id']."' LIMIT 1"));

        if($user['login_ip'] == $_SERVER['REMOTE_ADDR']) {

            $expired = $user['last_login'] + 600;

            if(time() >= $expired_time) {

                session_destroy();

                header('Location: index.php');

            } else {

                $update_login = mysql_query("UPDATE ".USERS_TABLE." SET last_login = '".time()."' WHERE id = '".$user['id']."'");

            }

        } else {

            session_destroy();

            header('Location: index.php');

        }

    }

}

Now if your new to PHP and don't know what you need to change or how or even what columns you need in your table don't be afraid to ask.

XXxxImmortalxxXX

WoW nice thankyou for this information

shabbir

Nice information.

bmarshall.0511 Newbie Member
25Jul2008,03:57	#1
	Alright so after many people asking me to post the login script I use for my site at locatestyle.com, I made two functions. Now these functions do not include everything that is used for the login procedure on locatestyle.com due to the fact I don't want everyone to know how the complete script works on there. Figure if you know completely how it works, the easier it is to find security flaws. Now granted this could be more secure by using cookies in conjunction with a column in the database for the cookie value to be stored but here's the basis. Let me know what you think and if you run into any errors. PHP Code: function doLogin($username,$password) { if($_SERVER['SERVER_NAME'] == URL) { $find_user = mysql_query("SELECT * FROM ".USERS_TABLE." WHERE username = '$username' AND password = '$password' LIMIT 1"); if(mysql_num_rows($find_user) == 1) { $user = mysql_fetch_array($find_user); if($user['active'] == 1) { $update_login = mysql_query("UPDATE ".USERS_TABLE." SET last_login = '".time()."',login_ip = '".$_SERVER['REMOTE_ADDR']."', WHERE id = '".$user['id']."'"); $_SESSION['id'] = $user['id']; mysql_free_result($find_user); } else { $login_error = "Your account has not been activated yet."; } } else { $login_error = "Wrong username/password."; } } else { die("You do not have permission to login to this site."); } } function checkLogin() { if($_SESSION['id'] != '') { $user = mysql_fetch_array(mysql_query("SELECT * FROM ".USERS_TABLE." WHERE id = '".$_SESSION['id']."' LIMIT 1")); if($user['login_ip'] == $_SERVER['REMOTE_ADDR']) { $expired = $user['last_login'] + 600; if(time() >= $expired_time) { session_destroy(); header('Location: index.php'); } else { $update_login = mysql_query("UPDATE ".USERS_TABLE." SET last_login = '".time()."' WHERE id = '".$user['id']."'"); } } else { session_destroy(); header('Location: index.php'); } } } Now if your new to PHP and don't know what you need to change or how or even what columns you need in your table don't be afraid to ask. carterlangley likes this

XXxxImmortalxxXX Invasive contributor
25Jul2008,04:19	#2
	WoW nice thankyou for this information

shabbir Go4Expert Founder
25Jul2008,09:39	#3
	Nice information.

Secure PHP Login Script

Already a member?

Not a member yet?

Search Go4Expert

Latest Forum Topics

Find Us On Facebook

Latest Articles

User Name:		Save
Password