Go4Expert


bmarshall.0511 25Jul2008 03:57

Secure PHP Login Script
 
Alright so after many people asking me to post the login script I use for my site at locatestyle.com, I made two functions. Now these functions do not include everything that is used for the login procedure on locatestyle.com due to the fact I don't want everyone to know how the complete script works on there. Figure if you know completely how it works, the easier it is to find security flaws. Now granted this could be more secure by using cookies in conjunction with a column in the database for the cookie value to be stored but here's the basis. Let me know what you think and if you run into any errors.

PHP Code:

function doLogin($username, $password) {
    if ($_SERVER['SERVER_NAME'] == URL) {
        // Escape the user-supplied values before they are placed in the query string
        $username = mysql_real_escape_string($username);
        $password = mysql_real_escape_string($password);
        $find_user = mysql_query("SELECT * FROM ".USERS_TABLE." WHERE username = '$username' AND password = '$password' LIMIT 1");
        if (mysql_num_rows($find_user) == 1) {
            $user = mysql_fetch_array($find_user);
            if ($user['active'] == 1) {
                // Record the login time and the client IP for checkLogin()
                $update_login = mysql_query("UPDATE ".USERS_TABLE." SET last_login = '".time()."', login_ip = '".$_SERVER['REMOTE_ADDR']."' WHERE id = '".$user['id']."'");
                $_SESSION['id'] = $user['id'];
                mysql_free_result($find_user);
            } else {
                $login_error = "Your account has not been activated yet.";
            }
        } else {
            $login_error = "Wrong username/password.";
        }
    } else {
        die("You do not have permission to login to this site.");
    }
}

function checkLogin() {
    if ($_SESSION['id'] != '') {
        $user = mysql_fetch_array(mysql_query("SELECT * FROM ".USERS_TABLE." WHERE id = '".$_SESSION['id']."' LIMIT 1"));
        if ($user['login_ip'] == $_SERVER['REMOTE_ADDR']) {
            // The session expires 600 seconds (10 minutes) after the last activity
            $expired_time = $user['last_login'] + 600;
            if (time() >= $expired_time) {
                session_destroy();
                header('Location: index.php');
                exit; // stop here so the rest of the page does not run
            } else {
                // Still active: push the expiry window forward
                $update_login = mysql_query("UPDATE ".USERS_TABLE." SET last_login = '".time()."' WHERE id = '".$user['id']."'");
            }
        } else {
            // The IP changed since login: end the session
            session_destroy();
            header('Location: index.php');
            exit;
        }
    }
}


Now if you're new to PHP and don't know what you need to change or how or even what columns you need in your table, don't be afraid to ask.
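
The same login and session check written with PDO prepared statements and `password_hash()`/`password_verify()`, as an added example that is not part of the original post or of locatestyle.com's code. The `users` table layout, `doLoginPdo`, `checkLoginPdo` and `IDLE_LIMIT` are assumed names, and the demo rows are constructed.

```php
<?php
// Added example: function names, IDLE_LIMIT and the users table layout are assumptions.
const IDLE_LIMIT = 600; // seconds: the 10-minute idle window used in the post

function doLoginPdo(PDO $db, string $user, string $pass, string $ip): ?string {
    // Placeholders keep user input out of the SQL text.
    $q = $db->prepare('SELECT id, password_hash, active FROM users WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the input against a password_hash() value.
    if (!$row || !password_verify($pass, $row['password_hash'])) {
        return 'Wrong username/password.';
    }
    if ((int) $row['active'] !== 1) {
        return 'Your account has not been activated yet.';
    }
    $db->prepare('UPDATE users SET last_login = ?, login_ip = ? WHERE id = ?')
       ->execute([time(), $ip, $row['id']]);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id after authentication
    }
    $_SESSION['id'] = (int) $row['id'];
    return null; // null signals success
}

function checkLoginPdo(PDO $db, string $ip): bool {
    if (empty($_SESSION['id'])) {
        return false;
    }
    $q = $db->prepare('SELECT last_login, login_ip FROM users WHERE id = ?');
    $q->execute([$_SESSION['id']]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    $ok = $row && $row['login_ip'] === $ip && time() < (int) $row['last_login'] + IDLE_LIMIT;
    if (!$ok) {
        $_SESSION = []; // the caller then destroys the session and redirects
        return false;
    }
    $db->prepare('UPDATE users SET last_login = ? WHERE id = ?')
       ->execute([time(), $_SESSION['id']]);
    return true;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, active INTEGER, last_login INTEGER, login_ip TEXT)');
$db->prepare('INSERT INTO users (username, password_hash, active) VALUES (?, ?, 1)')
   ->execute(['demo', password_hash('constructed-passphrase', PASSWORD_DEFAULT)]);
var_dump(doLoginPdo($db, 'demo', 'wrong-guess', '192.0.2.10'));
var_dump(doLoginPdo($db, 'demo', 'constructed-passphrase', '192.0.2.10'));
var_dump(checkLoginPdo($db, '192.0.2.10'), checkLoginPdo($db, '192.0.2.99'));
```

Run from the command line, the demo needs the `pdo_sqlite` extension; in a web request, call `session_start()` before either function.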

XXxxImmortalxxXX 25Jul2008 04:19

Re: Secure PHP Login Script
 
Wow, nice, thank you for this information :)

shabbir 25Jul2008 09:39

Re: Secure PHP Login Script
 
Nice information.


All times are GMT +5.5.