Ok, so here is the deal. I'm trying to make a login system that is more secure (and make it better in general), but I am having a bit of trouble. I realize some of my problems but I cannot think of another way to fix them. So here is my code.

My SQL command:
Code:
CREATE TABLE users (
    id INT(55) NOT NULL AUTO_INCREMENT,
    username VARCHAR(255) NOT NULL,
    password VARCHAR(255) NOT NULL,
    name VARCHAR(144) NOT NULL,
    PRIMARY KEY ( id )
);

conf.php
PHP:
<?php
$sqlhost = "<!--Your mysql host-->";
$sqluser = "<!--Your mysql username-->";
$sqlpass = "<!--Your mysql password-->";
$sqldb   = "<!--The DB you just made-->";

// Connect and select the database (variable name fixed: it was $sql_user, which is never defined)
$con = mysql_connect( $sqlhost, $sqluser, $sqlpass )
    or die( "Error connecting to sql server: ".mysql_error() );
$db = mysql_select_db( $sqldb, $con )
    or die( "Error selecting db: ".mysql_error() );
?>

register.php
PHP:
<html>
<head>
<title>Registration</title>
</head>
<body>
<?php if( isset( $_GET['bad'] ) && $_GET['bad'] == '1' ) { ?>
<p class="bad">The username you entered is unavailable.
<br />Please try again.</p>
<?php } ?>
<form action="registration.php" method="post">
<table width="300" >
<tr><td colspan="2">Please Register.</td></tr>
<tr><td>Username:</td><td><input type="text" name="user" /></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" /></td></tr>
<tr><td>Real Name:</td><td><input type="text" name="name" /></td></tr>
<tr><td colspan="2"><input type="submit" name="register" value="Register" /></td></tr>
</table>
</form>
</body>
</html>

registration.php
PHP:
<?php
require( "conf.php" );

if( isset( $_POST['register'] ) ) {
    $user = stripslashes( $_POST['user'] );
    // Hash the raw password with the fixed prefix/suffix; the same expression must be
    // used in login.php or a password containing a quote will never match
    $password = md5( "j!2B".$_POST['password']."^nmH" );
    $name = stripslashes( $_POST['name'] );

    // Check whether the username is already taken
    $rcheck = mysql_query( "SELECT id FROM users WHERE username = '$user' " )
        or die( "Error validating username: ".mysql_error() );

    if( mysql_num_rows( $rcheck ) == 0 ) {
        // Name the columns so the auto-increment id is generated by the database
        $reg = mysql_query( "INSERT INTO users ( username, password, name ) VALUES( '$user', '$password', '$name' ) " )
            or die( "Error registering: ".mysql_error() );
        header( "Location: index.php" );
    } else {
        header( "Location: register.php?bad=1" );
    }
}
?>

index.php
PHP:
<html>
<head>
<title>Please Login</title>
</head>
<body>
<?php if( isset( $_GET['bad'] ) && $_GET['bad'] == '1' ) { ?>
<p class="bad">The username or password you entered was incorrect.
<br />Please try again.</p>
<?php } ?>
<?php if( isset( $_GET['bad'] ) && $_GET['bad'] == '2' ) { ?>
<p class="bad">You must be logged in to go there.</p>
<?php } ?>
<form action="login.php" method="post">
<table>
<tr><td>Please Login</td></tr>
<tr><td>Username:</td><td><input type="text" name="user" /></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" /></td></tr>
<tr><td colspan="2"><a href="register.php">Registration</a></td></tr>
<tr><td colspan="2"><input type="submit" name="login" value="Login" /></td></tr>
</table>
</form>
</body>
</html>

login.php
PHP:
<?php
require( 'conf.php' );

if( isset( $_POST['login'] ) ) {
    $user = stripslashes( $_POST['user'] );
    // Same hashing expression as registration.php
    $password = md5( "j!2B".$_POST['password']."^nmH" );

    $check = mysql_query( "SELECT id FROM users WHERE username = '$user' AND password = '$password'" )
        or die( "Error validating user info: ".mysql_error() );
    $count = mysql_num_rows( $check );

    if( $count == 1 ) {
        session_start();
        // Store the numeric id, not the whole result row
        $row = mysql_fetch_assoc( $check );
        $_SESSION['id'] = $row['id'];
        $_SESSION['username'] = $user;
        header( "Location: welcome.php" );
    } else {
        header( "Location: index.php?bad=1" );
    }
}
?>

welcome.php
PHP:
<?php
session_start();
if( !isset( $_SESSION['id'] ) ) {
    header( "Location: index.php?bad=2" );
} else {
?>
<html>
<head>
<title>Welcome User</title>
</head>
<body>
<h1>Welcome User</h1>
<a href="logout.php">Logout</a>
</body>
</html>
<?php } ?>

And the little script added to each page to check if they log in
PHP:
<?php
session_start();
if( !isset( $_SESSION['id'] ) ) {
    header( "Location: index.php?bad=2" );
} else {
// page content goes here; the page ends with the closing "<?php } ?>"
?>
Firstly, you are allowing anyone to register an account - if that is the case, why have a user account at all? Account verification should be a two-stage process, if true secure account creation and login is required. Secondly, you are hard-coding variables into your SQL code - this is the easiest way to allow hackers to use SQL injection .... huge no-no !!! If you want a secure login, use SSL and spend some cash on a secure certificate (Verisign or Thawte are the two largest companies) - all transactions will then be encrypted. Then use stored procedures at the database level - you pass into the stored procedure the parameters you need (in this case the username and password). And make sure the encryption of the password is done at the database level, within the stored procedure - both for creating the user account and for verifying the user details.
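One way to follow the reply's point about not hard-coding the submitted values into the SQL text is to bind them as parameters. This is an added example, not the original poster's code: the registration and login checks rewritten with PDO prepared statements and PHP's password_hash(); the host, database and credential values are placeholders, and it assumes the users table from the post with the password column holding password_hash() output.

```php
<?php
// Added example: parameterised registration and login for the users table above.
// Connection values are placeholders; replace them with your own.

function connectDb(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASS');
    // Use real server-side prepared statements (no client-side emulation) and
    // throw exceptions instead of silently returning false on errors.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Returns true when the account was created, false when the username is taken.
function registerUser(PDO $pdo, string $user, string $password, string $name): bool
{
    $exists = $pdo->prepare('SELECT id FROM users WHERE username = ?');
    $exists->execute([$user]);
    if ($exists->fetch() !== false) {
        return false;
    }
    // password_hash() picks a random salt per user and a slow hash, so the fixed
    // "j!2B...^nmH" prefix/suffix and md5 from the post are no longer needed.
    $insert = $pdo->prepare('INSERT INTO users (username, password, name) VALUES (?, ?, ?)');
    return $insert->execute([$user, password_hash($password, PASSWORD_DEFAULT), $name]);
}

// Returns the user id on success, null on failure. The username travels to the
// server separately from the query text, so a quote in it is matched as data
// rather than changing the statement.
function checkLogin(PDO $pdo, string $user, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Usage inside login.php: issue a fresh session id on success.
// session_start();
// $id = checkLogin(connectDb(), $_POST['user'] ?? '', $_POST['password'] ?? '');
// if ($id !== null) { session_regenerate_id(true); $_SESSION['id'] = $id; }
```

Because the hash is now produced by password_hash(), the password column stays VARCHAR(255) as in the post, but the md5 comparison in the original login.php query is replaced by password_verify() in PHP.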