Secure PHP Login Script

Discussion in 'PHP' started by bmarshall.0511, Jul 24, 2008.

  1. bmarshall.0511

    bmarshall.0511 New Member

    Alright, so after many people asked me to post the login script I use for my site at locatestyle.com, I made two functions. Now these functions do not include everything that is used for the login procedure on locatestyle.com, due to the fact that I don't want everyone to know how the complete script works on there. I figure that the more completely you know how it works, the easier it is to find security flaws. Now granted, this could be more secure by using cookies in conjunction with a column in the database for the cookie value to be stored, but here's the basis. Let me know what you think and if you run into any errors.

    PHP:
    function doLogin($username, $password) {
        if ($_SERVER['SERVER_NAME'] == URL) {
            // Escape both values before they are placed inside the query string.
            $username = mysql_real_escape_string($username);
            $password = mysql_real_escape_string($password);
            $find_user = mysql_query("SELECT * FROM ".USERS_TABLE." WHERE username = '$username' AND password = '$password' LIMIT 1");
            if (mysql_num_rows($find_user) == 1) {
                $user = mysql_fetch_array($find_user);
                if ($user['active'] == 1) {
                    // Record the login time and client IP; checkLogin() compares against both.
                    // (No comma before WHERE: the stray "," in the posted version broke the UPDATE.)
                    $update_login = mysql_query("UPDATE ".USERS_TABLE." SET last_login = '".time()."', login_ip = '".$_SERVER['REMOTE_ADDR']."' WHERE id = '".$user['id']."'");
                    $_SESSION['id'] = $user['id'];
                    mysql_free_result($find_user);
                    return true;
                } else {
                    $login_error = "Your account has not been activated yet.";
                }
            } else {
                $login_error = "Wrong username/password.";
            }
            return $login_error;
        } else {
            die("You do not have permission to login to this site.");
        }
    }

    function checkLogin() {
        if ($_SESSION['id'] != '') {
            $user = mysql_fetch_array(mysql_query("SELECT * FROM ".USERS_TABLE." WHERE id = '".$_SESSION['id']."' LIMIT 1"));
            if ($user['login_ip'] == $_SERVER['REMOTE_ADDR']) {
                // The session expires after 600 seconds (10 minutes) without activity.
                $expired_time = $user['last_login'] + 600;
                if (time() >= $expired_time) {
                    session_destroy();
                    header('Location: index.php');
                    exit;
                } else {
                    // Still active: slide the window forward.
                    $update_login = mysql_query("UPDATE ".USERS_TABLE." SET last_login = '".time()."' WHERE id = '".$user['id']."'");
                }
            } else {
                session_destroy();
                header('Location: index.php');
                exit;
            }
        }
    }
    Now if you're new to PHP and don't know what you need to change, or how, or even what columns you need in your table, don't be afraid to ask.
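    The same two functions as an added example, not the original poster's code, rewritten with PDO prepared statements instead of string-built SQL, password_hash()/password_verify() instead of a plaintext password column, and the 10-minute idle timeout tracked in the session. It assumes session_start() has already been called, that $db is a connected PDO instance, and a users table with the assumed columns id, username, password_hash, active, last_login and login_ip.

```php
<?php
// Added example, not the original poster's code. Assumes session_start()
// has already run and $db is a connected PDO instance (ERRMODE_EXCEPTION).
// Assumed table: users(id, username, password_hash, active, last_login, login_ip);
// password_hash holds what password_hash($pw, PASSWORD_DEFAULT) produced at signup.
declare(strict_types=1);

const IDLE_TIMEOUT = 600; // seconds, the same 10-minute window as the original

// Returns null on success, or an error message to show the user.
function doLogin(PDO $db, string $username, string $password): ?string {
    // Prepared statement: the user-supplied values never become SQL text.
    $stmt = $db->prepare('SELECT id, password_hash, active FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // One message for "no such user" and "wrong password"; password_verify()
    // performs a constant-time comparison against the stored hash.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return 'Wrong username/password.';
    }
    if ((int) $user['active'] !== 1) {
        return 'Your account has not been activated yet.';
    }
    session_regenerate_id(true); // fresh id at login defeats session fixation
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['id'] = (int) $user['id'];
    $_SESSION['ip'] = $ip;
    $_SESSION['last_seen'] = time();
    $upd = $db->prepare('UPDATE users SET last_login = ?, login_ip = ? WHERE id = ?');
    $upd->execute([time(), $ip, $user['id']]);
    return null;
}

// Returns true if the session is valid; otherwise destroys it and redirects.
function checkLogin(): bool {
    if (empty($_SESSION['id'])) {
        return false;
    }
    $sameIp = ($_SESSION['ip'] ?? null) === ($_SERVER['REMOTE_ADDR'] ?? '');
    $idle   = time() >= ($_SESSION['last_seen'] ?? 0) + IDLE_TIMEOUT;
    if (!$sameIp || $idle) {
        $_SESSION = [];
        session_destroy();
        header('Location: index.php');
        exit; // never keep executing the protected page after a redirect
    }
    $_SESSION['last_seen'] = time(); // sliding window, as in the original
    return true;
}
```

    Binding the session to REMOTE_ADDR is kept from the original for comparison, but it will log out users whose address changes mid-session (mobile networks, proxies), so treat it as an optional check rather than the primary control.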
     
  2. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Wow, nice, thank you for this information :)
     
  3. shabbir

    shabbir Administrator Staff Member

    Nice information.
     
