Hello all,
I have the following script called login.inc which I include at the
beginning of each page on my customer control panel. Basically it checks to
see if a session has been created with user details and if it has it carries
on with the rest of the page and if not the login screen is printed.
My question is, how secure is this? I have the password, username etc in a
MYSQL database but I haven't encrypted it (don't know how)
Should I have login.inc in a folder below my public_html directory?
I have removed some details such as passwords and swapped that with question
marks.
Many thanks,
Ian Gray
Here is the code?
<?
session_start(); // start session.
if(!isset($username) | !isset($password)) {
// escape from php mode.
?>
<html xmlns="http://www.w3.org/1999/xhtml";>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Customer Login</title>
<link href="login.css" rel="stylesheet" type="text/css" />
<script language="JavaScript" type="text/javascript">
</head>
<body onLoad="self.focus();document.customerlogin.username.focus()" >
<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>"
method="POST" name="customerlogin" id="customerlogin">
<table width="500" height="320" border="1" align="center" cellpadding="0"
cellspacing="0" bordercolor="#000033" background="images/login.jpg">
<tr>
<td valign="top"><table width="500" border="0" cellspacing="0"
cellpadding="0">
<tr>
<td bgcolor="#343399"><div align="right"><img src="images/cl.jpg"
alt="Customer Login>>>" width="400" height="40" /></div></td>
</tr>
<tr>
<td><p> </p>
<p> </p></td>
</tr>
<tr>
<td class="texty"><div align="center">Customer control panel. Please
enter
your username and password into the boxes below:</div></td>
</tr>
<tr>
<td><table width="300" border="0" align="center" cellpadding="0"
cellspacing="5">
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td class="bluey">Username:</td>
<td><input name="username" type="text" class="formy"></td>
</tr>
<tr>
<td class="bluey">Password:</td>
<td><input name="password" type="password" class="formy"></td>
</tr>
<tr>
<td> </td>
<td>
<div align="center">
<input type="submit" class="formy"
value="Login>>>">
</div></td></tr>
</table></td>
</tr>
<tr>
<td> </td>
</tr>
</table></td>
</tr>
</table></form>
</body>
</html>
<?
exit();
}
// If all is well so far.
session_register("IIDD");
session_register("firstname");
session_register("username");
session_register("password"); // register username and password as session
variables.
// Here you would check the supplied username and password against your
database to see if they exist.
// For example, a MySQL Query, your method may differ.
$link = mysql_connect("?????", "?????", "?????") or die("Could not
connect");
mysql_select_db("s??????") or die("Could not select database");
$sql = mysql_query("SELECT customerID, password, firstname FROM
customer_details WHERE username = '$username'");
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);
if($numrows != "0" & $password == $fetch_em["password"]) {
$valid_user = 1;
}
else {
$valid_user = 0;
}
$firstname = $fetch_em["firstname"];
$IIDD = $fetch_em["customerID"];
// If the username exists and pass is correct, don't pop up the login code
again.
// If info can't be found or verified....
if (!($valid_user))
{
session_unset(); // Unset session variables.
session_destroy(); // End Session we created earlier.
// escape from php mode.
?>
<html xmlns="http://www.w3.org/1999/xhtml";>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Customer Login</title>
<link href="login.css" rel="stylesheet" type="text/css" />
</head>
<body>
<br />
<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>"
method="POST">
<table width="500" height="320" border="1" align="center" cellpadding="0"
cellspacing="0" bordercolor="#000033" background="images/login.jpg">
<tr>
<td valign="top"><table width="500" border="0" cellspacing="0"
cellpadding="0">
<tr>
<td bgcolor="#343399"><div align="right"><img src="images/cl.jpg"
alt="Customer Login>>>" width="400" height="40" /></div></td>
</tr>
<tr>
<td><p> </p>
<p> </p></td>
</tr>
<tr>
<td class="texty"><div align="center">Incorrect username and/or
password. Please enter correct ones to log in:</div></td>
</tr>
<tr>
<td><table width="300" border="0" align="center" cellpadding="0"
cellspacing="5">
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td class="bluey">Username:</td>
<td><input name="username" type="text" class="formy"></td>
</tr>
<tr>
<td class="bluey">Password:</td>
<td><input name="password" type="password" class="formy"></td>
</tr>
<tr>
<td> </td>
<td>
<div align="center">
<input type="submit" class="formy"
value="Login>>>">
</div></td></tr>
</table></td>
</tr>
<tr>
<td> </td>
</tr>
</table></td>
</tr>
</table></form>
</body>
</html>
<?
exit();
}
?>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
