Re: Security Question with my password protected login script...

Ian Gray wrote:
> Hello all,
> My question is, how secure is this?  I have the password, username etc in
> a
> MYSQL database but I haven't encrypted it (don't know how)

The MySQL 'password' function at http://mysql.com would work.

For something that is portable to non MySQL systems, you can use
http://php.net/crypt

> Should I have login.inc in a folder below my public_html directory?

Ideally, *NO* you should not.

It should be in a directory that is *NOT* below your public_html directory.

Make a directory called 'includes' or 'php' or something similar that is
*NEXT* to your public_html directory.

Then, using either .htaccess and:
php_value include_path "./:/complete/path/from/root/of/server/to/includes"

or perhaps http://php.net/set_include_path or http://php.net/set_ini you
want to convince PHP that the directory you just created is in your
include_path.

> I have removed some details such as passwords and swapped that with
> question
> marks.

Good!

> <?
> session_start(); // start session.
> if(!isset($username) | !isset($password)) {

This should be || and not |, really.

> // escape from php mode.
> ?>
>
> <html xmlns="http://www.w3.org/1999/xhtml">
...
> </html>
> <?
> exit();
> }
>
> // If all is well so far.
> session_register("IIDD");
> session_register("firstname");
> session_register("username");
> session_register("password"); // register username and password as session
> variables.

Not such a good idea, maybe.

They end up being in a file that *ANY* PHP script on your server can use.

If you are on a shared server, that means *EVERY* other user on your
machine that has access to PHP can read the username and password from
your session files.

What you might consider is storing their PHPSESSID into a table in your
database with their username.  You then can look them up with the PHPSESSID
that will be given back to you from their browser on each page.  Also
store the date/time, and update it to now() in every script/page.
Anything older than X minutes, you should consider an expired login, and
force them back to logging in again.

> // Here you would check the supplied username and password against your
> database to see if they exist.
> // For example, a MySQL Query, your method may differ.
> $link = mysql_connect("?????", "?????", "?????") or die("Could not
> connect");
> mysql_select_db("s??????") or die("Could not select database");
> $sql = mysql_query("SELECT customerID, password, firstname FROM
> customer_details WHERE username = '$username'");

If you use MySQL's 'password' function, you can do like:

"SELECT customer_ID, password = password('$password'), firstname FROM ..."

You'll get either 1 or 0 if their password matches the encrypted version
in your database, but you won't actually have their password stored in the
database, and that's Good.

If you want to use crypt, something more like:

"SELECT ..., password, ... FROM ...";
.
.
.
if (crypt($password, substr($fetch_em["password"], 0, 2)) ==
    $fetch_em["password"]) {
  $valid_user = 1;
} else {
  $valid_user = 0;
}

> $fetch_em = mysql_fetch_array($sql);
> $numrows = mysql_num_rows($sql);
>
> if($numrows != "0" & $password == $fetch_em["password"]) {
> $valid_user = 1;
> }
> else {
> $valid_user = 0;
> }
>
> $firstname = $fetch_em["firstname"];
> $IIDD = $fetch_em["customerID"];
> // If the username exists and pass is correct, don't pop up the login code
> again.
> // If info can't be found or verified....
>
> if (!($valid_user))
> {
> session_unset();   // Unset session variables.
> session_destroy(); // End Session we created earlier.
> // escape from php mode.
> ?>
> <html xmlns="http://www.w3.org/1999/xhtml">
...

> </html>
> <?
> exit();
> }
> ?>


Since all the HTML in the two places I put ... is the same (right?) then
that should be an include file, so you can't get them out of sync.

Better yet, would be to re-structure your page so that the first form is
just not there, and you only TRY to log in if (isset($_POST['username']))

So your page is more like this:

<?php
$valid_user = false; // default: not logged in until the check below says so
if (isset($_POST['username'])){
  //check if they are kosher, and decide on $valid_user setting
}
if (!$valid_user){
?>
<HTML>login form</HTML>
<?php
  exit;
}
?>

-- 
Like Music?
http://l-i-e.com/artists.htm
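A concrete version of the two things the reply recommends, the session-id table with an idle timeout and a crypt() password check, written as an added example and not code from the original thread. It assumes PHP with PDO and the SQLite driver; the 'logins' table, the 15-minute limit, the sample hash and the sample session id are constructed for this example.

```php
<?php
// Added example, not code from the original post: a server-side login table
// keyed by the PHP session id, with an idle timeout, as the reply suggests.
// Assumes PDO + SQLite; table name, limit and sample values are constructed.
const IDLE_MINUTES = 15;

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE logins (sessid TEXT PRIMARY KEY, username TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    return $db;
}

// After a successful login: remember the session id and user, never the password.
function record_login(PDO $db, string $sessid, string $username, int $now): void {
    $st = $db->prepare('INSERT OR REPLACE INTO logins (sessid, username, last_seen) VALUES (?, ?, ?)');
    $st->execute([$sessid, $username, $now]);
}

// On every page: look the session id up; reject it if unknown or idle too long,
// otherwise refresh last_seen. Returns the username, or null to force a re-login.
function current_user(PDO $db, string $sessid, int $now): ?string {
    $st = $db->prepare('SELECT username, last_seen FROM logins WHERE sessid = ?');
    $st->execute([$sessid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ($now - (int)$row['last_seen'] > IDLE_MINUTES * 60) {
        $db->prepare('DELETE FROM logins WHERE sessid = ?')->execute([$sessid]);
        return null;
    }
    $db->prepare('UPDATE logins SET last_seen = ? WHERE sessid = ?')->execute([$now, $sessid]);
    return $row['username'];
}

// Password check against a crypt() hash from the customer table: passing the
// stored hash as the salt lets crypt() reuse whatever scheme produced it.
function password_ok(string $supplied, string $stored): bool {
    return hash_equals($stored, crypt($supplied, $stored));
}

// Constructed walk-through; a real page would use session_id() and time().
$db = open_db();
$sid = 'constructed-session-id';
$storedHash = crypt('secret', '$6$examplesalt$');   // what the customer table would hold
if (password_ok('secret', $storedHash)) {
    record_login($db, $sid, 'ian', 1000);
}
var_dump(current_user($db, $sid, 1000 + 5 * 60));    // request five minutes later
var_dump(current_user($db, $sid, 1000 + 40 * 60));   // request after forty idle minutes
```

Current PHP also provides password_hash() and password_verify(), which choose the salt and hashing scheme for you instead of the hand-built crypt() salt shown in the thread.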

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux