Re: Is this password protection script secure?

On 3/14/06, IG <php@xxxxxxxxxxxxxxxxxxxx> wrote:
> Hello.
>
> I got a password protected login script of t'internet a while back and
> have implemented it. I just want to make sure it is secure. I am aware
> that the password is stored directly in the database and I don't think
> this is a good thing. If the following could be looked at to see if
> there are any improvements I would be most grateful. The script is then
> called on each page that requires password protection thus-
> <? session_start();
> include('login.php');
> ?>
>
>
> Here is the code for login.php-
>
>
>
> <?
> if(!isset($username) | !isset($password)) {
> // escape from php mode.
> ?>
> <html><head></head><body>
>
> <form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?".
> $QUERY_STRING;}?>" method="POST" name="customerlogin" id="customerlogin">
>
> <table width="300">
>           <tr>
>             <td>Username:</td>
>             <td><input name="username" type="text"></td>
>           </tr>
>           <tr>
>             <td>Password:</td>
>             <td><input name="password" type="password"></td>
>           </tr>
>           <tr>
>             <td>&nbsp;</td>
>             <td><input type="submit" class="formy"
> value="Login&gt;&gt;&gt;"></td></tr></table>
>       </form>
>
> </body>
> </html>
> <?
> exit();
> }
>
> // If all is well so far.
> session_register("table_id");
> session_register("name");
> session_register("Forenames");
> session_register("Surname");
> session_register("username");
> session_register("password");
> session_register("pw"); // register username and password as session variables.
>
>
> $link = mysql_connect("MYSQL_DATABASE_SERVER", "MYSQL_USERNAME",
> "MYSQL_PW") or die("<--Could not connect-->");
> mysql_select_db("MYSQL_DATABASE_NAME") or die("<-- Could not select
> database-->");
> $sql = "SELECT `id`, `Surname`, `Forenames`, `username`, `pw` FROM
> MYSQL_TABLE_NAME WHERE `username` = '$username'";
> $result = mysql_query($sql) or die("Query failed 888");
> list($table_id, $Surname, $Forenames, $un, $pw) = mysql_fetch_row($result);
>
> $numrows = mysql_num_rows($result);
>
> if($numrows != "0" AND $password == $pw) {
> $valid_user = 1;
> $name = $Forenames." ".$Surname;
> }
> else {
> $valid_user = 0;
> }
>
> // If the username exists and pass is correct, don't pop up the login code again.
> // If info can't be found or verified....
>
> if (!($valid_user))
> {
> session_unset();   // Unset session variables.
> session_destroy(); // End Session we created earlier.
> // escape from php mode.
> ?>
>
> <html><head></head><body>
>
>
> <form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?".
> $QUERY_STRING;}?>" method="POST">
>
>
> Incorrect username and/or password.  Please enter correct ones to log in:
>
> <table width="300">
>
>           <tr>
>             <td>Username:</td>
>             <td><input name="username" type="text"></td>
>           </tr>
>           <tr>
>             <td>Password:</td>
>             <td><input name="password" type="password"></td>
>           </tr>
>           <tr>
>             <td>&nbsp;</td>
>             <td><input type="submit" class="formy"
> value="Login&gt;&gt;&gt;"></td></tr></table>
> </body>
> </html>
> <?
> exit();
> }
> ?>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
>


You should encrypt the password in the database, with a one-way hash,
then you simply compare what's in your db to what the login form
submits.

That way if you get hacked, or your admin goes postal, you won't have
people's unencrypted passwords in the database.

--
Anthony Ettinger
Signature: http://chovy.dyndns.org/hcard.html

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
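One way to do what Anthony describes, as an added example that is not code from either message in the thread: store a one-way hash of the password and verify the submitted password against it. It also binds the username as a query parameter instead of interpolating it into the SQL string as the posted login.php does. It assumes PHP 7 or later, an open PDO connection in $pdo, and a users table with username and pw_hash columns; those names are hypothetical.

```php
<?php
// Added example, not code from the original thread. Hypothetical schema: a
// `users` table with `username` and `pw_hash` columns; $pdo is an open PDO
// connection. Requires PHP 7+ (password_hash(), password_verify(), ??).

// Called when an account is created or its password is changed.
function store_password(PDO $pdo, $username, $password)
{
    // password_hash() picks a random salt and uses a deliberately slow
    // algorithm (bcrypt by default); only the hash reaches the database.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE users SET pw_hash = :hash WHERE username = :user');
    $stmt->execute([':hash' => $hash, ':user' => $username]);
}

// Replaces the "$numrows != 0 AND $password == $pw" test in the posted login.php.
function check_login(PDO $pdo, $username, $password)
{
    // Bound parameter instead of interpolating $username into the SQL string.
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still do one bcrypt verification against a fixed dummy
        // hash so the response time does not reveal whether the name exists.
        password_verify($password, '$2y$10$' . str_repeat('a', 53));
        return false;
    }
    // password_verify() re-hashes the input with the stored salt and cost and
    // compares the result in constant time.
    return password_verify($password, $row['pw_hash']);
}

// Usage in login.php, after the caller's session_start(): read the form fields
// from $_POST (not register_globals) and keep only the identity, never the
// password, in the session.
function handle_login_request(PDO $pdo)
{
    if (check_login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        session_regenerate_id(true); // fresh session id once logged in
        $_SESSION['username'] = $_POST['username'];
        return true;
    }
    session_unset();
    session_destroy();
    return false;
}
```

Existing plaintext rows can be migrated by calling store_password() once per user on their next successful login, after which the `pw` column can be dropped.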


