Hi Everybody
I've searched and changed this code, but I would like to know if this code is secure, Can someone please help me with that
Index.php
<table width=350 border=1 bgcolor=#3399FF>
<?php
//Se inicia la session
session_start();
$username = $_SESSION['username'];
$password = $_SESSION['password'];
//Chequea si hay username y password
if(!$username && !$password){
echo "Bienvenido Visitante! <br> <a href=login.php>Login</a> | <a href=register.php>Register</a>";
}else{
echo "Bienvenido ".$username." (<a href=logout.php>Salir</a>)";
echo "Aqui va la parte protegida ? ";
//echo "<table width=350 border=1 bgcolor=#3399FF>\n";
echo " <tr>\n";
echo " <td>Esta parte es protegida ?</td>\n";
echo " </tr>\n";
//echo "</table>\n";
}
?>
</table>
Login.php
<?php
session_start();
//Formulario para entrar
function index(){
echo "<form action='?act=login' method='post'>"
."Username: <input type='text' name='username' size='30'><br>"
."Password: <input type='password' name='password' size='30'><br>"
."<input type='submit' value='Login'>"
."</form>";
}
// Esta funcion chequea si la informacion es correcta
function login(){
//Toma la informacion del formulario
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
//conecta la base de datos
$connect = mysql_connect("localhost", "root", "");
if(!$connect){
die(mysql_error());
}
//Selecciona la base
$select_db = mysql_select_db("base_nombre");
if(!$select_db){
die(mysql_error());
}
//chequea si la informacion es correcta
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
$row = mysql_fetch_array($result);
$id = $row['id'];
$select_user = mysql_query("SELECT * FROM users WHERE id='$id'");
$row2 = mysql_fetch_array($select_user);
$user = $row2['username'];
if($username != $user){
die("Username incorrecto!");
}
$pass_check = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id'");
$row3 = mysql_fetch_array($pass_check);
$email = $row3['email'];
$select_pass = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id' AND email='$email'");
$row4 = mysql_fetch_array($select_pass);
$real_password = $row4['password'];
if($password != $real_password){
die("Password incorrecto!");
}
//Si todo es correcto crea las sesione y permite engresar
session_register("username", $username);
session_register("password", $password);
echo "Bienvenido, ".$username." Para continuar de click aqui en el <a href=index.php>Index</a>";
}
switch($act){
default;
index();
break;
case "login";
login();
break;
}
?>
Logout.php
<?php
session_start();
//Aqui se destruye la session
session_destroy();
echo "Usted no esta logueado!, seleccione <a href=index.php>Index</a> o <a href=login.php>Ingresar</a>";
?>
REgister.php
<?php
//Muestra el formulario de registro
function register_form(){
$date = date('D, M, Y');
echo "<form action='?act=register' method='post'>"
."Username: <input type='text' name='username' size='30'><br>"
."Password: <input type='password' name='password' size='30'><br>"
."Confirmar password: <input type='password' name='password_conf' size='30'><br>"
."Email: <input type='text' name='email' size='30'><br>"
."<input type='hidden' name='date' value='$date'>"
."<input type='submit' value='Register'>"
."</form>";
}
//Registra la informacion del usuario
function register(){
//Connecta la database
$connect = mysql_connect("localhost", "root", "");
if(!$connect){
die(mysql_error());
}
//Selectciona la database
$select_db = mysql_select_db("data_name");
if(!$select_db){
die(mysql_error());
}
//Informacion
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$pass_conf = $_REQUEST['password_conf'];
$email = $_REQUEST['email'];
$date = $_REQUEST['date'];
//Apartir de aqui se empieza a chequear la informacion
if(empty($username)){
die("Favor digitar su username!<br>");
}
if(empty($password)){
die("Favor digitar su password!<br>");
}
if(empty($pass_conf)){
die("Favor confirmar su password!<br>");
}
if(empty($email)){
die("Favor digitar su email!");
}
//Chequeamos que el username no este en uso
$user_check = mysql_query("SELECT username FROM users WHERE username='$username'");
$do_user_check = mysql_num_rows($user_check);
//Ahora chequeamos si el email no este en uso
$email_check = mysql_query("SELECT email FROM users WHERE email='$email'");
$do_email_check = mysql_num_rows($email_check);
//Mostramos errores
if($do_user_check > 0){
die("Ese Username ya esta registrado!<br>");
}
if($do_email_check > 0){
die("Ese email ya esta registrado!");
}
//chequeamos que los passwords sean iguales
if($password != $pass_conf){
die("Los password digitados son diferentes!");
}
//Si todo esta bien, se agrega el usuario
$insert = mysql_query("INSERT INTO users (username, password, email) VALUES ('$username', '$password', '$email')");
if(!$insert){
die("Hay un problema: ".mysql_error());
}
echo $username.", ha sido registrado. muchas gracias!<br><a href=?act=login>Ingresar</a> | <a href=index.php>Index</a>";
}
switch($act){
default;
register_form();
break;
case "register";
register();
break;
}
?>
Thank you for your help
Regards,