smc Posted May 20, 2008

Hello everyone,

In an attempt to make a more streamlined login script I created a function for it. I access it through using this:

(Note: The dataEncode function does addslashes( htmlentities( INPUT ) ); )

```php
<?php
// Caller: escape the username with dataEncode() and hash the password with md5(),
// then require rank level 1 for the login to succeed.
$loginData = array(
    "username" => dataEncode( $_POST['xtcms_login_username'] ),
    "password" => md5( $_POST['xtcms_login_password'] )
);
authUser( $loginData['username'], $loginData['password'], 1 );
?>
```

The authUser function:

```php
<?php
function authUser( $user, $pass, $requiredLevel ){
    global $xtcms_prefix, $lang;
    dbConnect();

    // Username and md5 hash are interpolated directly into the query string
    // (legacy mysql_* extension; removed in PHP 7).
    $sql = mysql_query( "SELECT * FROM " . $xtcms_prefix . "users WHERE username = '$user' AND password = '$pass'" )
        or die( errorReturn( mysql_error() ) );

    // More than one matching row (or a negative count, which cannot occur) is treated as an unknown error.
    if( mysql_num_rows( $sql ) > 1 || mysql_num_rows( $sql ) < 0 ){
        errorReturn( $lang[XTCMS_LANG]['unknown_error'] );
    }elseif( mysql_num_rows( $sql ) == 0 ){
        errorReturn( $lang[XTCMS_LANG]['incorrect_credentials'] );
    }

    $result = mysql_fetch_array( $sql );
    mysql_close();

    // rank 0 = inactive account; a rank number above the required level means insufficient privilege.
    if( $result['rank'] == 0 ){
        errorReturn( $lang[XTCMS_LANG]['user_not_active'] );
    }elseif( $result['rank'] > $requiredLevel ){
        authReturn( FALSE );
    }else{
        authReturn( TRUE );
    }
}
?>
```

And the authReturn function:

```php
<?php
function authReturn( $result, $redirect = '../index.php' ){
    global $lang;

    // Pick the success or failure message, then render the result page and stop.
    if( $result == TRUE ){
        $loginResult = $lang[XTCMS_LANG]['auth_success'];
    }else{
        $loginResult = $lang[XTCMS_LANG]['auth_failure'];
    }
    require( XTCMS_TEMPLATE_PATH . "/global_header.tpl" );
    require( XTCMS_TEMPLATE_PATH . "/auth_result.tpl" );
    require( XTCMS_TEMPLATE_PATH . "/global_footer.tpl" );
    die;
}
?>
```

Is this secure? Or have I left myself open to injection/xss?
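For comparison, here is a hardened version of the same authUser() logic as an added example (not the poster's code and not part of the thread): the username is bound as a query parameter instead of being escaped on input, the password is checked with password_verify() against a stored password_hash() value instead of an md5 hex string, and HTML escaping is left to output time. It assumes a PDO connection `$pdo`, a `password_hash` column in the users table, and the same `$xtcms_prefix` and rank semantics as the post.

```php
<?php
// Added example, not the original poster's code. Assumes: $pdo is a PDO
// connection, the users table has a password_hash column (bcrypt via
// password_hash()), rank 0 = inactive, and a higher rank number = less privilege.
declare(strict_types=1);

/**
 * Returns true only if the credentials match and the account's rank is
 * sufficient for $requiredLevel. The caller decides what to render.
 */
function authUserHardened(PDO $pdo, string $prefix, string $user, string $pass, int $requiredLevel): bool
{
    // Prepared statement: the username travels as a bound parameter, never as
    // SQL text, so addslashes()/htmlentities() on input are not needed for
    // injection protection. The table prefix is a config value, not user input.
    $stmt = $pdo->prepare(
        "SELECT rank, password_hash FROM {$prefix}users WHERE username = :user LIMIT 2"
    );
    $stmt->execute([':user' => $user]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // Exactly one row is expected: zero means unknown user, two means bad data.
    if (count($rows) !== 1) {
        return false;
    }
    $row = $rows[0];

    // password_verify() handles the salt and the constant-time comparison.
    if (!password_verify($pass, $row['password_hash'])) {
        return false;
    }

    $rank = (int) $row['rank'];
    if ($rank === 0 || $rank > $requiredLevel) {
        return false;
    }
    return true;
}

// When a user is registered, store password_hash($plaintext, PASSWORD_DEFAULT)
// in the password_hash column instead of md5($plaintext).

// When the username is echoed into a template, escape at output time:
//   echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The same "one row or fail" check from the post is kept, but a duplicate-row condition now simply fails the login rather than rendering a distinct error, so the response does not reveal which condition occurred.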
moon 111 Posted May 20, 2008

Oops! Didn't see dataEncode. Never mind...