smc, posted May 20, 2008

Hello everyone,

In an attempt to make a more streamlined login script I created a function for it. I access it like this (note: the dataEncode function does addslashes( htmlentities( INPUT ) ); ):

<?php
$loginData = array(
    "username" => dataEncode( $_POST['xtcms_login_username'] ),
    "password" => md5( $_POST['xtcms_login_password'] )
);
authUser( $loginData['username'], $loginData['password'], 1 );
?>

The authUser function:

<?php
function authUser( $user, $pass, $requiredLevel ){
    global $xtcms_prefix, $lang;
    dbConnect();
    $sql = mysql_query( "SELECT * FROM " . $xtcms_prefix . "users WHERE username = '$user' AND password = '$pass'" )
        or die( errorReturn( mysql_error() ) );
    if( mysql_num_rows( $sql ) > 1 || mysql_num_rows( $sql ) < 0 ){
        errorReturn( $lang[XTCMS_LANG]['unknown_error'] );
    }elseif( mysql_num_rows( $sql ) == 0 ){
        errorReturn( $lang[XTCMS_LANG]['incorrect_credentials'] );
    }
    $result = mysql_fetch_array( $sql );
    mysql_close();
    if( $result['rank'] == 0 ){
        errorReturn( $lang[XTCMS_LANG]['user_not_active'] );
    }elseif( $result['rank'] > $requiredLevel ){
        authReturn( FALSE );
    }else{
        authReturn( TRUE );
    }
}
?>

And the authReturn function:

<?php
function authReturn( $result, $redirect = '../index.php' ){
    global $lang;
    if( $result == TRUE ){
        $loginResult = $lang[XTCMS_LANG]['auth_success'];
    }else{
        $loginResult = $lang[XTCMS_LANG]['auth_failure'];
    }
    require( XTCMS_TEMPLATE_PATH . "/global_header.tpl" );
    require( XTCMS_TEMPLATE_PATH . "/auth_result.tpl" );
    require( XTCMS_TEMPLATE_PATH . "/global_footer.tpl" );
    die;
}
?>

Is this secure? Or have I left myself open to injection/xss?

https://forums.phpfreaks.com/topic/106404-login-script-secure/
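For comparison, here is a hardened counterpart of the authUser() flow asked about above. This is an added example, not smc's code and not part of the thread: it replaces string interpolation plus addslashes() with a PDO prepared statement (so the username is bound as data, never spliced into the SQL text), replaces a bare md5() comparison in the WHERE clause with password_hash()/password_verify(), and moves HTML escaping from the input side to the output side, which is where it actually prevents XSS. Assumptions not in the original: a PDO connection (an in-memory SQLite database here so the script runs offline), a "<prefix>users" table with username, password and rank columns, the rank scale implied by the original's "rank > requiredLevel" check (lower number means more privilege, 0 means not activated), and that the prefix is a configuration constant rather than user input.

```php
<?php
declare(strict_types=1);

// Added example, not smc's code. Assumptions: PDO connection, a
// "<prefix>users" table (username, password, rank), rank 0 = inactive,
// lower rank = more privilege, $prefix comes from config (not the user).

// Register a user: store a salted bcrypt hash, never md5($password).
function createUser(PDO $db, string $prefix, string $user, string $pass, int $rank): void
{
    $stmt = $db->prepare("INSERT INTO {$prefix}users (username, password, rank) VALUES (:u, :p, :r)");
    $stmt->execute([':u' => $user, ':p' => password_hash($pass, PASSWORD_DEFAULT), ':r' => $rank]);
}

// True only for an active user whose password verifies and whose rank is
// within $requiredLevel. All failure modes return the same value so the
// response does not reveal whether the username exists or is inactive.
function authUser(PDO $db, string $prefix, string $user, string $pass, int $requiredLevel): bool
{
    // Parameterised query: the username is bound, so quote characters in it
    // are data, and no addslashes()/escaping step is needed for injection safety.
    $stmt = $db->prepare("SELECT password, rank FROM {$prefix}users WHERE username = :u LIMIT 1");
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one hash verification so timing does not
        // differ noticeably from the known-user path.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);
        password_verify($pass, $dummyHash);
        return false;
    }
    if (!password_verify($pass, $row['password'])) {
        return false;
    }
    if ((int) $row['rank'] === 0) {
        return false; // account not activated
    }
    return (int) $row['rank'] <= $requiredLevel;
}

// Output-side escaping: encode for HTML when rendering, not when storing,
// so the stored username stays intact and the page cannot be scripted.
function renderAuthResult(bool $ok, string $user): string
{
    $safeUser = htmlspecialchars($user, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $ok ? "<p>Welcome, {$safeUser}.</p>" : '<p>Login failed.</p>';
}

// --- Demonstration with constructed data (in-memory SQLite) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$prefix = 'xtcms_';
$db->exec("CREATE TABLE {$prefix}users (username TEXT PRIMARY KEY, password TEXT NOT NULL, rank INTEGER NOT NULL)");
createUser($db, $prefix, 'alice', 'correct horse battery staple', 1);
createUser($db, $prefix, "o'brien", 'another passphrase', 1); // quote in the username is just data
createUser($db, $prefix, 'bob', 'hunter2', 0);                  // not activated

$cases = [
    ['alice',                        'correct horse battery staple', 1, true],
    ['alice',                        'wrong',                        1, false],
    ["o'brien",                      'another passphrase',           1, true],
    ['bob',                          'hunter2',                      1, false], // inactive
    ['<script>alert(1)</script>',    'x',                            1, false], // unknown, and escaped on output
];
foreach ($cases as [$u, $p, $lvl, $expected]) {
    $ok = authUser($db, $prefix, $u, $p, $lvl);
    if ($ok !== $expected) {
        throw new RuntimeException("unexpected result for user {$u}");
    }
    echo renderAuthResult($ok, $u), "\n";
}
```

The two behavioural differences from the posted version worth noting: the password never appears in the SQL at all (the hash is fetched and verified in PHP), and the caller gets one boolean rather than distinct "incorrect credentials" and "user not active" messages, which is the trade-off that closes the username-enumeration leak the original's separate errorReturn() branches create.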
moon 111, posted May 20, 2008

Oops! Didn't see dataEncode. Never mind...