ben2k8 Posted May 22, 2008

Hi, I am new to this forum, but have been using PHP for a while. I am trying to create an admin control panel; so far I have a hardcoded password, which for now is just "enter", and a session time limit of 3 hours. I have made the script create a PHP session with a random 64-character string, and made the script add a record to a MySQL DB of current logins that logs the same 64-char string as the session, the current time plus 3 hours, and their IP address. I am planning to add a logout function that deletes the database record and PHP session, and make the session time limit extend every time a new page is loaded. But before I do, I would be grateful if someone could tell me how secure it is?

Thanks in advance

```php
$action = isset($_GET['action']) ? $_GET['action'] : '';

// If no action is specified, show the login form.
if ($action == "") {
    echo '<br /><table width="300" border="0" align="center" cellspacing="0" cellpadding="0"><tr><td>'
       . '<form id="form1" name="form1" method="post" action="?action=login">'
       . 'Password: <input type="password" name="pwd" />'
       . '<input type="submit" name="Submit" value="Log in" />'
       . '</form></td></tr></table>';
}

// Create secure login
if ($action == "login") {
    $pwd = isset($_POST['pwd']) ? $_POST['pwd'] : '';
    if ($pwd !== 'enter') {
        echo '<div align="center" class="msgfont"><br />Login Failed<br /></div>';
    } else {
        echo '<div align="center" class="msgfont">Secure Session Activated</div>';
        session_start();                  // Create session to remain logged in
        $seconds = time();                // Current time in seconds
        $min = floor($seconds / 60);      // Current time in minutes
        $logouttime = $min + 180;         // Add 3 hours (180 minutes) and use it as the session timeout
        $ip = $_SERVER['REMOTE_ADDR'];    // Get IP address
        $md5_1 = md5(mt_rand(0, 100000)); // Create a random 32 character string
        $md5_2 = md5(mt_rand(0, 100000)); // Create a random 32 character string
        $valicode = $md5_1 . $md5_2;      // Add both strings together to get a 64 character string
        // Store session data
        $_SESSION['valicode'] = $valicode;
        // Add IP address, session timeout and 64 character string to DB
        // ($server, $username, $password are the DB credentials, defined elsewhere)
        mysql_connect($server, $username, $password) or die(mysql_error());
        mysql_select_db("airgunshoo") or die(mysql_error());
        $sql = "INSERT INTO airgunshoo.secure_user (s_user_ip, s_user_mins, s_user_valicode) "
             . "VALUES ('$ip', '$logouttime', '$valicode')";
        mysql_query($sql);
        mysql_close();
    }
}

if ($action == "nextpage") { // Check login details
    session_start();
    // Variables to check for in database
    $ip_c = $_SERVER['REMOTE_ADDR'];                                         // IP address
    $valicode_c = isset($_SESSION['valicode']) ? $_SESSION['valicode'] : ''; // 64 char string from session
    $min_c = floor(time() / 60);                                             // Current time in minutes
    // Check for the 3 variables in DB: same IP, same code, and timeout not yet reached
    mysql_connect($server, $username, $password) or die(mysql_error());
    mysql_select_db("airgunshoo") or die(mysql_error());
    $user_valid_check = mysql_result(mysql_query(
        "SELECT COUNT(*) AS Num FROM secure_user "
      . "WHERE s_user_ip='$ip_c' AND s_user_mins >= '$min_c' AND s_user_valicode='$valicode_c'"
    ), 0);
    mysql_close();
    if ($user_valid_check == "1") {
        echo 'Valid User, You have remained logged in';
    } else {
        echo 'Invalid user';
    }
}
```
nloding Posted May 22, 2008

Not super secure, no. Read this: http://www.evolt.org/PHP-Login-System-with-Admin-Features Helped me a lot. You should hash your password in a database (MD5(), and salting is good [Google it]) and then compare to what's been posted in the form. Nothing is 100% secure, but you can always do things better.
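As an added example (not code from either post), here is the same login/nextpage/logout flow rewritten the way a current PHP engineer would harden it: the password is checked against a stored password_hash() value (which carries its own salt, so no separate salting step is needed), the 64-character session token comes from the CSPRNG rather than md5(mt_rand()), only a SHA-256 of the token is stored so a read of the table does not yield usable sessions, all SQL goes through prepared statements, expiry is enforced server-side and extended on every authenticated request, and logout removes both the row and the PHP session. It assumes PHP 7.3+ and a PDO/MySQL connection; the DSN, credentials, the ADMIN_PASSWORD_HASH environment variable and the secure_user table layout are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.3+ (session_start() options
// incl. cookie_samesite), PDO with MySQL, and an assumed table:
//   CREATE TABLE secure_user (
//     token_hash CHAR(64) PRIMARY KEY,   -- sha256(token), never the raw token
//     ip         VARCHAR(45) NOT NULL,
//     expires_at INT UNSIGNED NOT NULL   -- unix timestamp
//   );
declare(strict_types=1);

const SESSION_LIFETIME_SECONDS = 3 * 60 * 60; // the 3-hour limit from the post

function pdo(): PDO {
    // Assumed DSN and credentials; keep real ones in config outside the web root.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=airgunshoo;charset=utf8mb4', 'dbuser', 'dbpass', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]);
    }
    return $pdo;
}

function login(PDO $db, string $submittedPassword, string $storedHash, string $ip): bool {
    // password_verify() reads the salt and cost out of $storedHash and compares in constant time.
    if ($storedHash === '' || !password_verify($submittedPassword, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);              // new session id on privilege change: defeats fixation
    $token = bin2hex(random_bytes(32));       // 32 CSPRNG bytes -> 64 hex chars, like the OP's length
    $_SESSION['admin_token'] = $token;
    $stmt = $db->prepare('INSERT INTO secure_user (token_hash, ip, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $ip, time() + SESSION_LIFETIME_SECONDS]);
    return true;
}

function is_logged_in(PDO $db, string $ip): bool {
    $token = $_SESSION['admin_token'] ?? null;
    if (!is_string($token) || strlen($token) !== 64) {
        return false;
    }
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT ip, expires_at FROM secure_user WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if ((int) $row['expires_at'] < time()) {  // expired: clean up so the row cannot be revived
        logout($db);
        return false;
    }
    // IP binding (as in the OP's design) stops a stolen token being used from another address,
    // at the cost of logging out users whose address changes mid-session (mobile, proxies).
    if ($row['ip'] !== $ip) {
        return false;
    }
    // Sliding expiry: extend the timeout on every authenticated request.
    $db->prepare('UPDATE secure_user SET expires_at = ? WHERE token_hash = ?')
       ->execute([time() + SESSION_LIFETIME_SECONDS, $tokenHash]);
    return true;
}

function logout(PDO $db): void {
    $token = $_SESSION['admin_token'] ?? null;
    if (is_string($token)) {
        $db->prepare('DELETE FROM secure_user WHERE token_hash = ?')->execute([hash('sha256', $token)]);
    }
    $_SESSION = [];
    session_destroy();
}

// --- request handling ---
session_start([
    'cookie_httponly' => true,   // JavaScript cannot read the session cookie
    'cookie_secure'   => true,   // cookie only over HTTPS
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,   // reject session ids the server did not issue
]);

$action     = $_GET['action'] ?? '';
$ip         = $_SERVER['REMOTE_ADDR'] ?? '';
// Generate once and store in the environment/config, never the plaintext:
//   php -r 'echo password_hash("a long random passphrase", PASSWORD_DEFAULT);'
$storedHash = getenv('ADMIN_PASSWORD_HASH') ?: '';

switch ($action) {
    case 'login':
        $ok = $_SERVER['REQUEST_METHOD'] === 'POST'
           && login(pdo(), (string) ($_POST['pwd'] ?? ''), $storedHash, $ip);
        echo $ok ? 'Secure session activated' : 'Login failed'; // one message for every failure
        break;
    case 'logout':
        logout(pdo());
        echo 'Logged out';
        break;
    case 'nextpage':
        echo is_logged_in(pdo(), $ip) ? 'Valid user, you have remained logged in' : 'Invalid user';
        break;
    default:
        echo '<form method="post" action="?action=login">Password: <input type="password" name="pwd" />'
           . '<input type="submit" value="Log in" /></form>';
}
```

Two things the example deliberately leaves to the surrounding application: a CSRF token on the login form and rate limiting or lockout on failed attempts, without which a single hardcoded admin password can still be guessed online. Storing sha256(token) rather than the token itself means a SQL injection elsewhere or a stolen database dump gives an attacker nothing they can replay, which is the main reason to prefer it over the OP's design of writing the raw 64-character string to the table.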