Jump to content

Is my Code Secure? How to protect it?

whiteboikyle

By whiteboikyle
in PHP Coding Help

 Share

Recommended Posts

whiteboikyle Regular Member

whiteboikyle

Posted
Posted

login.php

<?php
session_start();
if(session_is_registered(error))
{
echo ($_SESSION['error']);
session_unregister(error);
session_destroy();
}
?>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="process.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="68"><div align="right">Username</div></td>
<td width="3">:</td>
<td width="205"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td><div align="right">Password</div></td>
<td>:</td>
<td><input name="mypassword" type="password" id="mypassword"></td>
</tr>
<tr>
<td><input name="login" type="hidden" value="1"></td>
<td> </td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
<tr>
  <td colspan="3"><div align="center"><a href="register.php">Register Account? </a></div></td>
  </tr>
</table>
</td>
</form>
</tr>
</table>

 

register.php

<?php
session_start();
if(session_is_registered(welcome))
{
echo($_SESSION['welcome']);
session_unregister(welcome);
session_destroy();
}
else
{
?>
<table width="325" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form2" method="post" action="process.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td colspan="4"><strong>Member Register</strong></td>
</tr>
<tr>
<td width="61" height="28"><div align="right">Username</div></td>
<td width="3">:</td>
<td width="144"><input name="myusername" type="text" id="myusername"></td>
<td width="91">
<?php
if(session_is_registered(username_taken))
{
echo ($_SESSION['username_taken']);
session_unregister(username_taken);
session_destroy();
}
?></td>
</tr>
<tr>
<td><div align="right">Password</div></td>
<td>:</td>
<td><input name="mypassword" type="password" id="mypassword"></td>
<td rowspan="2">
<?php
if(session_is_registered(password_same))
{
echo ($_SESSION['password_same']);
session_unregister(password_same);
session_destroy();
}
elseif(session_is_registered(password_less_then_5))
{
echo ($_SESSION['password_less_then_5']);
session_unregister(password_less_then_5);
session_destroy();
}
?></td>
</tr>
<tr>
  <td><div align="right">Password</div></td>
  <td>:</td>
  <td><input name="mypassword2" type="password" id="mypassword2"></td>
  </tr>
<tr>
  <td><div align="right">Email</div></td>
  <td>:</td>
  <td><input name="email" type="text" id="email"></td>
  <td>
  <font color="#FF0000" size="2">Optional</font>
</td>
</tr>
<tr>
  <td><input name="register" type="hidden" value="1"></td>
  <td> </td>
  <td colspan="2"><input type="submit" name="Submit" value="Login"></td>
  </tr>
</table>
</td>
</form>
</tr>
</table>
<?php
}
?>

 

process.php

<?php
include("config.php");
class Process
{
function Process($connection){
	if(isset($_POST['login'])){
	$this->login();
	}
	elseif(isset($_POST['register'])){
	$this->register();
	}
	else{
	header("Location: login.php");
	}
}
//Member Login
function login(){
global $config;
	ob_start();

	// Define $myusername and $mypassword
	$myusername=$_POST['myusername'];
	$mypassword=$_POST['mypassword'];

	// To protect MySQL injection (more detail about MySQL injection)
	$myusername = stripslashes($myusername);
	$mypassword = stripslashes($mypassword);
	$myusername = mysql_real_escape_string($myusername);
	$mypassword = mysql_real_escape_string($mypassword);
	$encrypt_password = md5($mypassword);
	$query = $config->query("SELECT * FROM members WHERE username='".$myusername."' and password='".$encrypt_password."'");

	// Mysql_num_row is counting table row
	$count=mysql_num_rows($query);
	// If result matched $myusername and $mypassword, table row must be 1 row

	if($count==1){
	// Register $myusername, $mypassword and redirect to file "login_success.php"
	session_register("myusername");
	session_register("mypassword");
	header("location:main.php");
	}
	else {
	session_register(error);
	$_SESSION['error'] = "<center><font color='red' size='4'>Wrong Username or Password</font></center>";
	header("location:login.php");
	}

	ob_end_flush();
}

//Register_Submit
function register(){
global $config;

	//Defines All The Users Inputs
	$myusername=$_POST['myusername'];
	$mypassword=$_POST['mypassword'];	
	$mypassword2=$_POST['mypassword2'];
	$email=$_POST['email'];
	$passwordcount=$_POST['mypassword'];

	//Stop SQL Injection
	$myusername = stripslashes($myusername);
	$mypassword = stripslashes($mypassword);
	$mypassword2 = stripslashes($mypassword2);
	$email = stripslashes($email);
	$myusername = mysql_real_escape_string($myusername);
	$mypassword = mysql_real_escape_string($mypassword);
	$mypassword2 = mysql_real_escape_string($mypassword2);
	$email = mysql_real_escape_string($email);

	//encrypt password variable
	$encrypt_password = md5($mypassword);

	$query = $config->query("SELECT * FROM members WHERE username='".$myusername."'");

	// Mysql_num_row is counting table row
	$count=mysql_num_rows($query);
	// If result matches $myusername then username is taken

	if($count===1){
	// Send error back to the register page if count = 1
	session_register(username_taken);
	$_SESSION['username_taken'] = "<center><font color='red' size='1'>The Username You Chose Is Already In Use</font></center>";
	header("location:register.php");
	}	
	elseif($mypassword != $mypassword2)
	{
	session_register(password_same);
	$_SESSION['password_same'] = "<center><font color='red' size='1'>Passwords Dont Match</font></center>";
	header("location:register.php");
	}
	elseif(strlen($mypassword) < "5")
	{
	session_register(password_less_then_5);
	$_SESSION['password_less_then_5'] = "<center><font color='red' size='1'>Password Must be Greater then 4 Charcters</font></center>";
	header("location:register.php");
	}
	else
	{
	$query = $config->query("INSERT INTO members (id, username, password, email) VALUES (NULL, '$myusername', '$encrypt_password', '$email')");
	session_register(welcome_screen);
	$_SESSION['welcome'] = 
	"Welcome, You are now a member of Corpal Uploads.<br>
	Reccommend us to your friends.<br>
	We are a free Upload site and WILL STAY FREE!<br>
	Thanks,<br>
	Whitey.<br>
	<a href='login.php'>Continue</a>";
	header("location: register.php");
	}

}
};
$process = new Process($connection);
?>

 

logout.php

<?
session_start();
session_destroy();
session_unregister(myusername);
echo("<center><font size='4'>You are now logged out</font>");
echo("<br><a href='login.php'>Now redirecting you to home page or click here if you do not wish to wait.</a></center>");
echo("<META HTTP-EQUIV='refresh' CONTENT='5;login.php'>");

?>

 

 

give me all suggestions i need. Its just going to be used for an upload script

Link to comment
https://forums.phpfreaks.com/topic/108955-is-my-code-secure-how-to-protect-it/
Share on other sites
Daniel0 Advanced Member

Daniel0

Posted
Posted

You should do quite fine. There is no reason why you would store the password in the sessions... What are you going to use that for?

 

Also, the lines like this: 

session_unregister(error);

and similar won't work. It has to be 

session_unregister('error');

but that's useless when you after that call session_destroy() which will unregister all sessions.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.