These are my functions for logging in a user, logging out a user, checking if a user is logged in and checking the 'power level' of a user:

//Logs a user in.
function user_login($username, $md5password) {
	setcookie("username", $username, strtotime("+90 days"), "/");
	setcookie("md5password", $md5password, strtotime("+90 days"), "/");
}
//Logs a user out.
function user_logout() {
	setcookie("username", "", strtotime("+90 days"), "/");
	setcookie("md5password", "", strtotime("+90 days"), "/");
	$_COOKIE['username'] = "";
	$_COOKIE['md5password'] = "";
	setcookie("username", "", 1, "/");
	setcookie("md5password", "", 1, "/");
}
//Returns true if a user is logged in.
function user_loggedin() {
	$username = clean_string($_COOKIE['username']);
	$password = clean_string($_COOKIE['md5password']);
	if (empty($username) || empty($password))
		return false;
	$conn = mysql_connect("localhost", "****", "****");
	mysql_select_db("redbox_main", $conn);
	if (mysql_num_rows(mysql_query("SELECT * FROM members WHERE username='$username' AND md5password='$password'")) > 0) {
		//They are logged in.
		return true;
	} else {
		//They are not logged in.
		return false;
	}
}
//Returns the username of the logged in user.
function user_username() {
	if (isset($_COOKIE['username']))
		return $_COOKIE['username'];
	return "";
}
//returns the email of the logged in user
function user_email() {
	if (isset($_COOKIE['username']) && isset($_COOKIE['md5password'])) {
		$username = clean_string($_COOKIE['username']);
		$md5password = clean_string($_COOKIE['md5password']);
		if (!empty($username) && !empty($md5password)) {
			$current_email = mysql_result(mysql_query("SELECT email FROM members WHERE username='$username' AND md5password='$md5password'"), 0); 
			return $current_email;
		}
	}
	return "";
}

//returns the power level of the logged in user
function user_level() {
	if (isset($_COOKIE['username']) && isset($_COOKIE['md5password'])) {
		$username = clean_string($_COOKIE['username']);
		$md5password = clean_string($_COOKIE['md5password']);
		if (!empty($username) && !empty($md5password)) {
			$current_level= (int) mysql_result(mysql_query("SELECT level FROM members WHERE username='$username' AND md5password='$md5password'"), 0); 
			return $current_level;
		}
	}
	return "";
}

 

Do they look secure (i.e. no 'hackers' would easily be able to break them)?

Thanks.


Why would you save the username & password in a cookie file (even if it is md5 encrypted)?

Don't you think if somebody were to grab the cookie data they could gain access via your login page? It is far better to store the user ID in the cookie file or, when they log in, create a unique key for the user that is stored in the cookie to identify them to the site. This can expire and a new key created on each login.

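The approach suggested in the reply above (a random per-login key in the cookie instead of the username and password hash), written out as an added example that is not part of the thread or either poster's code. The `login_tokens` table, the function names and the in-memory SQLite database are assumptions for illustration; it needs PHP 7.3+ with pdo_sqlite.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Table and function names are assumptions.
const TOKEN_TTL = 90 * 24 * 3600; // same 90-day lifetime as the cookies in the question

function open_db(): PDO {
    $db = new PDO('sqlite::memory:'); // in-memory stand-in for the members database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY,
               user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Call only after the password check succeeded; every login gets a fresh key.
function issue_token(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $now + TOKEN_TTL]);
    return $token; // the only value that goes into the cookie
}

// In a web request, send the key with flags that keep it away from scripts and plain HTTP.
function send_token_cookie(string $token, int $now): void {
    setcookie('login_token', $token, ['expires' => $now + TOKEN_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Returns the user id for a known, unexpired key, otherwise null.
function user_from_token(PDO $db, string $token, int $now): ?int {
    $stmt = $db->prepare('SELECT user_id FROM login_tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), $now]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Logout deletes the server-side record, so a copied cookie stops working.
function revoke_token(PDO $db, string $token): void {
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([hash('sha256', $token)]);
}

// Constructed demo: user id 42 is a made-up value.
$db = open_db();
$now = time();
$token = issue_token($db, 42, $now);
var_dump(user_from_token($db, $token, $now));                 // within lifetime
var_dump(user_from_token($db, $token, $now + TOKEN_TTL + 1)); // after expiry
revoke_token($db, $token);
var_dump(user_from_token($db, $token, $now));                 // after logout
```

Only a SHA-256 of the key is stored server-side, so a read of the `login_tokens` table does not hand out usable cookies, and the lookups use bound parameters rather than string interpolation.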
