imarockstar Posted October 20, 2008

I have a login system in place .. it works fine, but I am not sure it's that secure. I am using sessions to display the user info and db info throughout the site. Here is my code .. any improvement suggestions would be rad ..

this is the login page

```php
<?php
if ($_SESSION['username'] == 1) { // User is already logged in.
    header("Location: user_home.php"); // Goes to main page.
    exit(); // Stops the rest of the script.
}
?>
<div id='box'>
<form method="post" action="scripts/user_login_go.php">
<div class=groupleft>
Username <br>
<input type=text name=username>
</div>
<div class=groupright>
Password <br>
<input type=password name=pass1>
</div>
<br class=clear>
<input type=submit name=submit value=submit>
</form>
</div>
```

here is the script that logs them in

```php
<?php
$username = ($_POST['username']);
$pass1 = ($_POST['pass1']); // Encrypts the password.
$q = mysql_query("SELECT * FROM users WHERE username = '$username' AND pass1 = '$pass1'") or die (mysql_error()); // mySQL query
$r = mysql_num_rows($q); // Checks to see if anything is in the db.
if ($r == 1) { // There is something in the db. The username/password match up.
    $result = mysql_query("select * from users WHERE username = '$username' ");
    //session_start();
    //$_SESSION['username'] = $recid;
    //grab all the content
    while ($r = mysql_fetch_array($result)) {
        //the format is $variable = $r["nameofmysqlcolumn"];
        //modify these to match your mysql table columns
        $recid = $r["recid"];
        $rights = $r["rights"];
        session_start();
        $_SESSION['recid'] = $recid;
        $_SESSION['username'] = $username;
        $_SESSION['rights'] = $rights;
        header("Location: ../user_home.php"); // Goes to main page.
    }
    //header("Location: resume"); // Goes to main page.
    //echo "your logged in";
    //echo "Pageviews = ". $_SESSION['username'];
    exit(); // Stops the rest of the script.
} else { // Invalid username/password.
    exit("Incorrect username/password!"); // Stops the script with an error message.
}
?>
```

this is what's on all the pages that the user can see .. it's the head section of the site ...

```php
<?php
include("scripts/connect.php");
session_start();
if (isset($_SESSION['recid'])) {
    //echo "logged in";
} else {
    header("Location: admin_login.php");
    exit(); // Stop here so the protected page is not rendered after the redirect header.
}
$pgTitle = "Technology Staffing Services";
$pgMetaDescription = "Technology Staffing Services";
$pgMetaKeywords = "Technology Staffing Services";
$pgHead = "";
$style = 2;
include("includes/head.php");
?>
```

Bendude14 Posted October 20, 2008

you validate the user input better before you query your database, these two lines:

```php
$username = ($_POST['username']);
$pass1 = ($_POST['pass1']); // Encrypts the password
```

look at php.net/mysql_real_escape_string

imarockstar Posted October 20, 2008

Ok I looked at that .. but it's all a little confusing .. lol ..

revraz Posted October 20, 2008

You need to strip out any harmful data that could pose a risk to your Database.

imarockstar Posted October 20, 2008

ok kool .. I will try and figure it out ... from the link you gave me ... thanks

simonpatp Posted October 20, 2008

you might want to encrypt the passwords themselves:

```php
// $username and $password hold the submitted form values.
$sql = "SELECT * FROM users WHERE username = '" . mysql_real_escape_string($username) . "' LIMIT 1;"; // you can only have one user so limit it
$results = mysql_query($sql) or die("MySQL Error");
if (mysql_num_rows($results) != 1) {
    // code to handle no user
}
$Userarray = mysql_fetch_array($results);
$salt = substr($Userarray['password'], 0, 2); // get the encryption salt
$saltedpword = crypt($password, $salt); // encrypt user input
if ($Userarray['password'] == $saltedpword) { // if the encrypted password from the DB is the same as the encrypted user input
    mysql_free_result($results);
    mysql_close($hand); // $hand is assumed to be the link returned by mysql_connect()
    // code log in
} else {
    mysql_free_result($results);
    mysql_close($hand);
    // code to retry
}
```

you would also have to create a script to encrypt the passwords in the first place, like this:

```php
$EncryptedPWord = crypt($_REQUEST['word']);
echo $EncryptedPWord;
```

or something of that sort. See http://us.php.net/manual/en/function.crypt.php for more info.

hope i was some help

Bendude14 Posted October 21, 2008

you could also look at http://au2.php.net/md5 and http://au2.php.net/manual/en/function.sha1.php

If you want it to be more secure still you can use a salt before hashing the password. If you don't want to use another column in the DB to save the salt I sometimes just use their username.

here is an example of the mysql_real_escape_string

```php
<?php
if (get_magic_quotes_gpc()) { // check to see if magic quotes are enabled
    $username = stripslashes($_POST['username']); // if so strip slashes so we don't escape everything twice
} else {
    $username = $_POST['username'];
}
$username = mysql_real_escape_string(trim($username)); // trim white space then escape data ready for mysql query
?>
```

Ben
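
An added example (not code from any poster in this thread) that combines the two suggestions above in current PHP: a PDO prepared statement in place of manual escaping, and password_hash()/password_verify() in place of crypt(), md5() or sha1(). The in-memory SQLite database (needs the pdo_sqlite extension), the pass_hash column, the sample users and the register()/login() helpers are assumptions made for the example; the recid, username and rights columns follow the original post.

```php
<?php
// Constructed in-memory database and users for the example; not the poster's schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (recid INTEGER PRIMARY KEY, username TEXT UNIQUE,
                               pass_hash TEXT, rights TEXT)');

// Registration side: store only a salted, slow hash, never the password itself.
function register(PDO $db, string $username, string $password, string $rights): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash, rights) VALUES (?, ?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $rights]);
}

// Login side: returns the user row (without the hash) on success, null on any failure.
function login(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: the username travels as data and is never parsed as SQL.
    $stmt = $db->prepare('SELECT recid, username, pass_hash, rights FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a dummy hash so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $user ? $user['pass_hash'] : $dummy);
    if (!$user || !$ok) {
        return null;
    }
    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($user['pass_hash'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET pass_hash = ? WHERE recid = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $user['recid']]);
    }
    unset($user['pass_hash']);
    return $user;
}

register($db, 'alice', 'correct horse battery staple', 'user');
register($db, "o'brien", 'another long passphrase', 'admin');

var_dump(login($db, 'alice', 'correct horse battery staple')); // valid credentials
var_dump(login($db, 'alice', 'wrong password'));               // wrong password
var_dump(login($db, "o'brien", 'another long passphrase'));    // apostrophe needs no escaping
var_dump(login($db, 'nobody', 'anything'));                    // unknown user
```

In the web handler, call session_regenerate_id(true) after a successful login() and before copying recid and rights into $_SESSION, so the authenticated session does not reuse the pre-login session ID.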