stevehossy
Posted March 2, 2009

Can someone please tell me if this is secure. Someone keeps logging into my admin account...

    <?php
    session_start();
    if ($_POST['username'] == "" || $_POST['password'] == "") {
        die("<h3>Error</h3> You did not fill in the login form!<br> <a href=login.php>> Back</a>");
    }
    include "mysql.php";
    global $c;
    $uq=mysql_query("SELECT userid FROM users WHERE login_name='{$_POST['username']}' AND `userpass`='{$_POST['password']}'",$c) or die(mysql_error());
    if (mysql_num_rows($uq)==0) {
        die("<h3> Error</h3> Invalid username or password!<br> <a href=login.php>> Back</a>");
    } else {
        $_SESSION['loggedin']=1;
        $mem=mysql_fetch_array($uq);
        $_SESSION['userid']=$mem['userid'];
        header("Location: loggedin.php");
    }
    ?>

https://forums.phpfreaks.com/topic/147651-secure-login/
premiso
Posted March 2, 2009

The only thing I can see is that it is prone to SQL injection, and your password is textual and not hashed or encrypted. If magic_quotes is on, that may protect you to a point, but you should really turn it off and use mysql_real_escape_string on data before testing it against a database. Also make sure that you always call $_SESSION['loggedin'] and not just $loggedin (given that register_globals is on, which it should not be). Other than that, check your password; if it is very weak (something like 'password'), I would suggest beefing it up.
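The two problems premiso names, the string-built query and the plaintext password column, side by side with their fixes. This is an added example, not code from either poster: it keeps the thread's table and column names (users, login_name, userpass, userid), assumes a modern PHP with PDO, pdo_sqlite and password_hash() (the 2009 mysql_* extension is gone), and uses constructed sample accounts in an in-memory SQLite database so it runs offline.

```php
<?php
// Added example (not the original poster's code): the thread's login check
// rewritten with a prepared statement and a stored password hash, next to the
// original string-built query so the injection is visible. Runs against an
// in-memory SQLite database; table/column names follow the thread, the
// accounts below are constructed for the demo.

function setupDatabase(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, login_name TEXT UNIQUE, userpass TEXT)');
    // Constructed sample accounts. userpass holds a bcrypt hash, never the password.
    $ins = $db->prepare('INSERT INTO users (login_name, userpass) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    $ins->execute(['steve', password_hash('hunter2', PASSWORD_DEFAULT)]);
    return $db;
}

// The pattern from the original post: request values interpolated straight into
// the SQL text. Kept only to show what a crafted password does to it.
function vulnerableLogin(PDO $db, string $user, string $pass): ?int {
    $sql = "SELECT userid FROM users WHERE login_name='$user' AND userpass='$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['userid'] : null;
}

// Hardened form: the username travels as a bound parameter, so it can never
// change the query's structure, and the password is checked in PHP against the
// stored hash instead of being compared inside the SQL.
function secureLogin(PDO $db, string $user, string $pass): ?int {
    $stmt = $db->prepare('SELECT userid, userpass FROM users WHERE login_name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user and wrong password both end up here, so the caller's error
    // message cannot tell an attacker which half was wrong.
    if ($row && password_verify($pass, $row['userpass'])) {
        return (int) $row['userid'];
    }
    return null;
}

$db = setupDatabase();

// Classic payload submitted in the password field. In the string-built query it
// becomes ... AND userpass='' OR '1'='1', which matches every row; the first
// row returned is userid 1, the admin account, with no password known at all.
$payload = "' OR '1'='1";
printf("vulnerable query, injected password: %s\n", var_export(vulnerableLogin($db, 'nobody', $payload), true));
printf("prepared statement, same payload:    %s\n", var_export(secureLogin($db, 'nobody', $payload), true));
printf("prepared statement, correct password: %s\n", var_export(secureLogin($db, 'steve', 'hunter2'), true));
printf("prepared statement, wrong password:   %s\n", var_export(secureLogin($db, 'steve', 'Hunter2'), true));
```

Run with `php login_demo.php` (any file name; the name is not part of the thread). The injected call against vulnerableLogin() returns the admin's userid, which is exactly the symptom the original poster describes; the same payload against secureLogin() returns NULL because the bound parameter is just a string compared to login_name. Note that hashing alone would not have stopped the injection, since the `OR '1'='1'` never touches the password column at all; both fixes are needed. When wiring this into the original script, also call session_regenerate_id(true) right before setting $_SESSION['loggedin'], so a session id an attacker planted before login does not become an authenticated one.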
Archived
This topic is now archived and is closed to further replies.