stevehossy Posted March 2, 2009

Can someone please tell me if this is secure. Someone keeps logging into my admin account...

<?php
session_start();

// Reject empty form fields
if ($_POST['username'] == "" || $_POST['password'] == "") {
    die("<h3>Error</h3> You did not fill in the login form!<br> <a href=login.php>> Back</a>");
}

include "mysql.php";   // provides the connection handle $c
global $c;

// Username and password are interpolated straight into the query string
$uq = mysql_query("SELECT userid FROM users WHERE login_name='{$_POST['username']}' AND `userpass`='{$_POST['password']}'", $c) or die(mysql_error());

if (mysql_num_rows($uq) == 0) {
    die("<h3> Error</h3> Invalid username or password!<br> <a href=login.php>> Back</a>");
} else {
    // Mark the session as logged in and remember the user id
    $_SESSION['loggedin'] = 1;
    $mem = mysql_fetch_array($uq);
    $_SESSION['userid'] = $mem['userid'];
    header("Location: loggedin.php");
}
?>

https://forums.phpfreaks.com/topic/147651-secure-login/
premiso Posted March 2, 2009

The only thing I can see is that it is prone to SQL injection, and your password is textual and not hashed or encrypted. If magic_quotes is on that may protect you to a point, but you should really turn it off and use mysql_real_escape_string on data before testing them against a database. Also make sure that you always call $_SESSION['loggedin'] and not just $loggedin (given that register_globals is on, which it should not be). Other than that, check your password; if it is very weak (something like 'password') I would suggest beefing it up.

https://forums.phpfreaks.com/topic/147651-secure-login/#findComment-775114
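An added example (not code from either poster) of the same login script with the two problems raised above addressed: user input is bound through a mysqli prepared statement instead of being spliced into the SQL (this replaces the suggested mysql_real_escape_string, since the old mysql_* functions no longer exist in current PHP), and passwords are compared with password_verify() against a stored password_hash() value rather than as plaintext. It assumes the same users table with login_name, userpass and userid columns, that userpass now holds password_hash() output, and placeholder database credentials in place of whatever mysql.php defines.

```php
<?php
// Added example: hardened version of the login script discussed in the thread.
session_start();

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if ($username === '' || $password === '') {
    die('<h3>Error</h3> You did not fill in the login form!<br> <a href="login.php">&gt; Back</a>');
}

// Placeholder credentials (assumption): substitute the values from your own mysql.php.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db->connect_error) {
    die('Database error');
}

// Prepared statement: $username is bound as a parameter, so quotes or SQL
// keywords inside it are treated as data and cannot change the query.
$stmt = $db->prepare('SELECT userid, userpass FROM users WHERE login_name = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
$stmt->close();

// userpass is assumed to hold password_hash($plain, PASSWORD_DEFAULT) output;
// password_verify() compares the submitted password against that hash, so the
// database never contains the plaintext and the query never includes the password.
if ($row === null || !password_verify($password, $row['userpass'])) {
    die('<h3>Error</h3> Invalid username or password!<br> <a href="login.php">&gt; Back</a>');
}

// Issue a fresh session id at login so a session id set before authentication is not reused.
session_regenerate_id(true);
$_SESSION['loggedin'] = 1;
$_SESSION['userid'] = $row['userid'];
header('Location: loggedin.php');
exit;
```

Existing plaintext values in userpass must be replaced with password_hash() output (for example at each user's next successful login under the old check, or by forcing a reset) before this comparison will succeed.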