evil_stevo Posted December 2, 2010

My main pages look like this...

```php
<?php
include "header.php";
// CONTENT
include "footer.php";
?>
```

On the header will be my login script so on every page the script will be there so they can log in from anywhere on the site. Also, I want it all done on one page instead of being directed somewhere else. This is the code below.

```php
<?php
session_start();
$message = "";     // error message needs to be blank
$loginstatus = ""; // error message needs to be blank

// if $_POST "username" and "password" exist, check for consistency.
if (isset($_POST['username'])&&($_POST['password'])) {
    include 'connect.php'; // connect
    $username = mysql_real_escape_string($_POST['username']); // set variables from session
    $password = mysql_real_escape_string($_POST['password']); // set variables from session
    // remove slashes and HTML
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = strip_tags($username);
    $password = strip_tags($password);
    $password = md5($password); // md5 encryption
    // checking if row exists that has $username and $password together.
    $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
    $num = mysql_num_rows($query); // number of rows. if not equal to one login will fail.
    if ($num == 1) {
        $_SESSION['username'] = $username; // store session data
        $message = "$username, you are logged in!";
    } else {
        $message = "<font color='red'>Wrong Username or Password. Please try again.</font>";
    }
}

// if $_SESSION "username" and "password" exist, check for consistency.
if (isset($_SESSION['username'])) {
    $username = $_SESSION['username'];
    $loginstatus = "
    <table cellspacing='0' cellpadding='0'>
      <tr>
        <td align='right'><b>$message</b> <a href='logout.php'>[logout]</a></td>
      </tr>
    </table>
    ";
} else {
    $loginstatus = "
    <b>$message</b>
    <form action='CURRENTPAGE.php' method='post'>
      <table cellspacing='0' cellpadding='0'>
        <tr>
          <td><b>Username: </b></td>
          <td><input type='text' name='username' class='inputbox'></td>
          <td><b>Password: </b></td>
          <td><input type='password' name='password' class='inputbox'></td>
          <td><input type='submit' value='Log In' class='submitbutton'></td>
        </tr>
      </table>
    </form>
    ";
}
echo $loginstatus;
?>
```

I have two questions...

#1 How can I direct my page when entering the password to the current page the user is on? (look at CURRENTPAGE.php in the code for reference)

#2 Security is obviously an issue at all times. How does my security look? What can I do to make this login script more secure?

Thanks so much for all of those who help out. I'll be watching this forum all day everyday.

https://forums.phpfreaks.com/topic/220486-one-page-login-system/
laffin Posted December 2, 2010

This line

```php
if (isset($_POST['username'])&&($_POST['password']))
```

should be

```php
if (isset($_POST['username']) && isset($_POST['password']))
```

Both username & password u have allowed every character. Bad idea, use a whitelist of characters that are allowed. This can be done easily with preg_match:

```php
if (!preg_match('@^[A-Za-z][A-Za-z0-9_\.]{2,19}$@', $username)) {
    echo "Invalid Username";
}
```

The preg string:
^ Start of string
[A-Za-z] First character is alpha
[A-Za-z0-9_\.]{2,19} Characters must be alpha, numeric, _ or . (period); min length 2, max length 19
$ End of string

So this allows usernames a length of 3-20 characters, and restricts them to a certain format and allowable characters. Password, I would do the same, except allow more characters. This I would do at signup as well. Doing whitelists, u don't need to use stripslashes/striptags/htmlspecialchars or wut have u. Usernames should have a format to follow and abide by.

It's very hard to read your code when you don't use the forum's [code] tags.
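As an added example (mine, not code from the thread), the whitelist check above turned into one validator shared by the signup and login handlers, with a wider whitelist for passwords as laffin suggests. The function names, the exact patterns and the sample inputs are my choices, not the thread's.

```php
<?php
// Added example, not from the thread. Whitelist validation for the login form.

// Username: 3-20 chars, must start with a letter, then letters/digits/_/.
// \z instead of $ so a trailing newline in the input is not silently accepted.
const USERNAME_PATTERN = '/^[A-Za-z][A-Za-z0-9_.]{2,19}\z/';
// Password: 8-64 printable ASCII characters (space through tilde); wider than the
// username whitelist but still explicit about what is allowed.
const PASSWORD_PATTERN = '/^[\x20-\x7E]{8,64}\z/';

function validate_username(string $username): bool {
    return preg_match(USERNAME_PATTERN, $username) === 1;
}

function validate_password(string $password): bool {
    return preg_match(PASSWORD_PATTERN, $password) === 1;
}

// Run on the submitted form before anything touches the database or the session.
// Same function is reused at signup, so stored usernames always match the format.
// Returns an error message, or null when both fields pass the whitelist.
function check_login_input(array $post): ?string {
    if (!isset($post['username'], $post['password'])) {
        return 'Missing username or password';
    }
    if (!validate_username($post['username'])) {
        return 'Invalid Username';
    }
    if (!validate_password($post['password'])) {
        return 'Invalid Password';
    }
    return null;
}

// Constructed sample inputs showing what the username whitelist accepts and rejects.
$samples = [
    'bob'               => true,   // minimum length 3
    'evil_stevo.2010'   => true,
    'ab'                => false,  // too short
    '1stevo'            => false,  // must start with a letter
    "admin' OR '1'='1"  => false,  // quotes and spaces never reach the query
    '<b>bob</b>'        => false,  // no strip_tags needed: tags are rejected outright
    "bob\n"             => false,  // trailing newline rejected thanks to \z
    str_repeat('a', 21) => false,  // too long
];
foreach ($samples as $name => $expected) {
    $ok = validate_username($name);
    printf("%-22s %s\n", json_encode($name), $ok === $expected ? 'as expected' : 'UNEXPECTED');
}
```

Because rejected input is never escaped, stripped or queried, the stripslashes/strip_tags chain in the original script becomes unnecessary, which is the point laffin makes.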
evil_stevo Posted December 2, 2010 (Author)

Thanks! WOW! I got a lot of work to do! Ok, so I'll whitelist everything I need to and do that at sign up as well. Sorry, I didn't realize the ability of the tag. Won't happen again!