evil_stevo Posted December 2, 2010

My main pages look like this...

[code]
<?php
include "header.php";
CONTENT
include "footer.php";
?>
[/code]

On the header will be my login script, so on every page the script will be there so they can log in from anywhere on the site. Also, I want it all done on one page instead of being directed somewhere else. This is the code below.

[code]
<?php
session_start();
$message = "";     // error message needs to be blank
$loginstatus = ""; // login box / status markup, built below

// if $_POST "username" and "password" exist, check for consistency.
if (isset($_POST['username'])&&($_POST['password'])) {
    include 'connect.php'; // connect

    // remove slashes and HTML from the raw POST values first...
    $username = stripslashes($_POST['username']);
    $password = stripslashes($_POST['password']);
    $username = strip_tags($username);
    $password = strip_tags($password);

    // ...then escape for the query (escaping before stripslashes would undo the escaping)
    $username = mysql_real_escape_string($username);
    $password = md5($password); // md5 hash of the password

    // checking if a row exists that has $username and $password together.
    $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
    $num = mysql_num_rows($query); // number of rows. if not equal to one, login will fail.

    if ($num == 1) {
        $_SESSION['username'] = $username; // store session data
        $message = "$username, you are logged in!";
    } else {
        $message = "<font color='red'>Wrong Username or Password. Please try again.</font>";
    }
}

// if $_SESSION "username" exists, show the logged-in status, otherwise the login form.
if (isset($_SESSION['username'])) {
    $username = $_SESSION['username'];
    $loginstatus = "
    <table cellspacing='0' cellpadding='0'>
    <tr>
    <td align='right'><b>$message</b> <a href='logout.php'>[logout]</a></td>
    </tr>
    </table>
    ";
} else {
    $loginstatus = "
    <b>$message</b>
    <form action='CURRENTPAGE.php' method='post'>
    <table cellspacing='0' cellpadding='0'>
    <tr>
    <td><b>Username: </b></td>
    <td><input type='text' name='username' class='inputbox'></td>
    <td><b>Password: </b></td>
    <td><input type='password' name='password' class='inputbox'></td>
    <td><input type='submit' value='Log In' class='submitbutton'></td>
    </tr>
    </table>
    </form>
    ";
}
echo $loginstatus;
?>
[/code]

I have two questions...

#1 How can I direct my page, when entering the password, to the current page the user is on? (look at CURRENTPAGE.php in the code for reference)

#2 Security is obviously an issue at all times. How does my security look? What can I do to make this login script more secure?

Thanks so much to all of those who help out. I'll be watching this forum all day, every day.
laffin Posted December 2, 2010

This line

[code]
if (isset($_POST['username'])&&($_POST['password']))
[/code]

should be

[code]
if (isset($_POST['username']) && isset($_POST['password']))
[/code]

For both username & password u have allowed every character. Bad idea, use a whitelist of characters that are allowed. This can be done easily with preg_match:

[code]
if (!preg_match('@^[A-Za-z][A-Za-z0-9_\.]{2,19}$@', $username)) {
    echo "Invalid Username";
}
[/code]

The preg string:

^ Start of string
[A-Za-z] First character is alpha
[A-Za-z0-9_\.]{2,19} Characters must be alpha, numeric, _ or . (period), min length 2, max length 19
$ End of string

So this allows usernames a length of 3-20 characters, and restricts them to a certain format and allowable characters.

Password, I would do the same, except allow more characters. This I would do at signup as well. Doing whitelists, u don't need to use stripslashes/strip_tags/htmlspecialchars or wut have u. Usernames should have a format to follow and abide by.

It's very hard to read your code when you don't use the forum's [code] tags.
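The whitelist approach laffin describes, carried through as an added example that is not code from either poster: the username pattern is laffin's, the password character set and lengths are assumptions (the thread only says "allow more characters"), and check_login_fields() is a hypothetical helper that runs both checks before any database work so rejected input never reaches the query.

```php
<?php
// Added example (not from the thread): whitelist validation as laffin
// describes, meant to be applied identically at signup and at login.

// Username: first char alpha, then 2-19 of [A-Za-z0-9_.], 3-20 chars total.
function validate_username($username) {
    return is_string($username)
        && preg_match('@^[A-Za-z][A-Za-z0-9_.]{2,19}$@', $username) === 1;
}

// Password: wider whitelist (printable ASCII, no spaces), 8-64 chars.
// Assumed character set and lengths; the thread only says "allow more".
function validate_password($password) {
    return is_string($password)
        && preg_match('@^[\x21-\x7E]{8,64}$@', $password) === 1;
}

// Returns an error string, or null when both fields pass the whitelist.
// Call this before connecting to the database, so nothing that fails the
// whitelist is ever interpolated into SQL or echoed back into HTML.
function check_login_fields(array $post) {
    if (!isset($post['username'], $post['password'])) {
        return 'Missing username or password';
    }
    if (!validate_username($post['username'])) {
        return 'Invalid Username';
    }
    if (!validate_password($post['password'])) {
        return 'Invalid Password';
    }
    return null;
}

// Constructed sample inputs showing what the whitelist accepts and rejects.
$samples = [
    ['username' => 'steve_01', 'password' => 'Tr0ub4dor&3'], // accepted
    ['username' => '1steve',   'password' => 'Tr0ub4dor&3'], // leading digit
    ['username' => 'st',       'password' => 'Tr0ub4dor&3'], // too short
    ['username' => "o'brien",  'password' => 'Tr0ub4dor&3'], // apostrophe not allowed
    ['username' => 'steve',    'password' => 'short'],       // password too short
    ['username' => 'steve'],                                 // password missing
];
foreach ($samples as $s) {
    $err = check_login_fields($s);
    printf("%-10s => %s\n", $s['username'], $err === null ? 'accepted' : $err);
}
```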
evil_stevo (Author) Posted December 2, 2010

Thanks! WOW! I've got a lot of work to do! Ok, so I'll whitelist everything I need to and do that at sign up as well. Sorry, I didn't realize the ability of the tag. Won't happen again!