Jump to content

One Page Login System

evil_stevo

By evil_stevo
in PHP Coding Help

 Share

Recommended Posts

evil_stevo Newbie

evil_stevo

Posted
Posted

This is my one page log in system. Using this on the header so guests can log in on ANY page. Let me know what you think needs improving for security. I'm also wondering if putting the include "disconnect.php"; where I have is correct. Thanks!

 

<?php
session_start();

$message = ""; //error message needs to be blank
$loginstatus = ""; //error message needs to be blank

//if $_POST "username" and "password" exist, check for consistency.
if (isset($_POST['username'])&&($_POST['password']))
{
include 'connect.php'; //connect
$username = mysql_real_escape_string($_POST['username']); //set variables from session
$password = mysql_real_escape_string($_POST['password']); //set variables from session

//remove slashes and HTML
$username = stripslashes($username);
$password = stripslashes($password);
$username = strip_tags($username);
$password = strip_tags($password);

$password = md5($password); //md5 encryption

$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"); //checking if row exists that has $username and $password together.
$num = mysql_num_rows($query); //number of rows. if not equal to one login will fail.

if($num==1)
{
$_SESSION['username'] = $username; //store session data
$message = "$username, you are logged in!";
include "disconnect.php";
}
else
{
$message = "<font color='red'>Wrong Username or Password. Please try again.</font>";
}
}

//if $_SESSION "username" and "password" exist, check for consistency.
if (isset($_SESSION['username']))
{
$username = $_SESSION['username'];
$loginstatus = "
<table cellspacing='0' cellpadding='0'>
<tr>
<td align='right'><b>$message</b> <a href='logout.php'>[logout]</a></td>
</tr>
</table>
";
}
else
{
$loginstatus = "
<b>$message</b>
<table cellspacing='0' cellpadding='0'>
<form action='index.php' method='post'>
<tr>
<td><b>Username: </td>
<td><input type='text' name='username' class='inputbox'></td>
<td>   <b>Password: </td>
<td><input type='password' name='password' class='inputbox'></td>
<td>   <input type='submit' value='Log In' class='submitbutton'></td>
</tr>
</table>
</form>
";
}

echo $loginstatus;
?>

Link to comment
https://forums.phpfreaks.com/topic/220853-one-page-login-system/
Share on other sites
Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

You should not use stripslashes() unconditionally. You should only use stripslashes() if magic_quotes_gpc() is on. Moreover, using it after mysql_real_escape_string() actually undoes what mysql_real_escape_string() does, rendering it useless.

 

There is no need to do any sanitizing of a value that will be run through a hashing algorithm before being inserted in the database, such as the password.

 

strip_tags() is unnecessary for inserting data into a database; it should be used immediately prior to displaying the data.

 

So with that in mind, here's what that part should look like:

session_start();

$message = ""; //error message needs to be blank
$loginstatus = ""; //error message needs to be blank

//if $_POST "username" and "password" exist, check for consistency.
if( isset($_POST['username'])&&($_POST['password']) ) {
require_once 'connect.php'; //connect

if( get_magic_quotes_gpc() ) {
	$username = mysql_real_escape_string(stripslashes($_POST['username']));
} else {
	$username = mysql_real_escape_string($_POST['username']); //set variables from session
}

$password = md5($password); //md5 encryption

$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"); //checking if row exists that has $username and $password together.
$num = mysql_num_rows($query); //number of rows. if not equal to one login will fail.

if( $num == 1 ) {
	$_SESSION['username'] = $username; //store session data
	$message = "$username, you are logged in!";
	include "disconnect.php";
} else {
	$message = "<font color='red'>Wrong Username or Password. Please try again.</font>";
}
}

Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

I'd say require_once() it. Since the script is essentially useless without the database query, it needs to be in the script, but using _once will allow it to be ignored if some other script has already successfully included it.

evil_stevo Newbie

evil_stevo

Posted
  • Author
Posted

Oh, does password need anything done to it other than md5?

 

Maybe something like this??

<?php
session_start(); //start session

//required
$message = "";
$loginstatus = "";

//if $_POST "username" and "password" exist, check for consistency.
if (isset($_POST['username'])&&($_POST['password']))
{
require_once 'connect.php'; //connect

if(get_magic_quotes_gpc())
{
$username = mysql_real_escape_string(stripslashes($_POST['username'])); //set variables from session
$password = mysql_real_escape_string(stripslashes($_POST['password'])); //set variables from session
}
else
{
$username = mysql_real_escape_string($_POST['username']); //set variables from session
$password = mysql_real_escape_string(($_POST['password'])); //set variables from session
}

$password = md5($password); //md5 encryption

$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"); //checking if row exists that has $username and $password together.
$num = mysql_num_rows($query); //number of rows. if not equal to one login will fail.

if($num==1)
{
$_SESSION['username'] = $username; //store session data
$message = "$username, you are logged in!";
include "disconnect.php";
}
else
{
$message = "<font color='red'>Wrong Username or Password. Please try again.</font>";
}
}

 

Also, let's say above is my header.php and below is my index.php...

 

<?php include "head.php"; ?>

<div style="margin:5px">
Here is my page!

<?php
require "connect.php";
CODE CODE CODE
require "disconnect.php";
?>
</div>

<?php include "foot.php" ?>

 

Will this conflict or be conflicted by the the require_once code in the header.php? Is it bad to have multiple connections to the database as long as there disconnected?

Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

From a sql injection standpoint the password field is fine with just md5(), since all you can get back from it is a hexadecimal number.

 

I tend to always use require_once() in situations when it's possible I'll have another script that may try to include/require a file that has been previously included/required.

evil_stevo Newbie

evil_stevo

Posted
  • Author
Posted

So, I'm thinking it's fine if I have another piece of code in there after wards that needs reconnecting to the database. All I'll have to do is add include "connect.php" and "disconnect.php" again. Shouldn't be any problems right as long as I don't over do it?

Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

I never include an explicit call to mysql_close(). From the PHP manual: 'Using mysql_close() isn't usually necessary, as non-persistent open links are automatically closed at the end of the script's execution.'.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.