Jump to content

secure login script verify


dsp77

Recommended Posts

Hello,

I made an login script, it works but i want to be sure if its secure to use in everyday use, here is the script:

 

<?php
session_start();

require_once('include/config.inc.php');
require_once('include/functions.php');

function clean($str, $encode_ent = false) {
$str  = @trim($str);
if ($encode_ent) {
	$str = htmlentities($str);
}
if (version_compare(phpversion(),'4.3.0') >= 0) {
	if (get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	if (@mysql_ping()) {
		$str = mysql_real_escape_string($str);
	}
	else {
		$str = addslashes($str);
	}
}
else {
	if (!get_magic_quotes_gpc()) {
		$str = addslashes($str);
	}
}
return $str;
}

if (isset($_POST['submit'])) {
if ($_POST['code'] == $_SESSION['rand_code']) {	
	//Sanitize the POST values
	$username = clean($_POST['username']);
	$password = clean($_POST['password']);
	$ip       = clean($_SERVER['REMOTE_ADDR']);

	$query="SELECT * FROM user WHERE username='$username' AND password='".md5($_POST['password'])."'";
	$result=mysql_query($query);

	//Check whether the query was successful or not
	if ($result) {
		if (mysql_num_rows($result) == 1) {
			//Login Successful
			session_regenerate_id();
			$user = mysql_fetch_assoc($result);
			$_SESSION['SESS_MEMBER_ID'] = $user['username'];
			session_write_close();

			$query_login_ok = "INSERT INTO logs (`username`, `password`, `result`, `ip`) VALUES ('$username', '$password', 'SUCCESS', '$ip');";
			$result_query_login_ok = mysql_query($query_login_ok) or die('MYSQL ERROR');

			header("location: pmt.php");

			exit();
		} else {
			//Login failed
			$query_login_fail = "INSERT INTO logs (`username`, `password`, `result`, `ip`) VALUES ('$username', '$password', 'FAILED', '$ip');";
			$result_query_login_fail = mysql_query($query_login_fail) or die('MYSQL ERROR');

			header("location: index.php");

			exit();
		}
	} else {
		die("ERROR");
	}
}
}
?>
<form id="login" name="login" method="post" action="">
  <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
    <tr>
      <td width="112"><b>Username</b></td>
      <td width="188"><input name="username" type="text" class="textfield" id="username" value="admin" /></td>
    </tr>
    <tr>
      <td><b>Password</b></td>
      <td><input name="password" type="password" class="textfield" id="password" value="qazwsx" /></td>
    </tr>
    <img src="include/captcha.php"/>
    <tr>
      <td><b>Code</b></td>
      <td><input type="text" name="code" /></td>
    </tr>
    <tr>
      <td> </td>
      <td><input type="submit" name="submit" value="Login" /></td>
    </tr>
  </table>
</form>

 

Link to comment
Share on other sites

You're storing passwords in the log table as plain text that's not secure.

 

Other points:

 

1. bad: if (isset($_POST['submit'])) {

 

2. Calling mysql_ping() everytime you want to clean a var is pointless, just add a check in the db connect script to test for a successful connection.

Link to comment
Share on other sites

Thank you for the answers.

I forgot to remove the $password from succes login.

Removed the clean from password you're right there is no need 2 clean.

why is bad using if (isset($_POST['submit'])) {}

 

i replaced the function clean with:

	function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

Link to comment
Share on other sites

If you're storing the password in plaintext, why are you attempting to SELECT it's md5 hashed value?

 

He is storing the password hashed in the users table, but is also inserting each login attempt into the logs table where he stores the password as plaintext. No need to be storing the password in the logs table.

Link to comment
Share on other sites

the password stored in logs was not intended i just copied the line and forgot 2 remove it, now i have it like this

$query_login_ok = "INSERT INTO logs (`username`, `password`, `result`, `ip`) VALUES ('$username', '*******', 'SUCCESS', '$ip');";

i changed the if (isset($_POST['submit'])) {} to if($_SERVER['REQUEST_METHOD'] == 'POST')

 

Thank you for the help guys, i'm happy now because my script is secure :)

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.