ananaz Posted January 21, 2011

Hello, I want to know if my login php is secure or if it's easily hacked by anyone.

```php
<?php
// $host, $username, $password, $db_name and $tbl_name are assumed to be
// defined earlier (for example in an included config file); that part is not shown in the post.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// Define $myusername and $mypassword
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$gmtUnixTime = time();
$tUnixTime = $gmtUnixTime + 3600;
$sGMTMySqlString = gmdate("Y-m-d H:i:s", $tUnixTime);
// Parse the String into a new UNIX Timestamp
$tParsedTime = strtotime($sGMTMySqlString . " GMT");

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);

// mysql_num_rows counts the rows the query returned
$count = mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if ($count == 1) {
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    $sql = "UPDATE $tbl_name SET senast = '$sGMTMySqlString' WHERE username = '$myusername'";
    mysql_query($sql) or die(mysql_error());
    $_SESSION['user'] = "$myusername";
    $_SESSION['senastlog'] = "$sGMTMySqlString";
    header("location:index.php");
} else {
    header("location:failed.php");
}
ob_end_flush();
?>
```
beegro Posted January 21, 2011

In terms of security you're doing 2 less-than-secure things here.

- storing a user's password in plain text in the database
- storing the user's password in the session

Is there a reason you'd need the password again later in the session and not just for comparison at login? Also, if someone, including other developers, gets into the database and can see all the users' individual passwords, then their accounts are compromised. It's simply bad practice to store passwords in plain text.
BlueSkyIS Posted January 21, 2011

session_register() is deprecated. Use $_SESSION['somevalue'], but I don't know why you'd want session_register("myusername") or session_register("mypassword") anyway, so delete those lines. ob_end_flush() seems pointless, so I would remove it and add exit() after each header() call.
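The two replies above (hashed passwords and nothing but an identifier in the session; $_SESSION instead of session_register() and exit() after each header()) come together in the following login handler. It is an added example, not code from the thread or from phpeasystep.com, and it assumes a PDO connection (the DSN, `app_user` and `app_password` are placeholders), a `users` table with columns `id`, `username`, `password_hash` and `senast`, and PHP 7.1 or later for `password_hash()` and nullable return types.

```php
<?php
// Added example (not from the thread). Assumptions: PDO available, a `users` table
// with columns id, username, password_hash, senast; credentials below are placeholders.

session_start();

$pdo = new PDO(
    "mysql:host=localhost;dbname=app;charset=utf8mb4",
    "app_user",       // placeholder
    "app_password",   // placeholder
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

/**
 * Store a new user. Only the hash is written; the plain password never reaches the DB.
 */
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare("INSERT INTO users (username, password_hash) VALUES (:u, :h)");
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/**
 * Verify a login. Returns the user's id on success, null otherwise.
 * Bound parameters replace stripslashes()/mysql_real_escape_string() entirely.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare("SELECT id, password_hash FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for unknown usernames, so response time
    // does not reveal which usernames exist.
    $hash = ($row !== false) ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return null;
    }

    // Transparently upgrade stored hashes when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare("UPDATE users SET password_hash = :h WHERE id = :id");
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

$username = $_POST['myusername'] ?? '';
$password = $_POST['mypassword'] ?? '';

$userId = authenticate($pdo, $username, $password);

if ($userId !== null) {
    // Issue a fresh session id on login so a pre-set id cannot be reused (session fixation).
    session_regenerate_id(true);

    // Record last login in UTC and keep only the user id and that timestamp in the
    // session; the password is never stored there.
    $now = gmdate("Y-m-d H:i:s");
    $stmt = $pdo->prepare("UPDATE users SET senast = :t WHERE id = :id");
    $stmt->execute([':t' => $now, ':id' => $userId]);

    $_SESSION['user_id'] = $userId;
    $_SESSION['senastlog'] = $now;

    header("Location: index.php");
    exit; // nothing after a redirect should run
}

header("Location: failed.php");
exit;
```

Pages that need the logged-in user read `$_SESSION['user_id']` and look the user up; there is no reason for them to ever see the password, which is why only an identifier is kept in the session.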
Pikachu2000 Posted January 21, 2011

That code is easily recognizable as being from a tutorial on phpeasystep.com. Their tutorials are largely obsolete, and shouldn't be followed (unless you're still using php4, LOL).