Jump to content

Login script help

master82

By master82
in PHP Coding Help

 Share

Recommended Posts

master82 Regular Member

master82

Posted
Posted
Hello - I've created a rather messy user authentication script that is used once a user fills out the login form...

[code]
<?php
//start sessions
session_start();
//Delete current sessions
if($_SESSION['userid']){
unset($_SESSION['userid']);
}
if($_SESSION['employ']){
unset($_SESSION['employ']);
}
//call connection data
include("db.php");
//check username field populated
if($_POST['user'] == "") {
die("No username entered");
}
//check password field populated
if($_POST['password'] == "") {
die("No password entered");
}
//convert password to md5
$securepass = md5($_POST['password']);
//check username matches password
$checkit = "SELECT userid FROM users WHERE username = '".$_POST['user']."' AND password = '$securepass'";
$result = mysql_query($checkit,$db) or die("Details incorrect");
while ($newArray = mysql_fetch_array($result)) {
$userid = $newArray['userid'];
$banned = $newArray['banned'];
}
//check if banned
if (mysql_num_rows($result) == 1) {
if ($banned > 0 ) {
die("You are currently banned for another $banned days");
}
//create session data
$_SESSION['userid'] = $userid;
$_SESSION['employ'] = 1;
//set ip
$ip = ($_SERVER['HTTP_X_FORWARDED_FOR'])
    ?  $_SERVER['HTTP_X_FORWARDED_FOR']
    :  $_SERVER['REMOTE_ADDR'];
//set session id
$sesid = session_id();
//update ip in user table
$updateip = mysql_query("Update users SET lastip = '$ip' WHERE username = '".$_POST['user']."' AND password = '$securepass'");
//update last active in user table
$updateactive = mysql_query("Update users SET lastactive = unix_timestamp() WHERE username = '".$_POST['user']."' AND password = '$securepass'");
//update session id in user table
$updatesid = mysql_query("Update users SET sessionid = '$sesid' WHERE username = '".$_POST['user']."' AND password = '$securepass'");
//all checks complete - redirect
header("Location: home.php");
}
else
{
//fail - redirect back to login page
header("Location: index.php");
}
?>
[/code]

Is there anything I could add to make it more secure or to prevent possible hacks or forced entry?

Thanks in advance
Link to comment
Share on other sites
Shad Newbie

Shad

Posted
Posted
try to use elseif, its faster and easier. Also, dont insert data straight from a post into the database, you can be easily SQL injected. for example,
[code=php:0]$checkit = "SELECT userid FROM users WHERE username = '".$_POST['user']."' AND password = '$securepass'";[/code]
should be
[code=php:0]$user = htmlspecialchars($_POST['user']);
$checkit = "SELECT userid FROM users WHERE username = '$user' AND password = '$securepass'";[/code]
[/code]

and for here:
[code=php:0]$updateip = mysql_query("Update users SET lastip = '$ip' WHERE username = '".$_POST['user']."' AND password = '$securepass'");
//update last active in user table
$updateactive = mysql_query("Update users SET lastactive = unix_timestamp() WHERE username = '".$_POST['user']."' AND password = '$securepass'");
//update session id in user table
$updatesid = mysql_query("Update users SET sessionid = '$sesid' WHERE username = '".$_POST['user']."' AND password = '$securepass'");
//all checks complete - redirect[/code]

make it all in one:

[code=php:0]$update = mysql_query("Update users SET lastip = '$ip',lastactive = unix_timestamp(),sessionid = '$sesid' WHERE username = '".$_POST['user']."' AND password = '$securepass'");[/code]
Link to comment
Share on other sites
alpine Member

alpine

Posted
Posted
Like this:
[code]

<?php

session_start();

if(isset($_SESSION['userid'])) $_SESSION['userid'] = null;
if(isset($_SESSION['employ'])) $_SESSION['employ'] = null;

include("db.php");

if(!empty($_POST['user']) || !empty($_POST['password']))
{
$username = htmlspecialchars($_POST['user']);
$securepass = md5($_POST['password']);
$checkit = mysql_query("SELECT userid,banned FROM users WHERE password = '$securepass' AND username = '$username'");
if(mysql_num_rows($checkit) <> 1)
{
  die("No valid user found");
}
else
{
$newArray = mysql_fetch_array($checkit);
$userid = $newArray['userid'];
$banned = $newArray['banned'];

if ($banned > 0 ) die("You are currently banned for another $banned days");

$_SESSION['userid'] = $userid;
$_SESSION['employ'] = 1;
$ip = ($_SERVER['HTTP_X_FORWARDED_FOR'])
    ?  $_SERVER['HTTP_X_FORWARDED_FOR']
    :  $_SERVER['REMOTE_ADDR'];
$sesid = session_id();
$update = mysql_query("
Update users SET lastip = '$ip',
lastactive = unix_timestamp(),
sessionid = '$sesid'
WHERE username = '$username' AND password = '$securepass'");
if($update)
{
header("Location: home.php");
exit();
}
else
{
die("Login failed to complete, try again");
}
}
}
else
{
header("Location: index.php");
}
?>

[/code]
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.