jords (posted October 13, 2015)

I found a simple PHP login script online & I amended it slightly. I'll admit I'm no expert, but there are 2 main problems here.

1. Users get logged out after about 1 hour, which gets very annoying several times per day.
2. When a user logs out, it doesn't delete the session correctly, because if a different user logs in right away, it remembers the old session variables.

```php
<?php
// logout?
$logout = $_GET["logout"];
if($logout == "1") {
    // Initialize the session.
    // If you are using session_name("something"), don't forget it now!
    session_start();
    session_destroy();
    // Unset all of the session variables.
    $_SESSION = array();
    // If it's desired to kill the session, also delete the session cookie.
    // Note: This will destroy the session, and not just the session data!
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    $_SESSION['id'] = "";
    $_SESSION['username'] = "";
    $_SESSION['password'] = "";
    $_SESSION['first'] = "";
    $_SESSION['last'] = "";
    $_SESSION['email'] = "";
    $_SESSION['email2'] = "";
    $_SESSION['type'] = "";
    $_SESSION['links'] = "";
    $_SESSION['links2'] = "";
    $_SESSION['abbreviation'] = "";
    // Finally, destroy the session.
    session_start();
    session_destroy();
}

//Start the Session
require('connect.php');
session_start();

//3. If the form is submitted or not.
//3.1 If the form is submitted
if (isset($_POST['username']) and isset($_POST['password'])){
    //3.1.1 Assigning posted values to variables.
    $username = $_POST['username'];
    $password = $_POST['password'];
    //3.1.2 Checking the values are existing in the database or not
    $query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";
    $result = mysql_query($query) or die(mysql_error());
    $count = mysql_num_rows($result);
    while($row = mysql_fetch_array($result)) {
        $id = $row['id'];
        $first = $row['first'];
        $last = $row['last'];
        $email = $row['email'];
        $email2 = $row['email2'];
        $type = $row['type'];
        $links = $row['links'];
        $links2 = $row['links2'];
        $abbreviation = $row['abbreviation'];
        $abbreviation2 = $row['abbreviation2'];
    }
    date_default_timezone_set('America/Los_Angeles');
    $timestamp = date('m/d/Y h:i:s', time());
    $ip = $_SERVER["REMOTE_ADDR"];
    $query2 = "UPDATE user SET lastlogin='$timestamp', ip='$ip' WHERE username='$username' and password='$password'";
    $result2 = mysql_query($query2) or die(mysql_error());
    //3.1.2 If the posted values are equal to the database values, then session will be created for the user.
    if ($count == 1){
        $_SESSION['id'] = "$id";
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
        $_SESSION['first'] = $first;
        $_SESSION['last'] = $last;
        $_SESSION['email'] = $email;
        $_SESSION['email2'] = $email2;
        $_SESSION['type'] = $type;
        $_SESSION['links'] = $links;
        $_SESSION['links2'] = $links2;
        $_SESSION['abbreviation'] = $abbreviation;
        $_SESSION['abbreviation2'] = $abbreviation2;
    }else{
        //3.1.3 If the login credentials doesn't match, he will be shown with an error message.
        $error = "<br/><center><font color='red'>Your username or password is incorrect. </font></center>";
    }
}

//3.1.4 if the user is logged in Greets the user with message
if (isset($_SESSION['username'])){
    header('Location: http://www.thrulinela.com/intranet/index.php');
}else{
    //3.2 Display login form.
?>
```
benanamen (posted October 13, 2015, edited October 13, 2015 by benanamen)

So much to say, but a bit short on time at the moment. The biggest thing is that you are using obsolete MySQL code. You need to use PDO with prepared statements. Your database structure could use improvement as well. You are also storing the timestamp data incorrectly. MySQL has a timestamp data type. You should be using that. Your code is also vulnerable to SQL injection. You never ever send user-supplied data directly to the database.
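For the login half of the script, the following is an added example written along the lines of the reply above (prepared statements through PDO, the database's own TIMESTAMP type, no plaintext password in the session); it is not code from the original post or from any poster. It assumes a hypothetical connect.php that defines `$pdo` as a PDO connection with `PDO::ERRMODE_EXCEPTION`, and a `user` table with columns `id`, `username`, `password_hash` (filled by `password_hash()` when the account is created), `lastlogin TIMESTAMP NULL` and `ip VARCHAR(45)`; every column name other than `id` and `username` is an assumption.

```php
<?php
// Added example, not the thread's script. Assumptions: $pdo comes from a
// hypothetical connect.php; the `user` table has id, username, password_hash,
// lastlogin (TIMESTAMP) and ip columns.
declare(strict_types=1);

require 'connect.php'; // assumed to set $pdo = new PDO(..., [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION])
session_start();

function attemptLogin(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username travels as a bound parameter, never as
    // part of the SQL text, so it cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM `user` WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A missing account takes the same path as a wrong password, so the
    // response does not reveal which usernames exist.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Transparently upgrade the stored hash if PHP's default algorithm or
    // cost has changed since the password was stored.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE `user` SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }

    // Let the database stamp the time with its TIMESTAMP type instead of
    // storing a formatted string built in PHP's local timezone.
    $log = $pdo->prepare('UPDATE `user` SET lastlogin = CURRENT_TIMESTAMP, ip = :ip WHERE id = :id');
    $log->execute([':ip' => $_SERVER['REMOTE_ADDR'] ?? '', ':id' => $row['id']]);

    // Issue a fresh session id at the privilege change, so a session id that
    // existed before login is not promoted to an authenticated one.
    session_regenerate_id(true);
    $_SESSION = [
        'id'       => (int) $row['id'],
        'username' => $row['username'],
        'login_at' => time(),
        // The password itself is deliberately not kept in the session.
    ];
    return true;
}

$error = '';
if (isset($_POST['username'], $_POST['password'])) {
    if (attemptLogin($pdo, (string) $_POST['username'], (string) $_POST['password'])) {
        header('Location: /intranet/index.php'); // path from the original script, made relative
        exit;                                    // stop so nothing below runs after the redirect
    }
    $error = 'Your username or password is incorrect.';
}

if (isset($_SESSION['id'])) {
    header('Location: /intranet/index.php');
    exit;
}
// Render the login form here; print $error through htmlspecialchars().
```

Per-user data such as first name, e-mail or links, which the original copied into `$_SESSION`, is better read from the database by `id` on each request so that an administrator's change takes effect without the user logging out.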
Jacques1 (posted October 13, 2015)

This code is malware. I don't know if the original author was actually evil-minded or just incompetent, but the result is the same: If you upload this to any server, it will take 5 minutes until the first script kiddie breaks in. So throw this crap away and stop copy-pasting stuff you found “somewhere on the Internet”. I mean, you wouldn't run executables you found “somewhere on the Internet”, right? Learn PHP, learn the basics of security and then write your own code. It's not that hard, and I'm sure we can help you with it. But I don't think anybody is willing to resurrect some garbage script from the 90s. Let it rest in peace.
QuickOldCar (posted October 13, 2015)

If you use the default session handler, you can change the expiry times before starting the session.

```php
//every 3600 seconds is an hour
ini_set('session.gc_maxlifetime', 7200);
session_set_cookie_params(7200);
session_start();
```
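The reply above covers the first of the two problems in the opening post (the hourly logout); the second (stale values surviving a logout) comes from the original script continuing past the logout branch, calling `session_start()` again and re-populating `$_SESSION`. The following added example, not code from the thread, puts both together: session lifetime settings in the spirit of the reply, plus a logout handler that ends the request. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()` and `setcookie()`, an HTTPS site (for the `secure` flag), and a hypothetical `/intranet/login.php` to redirect to; the 7200-second value is the one from the reply, not a recommendation.

```php
<?php
// Added example, not the thread's script. Assumes PHP >= 7.3, HTTPS, and a
// hypothetical /intranet/login.php to land on after logout.
declare(strict_types=1);

const SESSION_LIFETIME = 7200; // seconds; value taken from the reply above

function configureSession(int $lifetime): void
{
    // Server side: idle session data older than this is treated as garbage.
    // Keep it >= the cookie lifetime, or the browser keeps sending an id
    // whose data is already gone.
    ini_set('session.gc_maxlifetime', (string) $lifetime);
    // Refuse session ids the server never issued.
    ini_set('session.use_strict_mode', '1');
    // Client side: cookie lifetime and flags. HttpOnly keeps scripts from
    // reading the id, Secure keeps it off plaintext HTTP, SameSite limits
    // cross-site requests that carry it.
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function logout(): void
{
    // Clear the data, expire the cookie, then drop the server-side copy.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

configureSession(SESSION_LIFETIME);

if (($_GET['logout'] ?? '') === '1') {
    logout();
    // Redirect and stop here. The original script fell through to another
    // session_start() and a fresh set of assignments to $_SESSION, which is
    // why the next login could see values left over from the previous user.
    header('Location: /intranet/login.php'); // hypothetical path
    exit;
}

// Sliding expiry: re-issue the cookie on each authenticated request so an
// active user is not cut off at a fixed interval after login.
if (isset($_SESSION['id'])) {
    $p = session_get_cookie_params();
    setcookie(session_name(), session_id(), [
        'expires'  => time() + SESSION_LIFETIME,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
}
// Login handling continues below for requests that are not a logout.
```

Whichever of the two limits is shorter decides when a user is logged out: the cookie lifetime ends the session on the browser side, and `session.gc_maxlifetime` marks the data as collectable on the server side (actual removal happens whenever garbage collection runs, so the server-side value is a lower bound, not an exact cut-off).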
benanamen (posted October 13, 2015)

By the powers vested in me by no one, I command all knowledgeable coders to not help get this code "working". As @Jacques1 so wisely said, this is evil, dirty, bad, nasty code. If I was a mod, this thread would be locked after @Jacques1 answered.
jords (author, posted October 13, 2015)

And here I was thinking this was somewhere I could reach out to get help. I didn't write this, I just tried to make use of it. If you think it's not good enough to use, then do you have somewhere you can direct me to find something better, or learn how to code something similar myself?
Jacques1 (posted October 13, 2015)

See the two links above. I'd do this step-by-step: Start with the basics, then move on to databases, and finally learn the specifics of authentication (password hashing, session management etc.). Like I said, we can definitely help you if you have any questions. Unfortunately, there's no shortcut. Sure, there's free PHP code all over the place, but pretty much all of it is crap and won't get you anywhere. You'll only learn wrong practices and maybe even damage your server. Sure, there are complete authentication systems, but they're very complex and not something you can just copy and adjust.
benanamen (posted October 13, 2015)

> And here I was thinking this was somewhere I could reach out to get help.

You did get help. We hopefully stopped you from using bad code. That was step 1.