The Little Guy Posted December 21, 2006 Share Posted December 21, 2006 What would make for a "Secure Login"?I don't really know If my code is "Secure" or not.I use somthing simular to this:[code]<?phpsession_start();if(!isset($_POST['submit'])){ header("Location: login.php");}else{ include"db.php"; //Include connections to database $sql = mysql_query("SELECT * FROM users WHERE user='".addslashes($_POST['username'])."' AND password='".addslashes($_POST['password'])."' LIMIT 1")or die(mysql_error()); $row = mysql_fetch_array($sql); if(!$row){ $_SESSION['error'] = '<span class="redtxt">Incorrect User name or Password</span>'; header("Location: login.php"); }else{ $_SESSION['user'] = $row['user']; //User name $_SESSION['id'] = $row['user_id']; //Auto incremented user id $_SESSION['first_name'] = $row['fname']; //First Name $_SESSION['last_name'] = $row['lname']; //Last Name /*Any other sessions go here except for passwords*/ $_SESSION['loggedin'] = 1; header("Location: user.php"); //The users page }}?>[/code]Once the user has logged in, on all the pages that contains information about them, or for them, I add this as the very first line of code:[code]<?phpsession_start();if($_SESSION['loggedin'] != 1){ header("Location: login.php");}//The rest of the document?> [/code]Any thoughts on my method? Link to comment https://forums.phpfreaks.com/topic/31538-secure-logins/ Share on other sites More sharing options...
ted_chou12 Posted December 21, 2006 Share Posted December 21, 2006 What mine is, is its composed of a function, my login script sets a function, and if that function is true, then it lets the user see the page else, it redirects, I dont know about if it is safe or not, btw, I use session as well.Ted. Link to comment https://forums.phpfreaks.com/topic/31538-secure-logins/#findComment-146136 Share on other sites More sharing options...
alpine Posted December 21, 2006 Share Posted December 21, 2006 Have a go on this thread + search around - this is a widely discussed issue.http://www.phpfreaks.com/forums/index.php/topic,118229.0.htmlAs a hint, your current script is open to injection attacs.*EDIT* You edited the post to include addslashes() after my post here, BUT you should really be checking the get_magic_quotes_gpc status to prevent double slashing. Make your self a user defined Safe() function where you set the input sanitation, makes it much easier to controll site-wide as time passes and things changes. Link to comment https://forums.phpfreaks.com/topic/31538-secure-logins/#findComment-146137 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.