My Login System

[tamumech]

Hi all.

 

I wanted to run this by you guys to make sure I'm not making any huge security mistakes.  As suggested before, each page generates a random token that is required by the next page.

 

My Login page:

<?php

// If it hasn't been submitted
if ( !$_POST[login_submit] )
{
include ("login_form.inc");
die();
}

// Check for blanks
foreach ($_POST as $input )
{
if ( $input == "" )
	{
	echo "You must enter a Username and Password.";
	include ("login_form.inc");
	die();
	}
}

// Encrypt password
$crypt_pass = md5($_POST[password]);

// Verify user
include("today.inc");
$connect = mysql_connect($host, $user, $pass) or die('Failure to connect to Database.  Please contact us at customer support');
$db_connect = mysql_select_db($db) or die ('Failure to select Database.  Please contact us at customer support');
$select = "SELECT email FROM schools WHERE email = '$_POST[email]' AND password = '$crypt_pass'";
$result = mysql_query($select) or die('Could not execute query');
$num_rows = mysql_num_rows($result);
// Start session and redirect
if ( $num_rows > '0' )
	{
	session_start();
	session_regenerate_id();
	$_SESSION['auth'] = TRUE;
	$token = md5(uniqid(rand(),TRUE));
	$_SESSION['token'] = $token;
	header("Location: http://www.website.com?token=$token");	
	}
// get outta my house	
else
	{
	echo "Invalid Username or Password.";
	include ("login_form.inc");
	die();		
	}

?>

 

And the includes file at the top of every restricted page:

<?php 
session_start();
if ( $_SESSION['auth'] != "TRUE" || $_SESSION['token'] != $_GET['token'] )
{
header('Location: login.php');
die();
}
$token = md5(uniqid(rand(),TRUE));
$_SESSION['token'] = $token;
?>

 

An example page:

<?php 
include("top.inc");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<a href="player_counter.php<?php echo "?token=$token" ?>">Click Here</a>
<p>Members Only</p>
</body>
</html>

[teng84]

fro some case use header not include

[tamumech]

OK.

 

So I'm assuming I handled the tokens correctly?

[-Mike-]

In your queries.

$select = "SELECT email FROM schools WHERE email = '$_POST' AND password = '$crypt_pass'";

 

Yikes!

 

$_POST

 

That's trusting people to be good! You could put anything you like into the email field, and it'll run a query based upon that.

 

It's called "sql injection", and your vulnerable.

 

Escape anything that use to query a database that is got from anywhere at all - so page numbers, article ids... usernames.

 

$email = mysql_real_escape_string($_POST['email']);

Then use $email in the query.

 

 

Personally I first do a regex against emails to check their format, if it's okay - then I will do the mysql_real_escape_string and search the database.

No point doing a search on something that's not going to be there in my opinion

You crypt the passwords entered value, but for "good practice" i think you should also do the same there:

$crypt_pass = mysql_real_escape_string($crypt_pass);

 

No doubt more knowledgeable people will give better advice, or more complete advice, where applicable (or correct me where wrong).

[cluce]

you may also want to do something like this before sending data to your sql

 

 

//trims and strips tags and escapes fields

$checkuser = mysqli_real_escape_string($mysqli,trim(strip_tags($_POST['username'])));

$checkpassword = mysqli_real_escape_string($mysqli,trim(strip_tags($_POST['password'])));

[tamumech]

whew!

 

I didn't even think of data checking here.  For some reason I thought I took care of all that during registration.

 

Thanks for the heads up!