jbingman Posted October 10, 2007

Hi, I have a login script and I would like to know how to make it more secure.

    <?php
    include('/home/fresnosa/public_html/includes/dbConfig.php');

    if($_GET['do'] == 'check') {
        $username = $_POST['username'];
        $password = $_POST['password'];

        $conn = mysql_connect($host, $user, $pass) or die('Could not connect: ' . mysql_error());
        //select database
        mysql_select_db($db, $conn) or die('Could not select database');

        // username is interpolated into the query string as-is
        $result = mysql_query("SELECT * FROM users WHERE user='$username'") or die(mysql_error());
        $row = mysql_fetch_array($result);

        if($row['user'] == '') {
            echo "<b>username or password is incorrect</b><br>";
        } else {
            // stored password is compared in plain text
            if($row['password'] == $password) {
                $_SESSION['logged'] = "true";
                $_SESSION['user'] = $username;
                header("location: admin.php");
            } else {
                echo "<b>username or password is incorrect</b><br>";
            }
        }
    }
    ?>
MadTechie Posted October 10, 2007

Holy hell.. filter the username for starters...

    // in case you have magic quotes on: undo the automatic backslashes
    // before escaping the value for MySQL, otherwise it gets escaped twice
    if (get_magic_quotes_gpc()) {
        $_POST['username'] = stripslashes($_POST['username']);
    }
    $username = mysql_real_escape_string($_POST['username']);

EDIT: Updated (in case of magic quotes)

ALSO, your password should be hashed (read up on MD5). Basic idea: when they enter the password you use

    $newpass = MD5($pass);

then do the same when you verify it (also read up on MD5+SALT). I'm sure others here will give you the info as well.
jbingman Posted October 10, 2007

Where would I put that? What does that do?
MadTechie Posted October 10, 2007

It basically filters the input. Put it this way: without the filter I could (without a user account) drop (remove) all your databases from your site.

Full code:

    <?php
    include('/home/fresnosa/public_html/includes/dbConfig.php');

    if($_GET['do'] == 'check') {
        //added
        // in case you have magic quotes on: undo the automatic backslashes first
        if (get_magic_quotes_gpc()) {
            $_POST['username'] = stripslashes($_POST['username']);
        }

        //updated
        $username = mysql_real_escape_string($_POST['username']);
        $password = $_POST['password'];

        $conn = mysql_connect($host, $user, $pass) or die('Could not connect: ' . mysql_error());
        //select database
        mysql_select_db($db, $conn) or die('Could not select database');

        $result = mysql_query("SELECT * FROM users WHERE user='$username'") or die(mysql_error());
        $row = mysql_fetch_array($result);

        if($row['user'] == '') {
            echo "<b>username or password is incorrect</b><br>";
        } else {
            if($row['password'] == $password) {
                $_SESSION['logged'] = "true";
                $_SESSION['user'] = $username;
                header("location: admin.php");
            } else {
                echo "<b>username or password is incorrect</b><br>";
            }
        }
    }
    ?>
jbingman Posted October 10, 2007

Everything else works, but I can't find how to incorporate MD5+salt, and the msyql_real_escape_string() function isn't working.
MadTechie Posted October 10, 2007

What do you mean by isn't working? Error message?
jbingman Posted October 10, 2007

Yes, it gives me this:

    Fatal error: Call to undefined function msql_real_escape_string() in /home/fresnosa/public_html/admin/login.php on line 49
darkfreaks Posted October 10, 2007

Try

    <?php
    $username = $_POST['username'];
    $username = mysql_real_escape_string($username);
    ?>

This should work.
Aureole Posted October 10, 2007

You made a typo, you missed the "y" on mysql_real_escape_string() ...
darkfreaks Posted October 10, 2007

LOL
jbingman Posted October 10, 2007

Yeah, well either way I still get it if I spell it right. Now I get:

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'fresnosa'@'localhost' (using password: NO) in /home/fresnosa/public_html/admin/login.php on line 50

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/fresnosa/public_html/admin/login.php on line 50
MadTechie Posted October 10, 2007

Move the code down:

    //updated - MOVED!
    $username = mysql_real_escape_string($_POST['username']);
    $password = $_POST['password'];

Full code:

    <?php
    include('/home/fresnosa/public_html/includes/dbConfig.php');

    if($_GET['do'] == 'check') {
        //added
        // in case you have magic quotes on: undo the automatic backslashes first
        if (get_magic_quotes_gpc()) {
            $_POST['username'] = stripslashes($_POST['username']);
        }

        $conn = mysql_connect($host, $user, $pass) or die('Could not connect: ' . mysql_error());
        //select database
        mysql_select_db($db, $conn) or die('Could not select database');

        //updated - MOVED! mysql_real_escape_string() needs an open connection,
        // so it has to run after mysql_connect()
        $username = mysql_real_escape_string($_POST['username']);
        $password = $_POST['password'];

        $result = mysql_query("SELECT * FROM users WHERE user='$username'") or die(mysql_error());
        $row = mysql_fetch_array($result);

        if($row['user'] == '') {
            echo "<b>username or password is incorrect</b><br>";
        } else {
            if($row['password'] == $password) {
                $_SESSION['logged'] = "true";
                $_SESSION['user'] = $username;
                header("location: admin.php");
            } else {
                echo "<b>username or password is incorrect</b><br>";
            }
        }
    }
    ?>
jbingman Posted October 10, 2007

Oh perfect, that works, thanks for your help!
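The thread's two pieces of advice (escape the username before it reaches the query, and store a salted hash instead of the plain password) have direct modern equivalents: a prepared statement binds the username as a parameter so it can never alter the query, and password_hash()/password_verify() (PHP 5.5 and later) do salted hashing for you. The mysql_* functions used above were removed in PHP 7.0. The following is an added example, not code from jbingman or MadTechie; it assumes the same `users` table with `user` and `password` columns, that `password` holds password_hash() output rather than plaintext, and that `$host`, `$db`, `$user` and `$pass` come from the thread's dbConfig.php.

```php
<?php
// Added example: the thread's login flow rewritten with PDO prepared statements
// and salted password hashing. Assumes a `users` table with columns `user` and
// `password`, where `password` stores password_hash() output (assumption), and
// that dbConfig.php defines $host, $db, $user and $pass as in the thread.
session_start();
include('/home/fresnosa/public_html/includes/dbConfig.php');

function dbConnect(string $host, string $db, string $user, string $pass): PDO
{
    return new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Registration side: store a salted hash, never the password itself.
// password_hash() generates a random salt and embeds it in the result,
// so no separate salt column is needed (this replaces the MD5+salt idea).
function createUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (user, password) VALUES (:user, :hash)');
    $stmt->execute([':user' => $username, ':hash' => $hash]);
}

// Login side: the username is bound as a parameter, so quotes in it (with or
// without magic_quotes) cannot change the structure of the query.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE user = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the salt out of the stored hash and compares in
    // constant time. Unknown user and wrong password produce the same result,
    // so the caller's error message does not reveal which one failed.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }

    // Transparently upgrade hashes made with an older algorithm or cost.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = :hash WHERE user = :user');
        $upd->execute([
            ':hash' => password_hash($password, PASSWORD_DEFAULT),
            ':user' => $username,
        ]);
    }
    return true;
}

if (($_GET['do'] ?? '') === 'check') {
    $pdo      = dbConnect($host, $db, $user, $pass);
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    if (checkLogin($pdo, $username, $password)) {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
        $_SESSION['logged'] = true;
        $_SESSION['user']   = $username;
        header('Location: admin.php');
        exit;                          // stop here so nothing after the redirect runs
    }
    echo "<b>username or password is incorrect</b><br>";
}
```

Two details differ from the thread's scripts on purpose: session_start() is called before $_SESSION is touched (the original scripts rely on it being in dbConfig.php or never start a session at all), and the script exits right after the redirect header, since header() alone does not stop execution.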