biscoe916 Posted March 8, 2008

I wrote a script to authorize users upon entry to my website. It works perfectly, but I was wondering if you guys could take a look at my code to see if there are any security holes.

Code:

<?php
session_start();
header("Cache-control: private");
include("connect.php"); // opens the MySQL connection

// No session yet and the form has not been submitted: show the login form.
if(!$_SESSION["username"] && !$_POST["loginsubmit"]) {
    echo "Please log in";
?>
<form class="memberform" name="login_form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
Username: <input id="stextBox" type="text" name="username" /> <br />
Password: <input id="stextBox" type="password" name="password" /> <br />
<input type="submit" name="loginsubmit" value="Submit" />
</form>
<?php
    exit;
}

// Form submitted: look the user up and start the session.
if($_POST["loginsubmit"]) {
    $username = $_POST["username"];
    $password = md5($_POST["password"]);
    $sql = "SELECT * FROM users WHERE username='". $username ."' AND password='". $password ."'";
    $result = mysql_query($sql);
    $num = mysql_num_rows($result);
    if($num < 1) {
        session_destroy();
        echo "Invalid username and/or password.";
        exit;
    } else {
        session_register("username");
        session_register("password");
        $records = mysql_fetch_array($result);
        if($records["active"] != 1) {
            session_destroy();
            echo "Sorry ". $records["fname"]. " your account hasn't been activated yet.";
            exit;
        }
    }
} // if form submitted
?>
biscoe916 Posted March 8, 2008 (Author)

I realized that I forgot to put session_destroy() if the user wasn't activated yet.
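Added example (not biscoe916's code, and not a reply from the thread): the same login flow rewritten to close the holes a reviewer would flag in the posted script: the username concatenated straight into the SQL string, unsalted MD5 password storage, the deprecated session_register() (which also puts the password into the session), PHP_SELF and the stored first name echoed into HTML unescaped, and no session id rotation on login. It also keeps the session_destroy() on the not-activated path that the follow-up post mentions. Assumptions: PHP 7.1 or later, a PDO connection built from placeholder credentials (the thread's connect.php is not shown), and a users table with columns id, username, password, active and fname, of which only the last four appear on the page.

```php
<?php
// Added example, not from the original post: hardened version of the posted login flow.
// Assumptions: PHP >= 7.1; a `users` table with columns id, username, password, active, fname
// (id is assumed; the others appear in the posted code); placeholder DB credentials.
session_start();
header('Cache-Control: private');

// Placeholder connection details; replace with the real ones from connect.php.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

function showLoginForm(): void
{
    // Escape the request path before putting it into the form markup.
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    echo 'Please log in';
    echo '<form class="memberform" method="post" action="' . $action . '">'
       . 'Username: <input type="text" name="username" /><br />'
       . 'Password: <input type="password" name="password" /><br />'
       . '<input type="submit" name="loginsubmit" value="Submit" />'
       . '</form>';
}

// Returns the user row on success, or null when the credentials do not match.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Parameterised query: the username travels separately from the SQL text,
    // so quotes or comment markers inside it cannot alter the statement.
    $stmt = $pdo->prepare(
        'SELECT id, username, password, active, fname FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks a salted bcrypt hash written by password_hash() at
    // registration, in constant time; a bare md5() column is cheap to brute-force offline.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

if (!isset($_SESSION['user_id']) && !isset($_POST['loginsubmit'])) {
    showLoginForm();
    exit;
}

if (isset($_POST['loginsubmit'])) {
    $user = authenticate(
        $pdo,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );

    if ($user === null) {
        // One message for both unknown user and wrong password, so usernames
        // cannot be enumerated from the response.
        session_destroy();
        echo 'Invalid username and/or password.';
        exit;
    }

    if ((int) $user['active'] !== 1) {
        // Not activated yet: drop the session, as the follow-up post intends,
        // and escape the stored name before echoing it back into HTML.
        session_destroy();
        echo 'Sorry ' . htmlspecialchars($user['fname'], ENT_QUOTES, 'UTF-8')
           . ', your account hasn\'t been activated yet.';
        exit;
    }

    // A fresh session id on login defeats session fixation; store only the
    // user id in the session, never the password.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
}
```

The structural change is that the password never reaches the database query at all: the row is fetched by username alone and the hash comparison happens in PHP, which is what makes prepared statements and password_verify() fit together. Pages that require a login then check isset($_SESSION['user_id']) rather than a username string that the client could have supplied.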