Thread: How secure\insecure is this login script (PHP)?

  1. #1 Dorza
    How secure\insecure is this login script (PHP)?

    Ok I just finished editing the following login script after finding a tutorial for it on the web. It will be used to log a select few users of a website into the CMS of that particular website. The tutorial I followed didn’t seem to have anything to prevent SQL injection attacks so I added my own safeguards (I think). That’s a very big I think as well. The file config.php contains a function which escapes any data going into the database; this file is at the end of the post.

    I also created a file called secure.php which, when included into another script, will prompt the user for login details if they are not logged in. In the original tutorial the code contained in secure.php was only shown in the auth.php script I think. However, moving it to a separate file allows me to protect any script into which it is included. I’ve tested it and it seems to work. But I would like any opinions on what I post below. I’m looking for something that’s as secure as possible. Since I'm still inexperienced with the whole PHP/MySQL thing I'd just like an analysis/advice on what’s been done and whether or not it will suffice.

    Here are the scripts:

    Initial Login form:
    PHP Code:
    <form method="post" name="login" action="process.php">
    <p>Username : <input type="text" name="username" /></p>
    <p>Password : <input type="password" name="password" /></p>
    <p><input type="submit" name="submit" value="Submit" /></p>
    </form>
    <?php
    if (isset($_GET['error'])) {
        echo 'Invalid login data supplied. Please try again.';
    }
    ?>
    Gets passed to process.php:

    PHP Code:
    <?php
    session_start();
    require_once 'config.php';

    $dbHost = ""; // Database Connection Details - host
    $dbUser = ""; // Database Connection Details - username
    $dbPass = ""; // Database Connection Details - password
    $dbname = ""; // Database Connection Details - database name

    $db = mysql_connect($dbHost, $dbUser, $dbPass); // Connection Code
    mysql_select_db($dbname, $db);                  // Connects to database

    // safe() refers to a function in config.php; it wraps mysql_real_escape_string(),
    // which needs the connection above to exist before it is called
    $username = safe($_POST['username']);      // Stores our inputted data in these variable names
    $password = safe(md5($_POST['password'])); // Stores our inputted data in these variable names

    $query = "SELECT username, password FROM login WHERE username = '$username' AND password = '$password'";
    $result = mysql_query($query, $db);
    if (mysql_num_rows($result)) {
        $_SESSION['loggedin'] = 1;
        header('Location: http://www.example.com/exampleAdmin/admin.php'); // Successful login
        exit();
    } else {
        header('Location: http://www.example.com/exampleAdmin/form.php?error=1'); // Login not successful, redirect back to login form
        exit();
    }
    ?>
    If successful redirect to the Administration page:

    PHP Code:
    <?php
    require_once 'secure.php';
    ?>
    Welcome to the admin section. <a href="logout.php">Log out</a>.<br />

    <a href="#">Add Content</a> <!-- Example menu item I added -->
    When the user clicks "Log out" they go to the following script which logs them out:
    PHP Code:
    <?php
    session_start();                           // declare that sessions are being used
    session_unset();                           // unset session variables
    session_destroy();                         // now destroy the session and remove it from the user's browser
    header('Location: http://www.example.com'); // Forwards to a new page after logout
    exit();                                    // exit
    ?>
    Extra pages needed for the previous scripts to work

    Any page that needs securing needs to have secure.php included at the top:
    PHP Code:
    <?php
    session_start();

    if (!isset($_SESSION['loggedin'])) {
        header('Location: http://www.example.com/exampleAdmin/form.php?error=1');
        exit();
    }
    ?>
    And finally the config.php file that some of the scripts require is:

    PHP Code:
    <?php
    # Cross site Functions Go here

    function safe($string) {
        return mysql_real_escape_string($string);
    }

    # Cross site Variables here
    // None added

    ?>
    Is this an adequate and secure login system for a site's CMS admin pages? It's the first time I've attempted this so, as I said before, I’m not too sure about its integrity (if that’s the right word). The original tutorial I followed can be seen Here. Though I’ve obviously changed the SELECT statement to suit my database structure. Any sort of advice on this would be appreciated as always.
    Last edited by Dorza; 10-02-2006 at 11:37 PM.
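An added example, not part of Dorza's post or the tutorial it came from: the same process.php flow rewritten so the username is bound as a query parameter instead of escaped into the SQL string, and the password is checked with password_hash()/password_verify() in PHP rather than compared as an md5 digest in the database. The `login` table and its username/password columns are the ones from the post; that the password column holds a password_hash() result, and the PDO connection details, are assumptions.

```php
<?php
// Added example (not the poster's code): hardened replacement for process.php.
// Assumes table `login` (username, password) where `password` stores the output
// of password_hash(), not an md5() hex string as in the original script.
session_start();

$dbHost = ""; $dbUser = ""; $dbPass = ""; $dbname = ""; // fill in as in the original

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$pdo = new PDO("mysql:host=$dbHost;dbname=$dbname;charset=utf8mb4", $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// The username travels as a bound parameter, never as part of the SQL text, so
// no escaping function is needed. The password is not sent to the database at all.
$stmt = $pdo->prepare('SELECT password FROM login WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() handles the salted, slow hash and compares in constant time.
// When no row matched, verify against a throwaway hash anyway so a failed login
// takes about the same time whether or not the username exists.
$storedHash = $row['password'] ?? password_hash('placeholder-only', PASSWORD_DEFAULT);
$ok = ($row !== false) && password_verify($password, $storedHash);

if ($ok) {
    session_regenerate_id(true); // fresh session id on login, so a pre-login id cannot be reused
    $_SESSION['loggedin'] = 1;
    $_SESSION['username'] = $username;
    header('Location: http://www.example.com/exampleAdmin/admin.php');
} else {
    header('Location: http://www.example.com/exampleAdmin/form.php?error=1');
}
exit();
```

With this version the safe() helper in config.php and the md5() call become unnecessary; existing rows would need their password column re-written with password_hash() on the user's next login.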
