Thread: Secure Enough?
#1 | 10-06-2006, 09:17 AM | WHT Addict | Join Date: Sep 2004 | Posts: 167
Secure Enough?
I created the below script and am curious if it is 'secure' enough to use for a login script on my site. I used ($_SESSION["user"]=='') in the second script because if I used (!isset($_SESSION["user"])) it would sometimes think that the blank session was a valid login. Any way I can prevent that?
Process Login
PHP Code:
<?php
// START SESSION
session_start();
include '../header.php';
$user=$_POST['user'];
$pass=$_POST['pass'];
$pass=md5($pass);
// CHECK IF USER EXISTS
$db = mysql_connect($db_host,$db_user,$db_pass);
mysql_select_db ($db_name) or die ("Cannot connect to database");
$query = "SELECT * FROM users WHERE user = '$user' AND pass = '$pass'";
$result = mysql_query($query);
$rf=mysql_fetch_array($result);
$status=$rf['status'];
$rows=mysql_num_rows($result);
if ($rows==0)
{
$message='Sorry, your username and/or password is incorrect. Please contact support.';
$_SESSION["user"]='';
}
elseif ($status=='inactive')
{
// GIVE THE BAD NEWS
$message='Sorry, your account is not active. Please contact support.';
$_SESSION["user"]='';
}
else
{
// SET SESSION VARIABLES
$_SESSION["user"]=$user;
header('Location: home/index.php');
}
?>
PHP Code:
<?php
session_start();
if ($_SESSION["user"]=='')
{
// NOT LOGGED IN - SEND TO LOGIN PAGE
header('Location: login.php');
}
?>
Last edited by MyFocal; 10-06-2006 at 09:21 AM.
Bobbie
Cornerstone IT
#2 | 10-06-2006, 10:27 AM | Web Hosting Master | Join Date: Mar 2006 | Posts: 984
File 1:
PHP Code:
<?php
// START SESSION
session_start();
define('ROOT_PATH', '../');
include (ROOT_PATH.'header.php');
// GUEST marks a session that is not logged in; the post assumes it is defined
// elsewhere (e.g. header.php), so fall back to an empty string if it is not
if (!defined('GUEST')) {
define('GUEST', '');
}
$user = (isset($_POST['user'])) ? (stripslashes(trim($_POST['user']))) : "";
$pass = (isset($_POST['pass'])) ? md5(trim($_POST['pass'])) : "";
// CHECK IF USER EXISTS
if (!empty($db)) {
unset($db);
}
$db = mysql_connect($db_host, $db_user, $db_pass);
mysql_select_db ($db_name, $db) or die ("Cannot connect to database");
$query = "SELECT * FROM users WHERE user = '" .mysql_real_escape_string($user)."' AND pass = '".mysql_real_escape_string($pass)."'";
$result = mysql_query($query);
if ($rf = mysql_fetch_array($result)) {
$status = (isset($rf)) ? trim($rf['status']) : "";
$rows = @mysql_num_rows($result);
}
if (empty($rows))
{
$message = 'Sorry, your username and/or password is incorrect. Please contact support.';
$_SESSION["user"] = GUEST;
echo htmlspecialchars(trim($message));
unset ($message);
}
// (the session keys are not set yet at this point of the login, so they cannot be checked here)
elseif ($status == 'inactive' || empty($user) || empty($pass))
{
// GIVE THE BAD NEWS
$message = 'Sorry, your account is not active. Please contact support.';
$_SESSION["user"] = GUEST;
echo htmlspecialchars(trim($message));
unset ($message);
}
else
{
// SET SESSION VARIABLES
if (!empty($user) && $user == $rf['user'] && !empty($pass) && $rf['pass'] == $pass) {
$_SESSION["user"] = $user;
$_SESSION["pass"] = $pass; // the check script below expects this key as well
header('Location: home/index.php');
exit; // stop output once the redirect header is sent
}
}
?>
PHP Code:
<?php
session_start();
if (empty($_SESSION['user']) || !isset($_SESSION['user']) || empty($_SESSION['pass']) || !isset($_SESSION['pass']))
{
// NOT LOGGED IN - SEND TO LOGIN PAGE
header('Location: login.php');
exit; // without this the protected page is still sent after the redirect header
}
?>
Another suggestion would be to consider expanding your $user and $pass variables in order to increase security during the check-up.
Other than that, I believe it's quite flexible for a startup script.
Last edited by horizon; 10-06-2006 at 10:41 AM.
#3 | 10-06-2006, 10:30 AM | Living the dream | Join Date: May 2005 | Location: Planet Earth | Posts: 813
First of all,
Your script isn't checking user input; you could be attacked with simple SQL injections.
$user and $pass should be taken care of.
You should use mysql_real_escape_string() or any other protection against special characters.
Other than that, I don't like to 'GRANT' access in the 'else' statement; you never know what your database could return you.
Also, I would personally prefer to start someone's session only if he's successfully logged in rather than setting him a blank username. But it may work as well..
Regards,
G
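The three points raised in this thread (no escaping of $user/$pass in the query, granting access in the catch-all else branch, and creating session state before a successful login) together with the isset-versus-=='' question from the first post, as an added example that is not code from any of the posters. It uses APIs PHP has offered since 5.5 (PDO prepared statements, password_hash/password_verify) instead of the mysql_* extension and md5 used above; the PDO handle, the `users` table with columns user, pass (a password_hash() string) and status, the value 'active' for a usable account, and the login.php page are assumptions.

```php
<?php
// Added example (not the thread's code): parameterized lookup, hash check in
// PHP, and session state created only on success. Assumed: a PDO handle, a
// `users` table with columns user, pass (password_hash() output) and status.
declare(strict_types=1);

// Replaces "SELECT * FROM users WHERE user = '$user' AND pass = '$pass'".
// Only the username reaches SQL, and only as a bound parameter, so quote or
// comment characters in the input are data, never part of the statement.
function authenticate(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare('SELECT user, pass, status FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run the hash check even for unknown users so a missing account and a wrong
    // password take about the same time (constructed dummy hash, computed once).
    static $dummyHash = null;
    $dummyHash ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    $hash = is_array($row) ? (string)$row['pass'] : $dummyHash;
    $verified = password_verify($pass, $hash);

    if (!is_array($row) || !$verified) {
        return null;
    }
    // Allow-list the status instead of denying only 'inactive': any other value
    // the database returns means no access (the point made in post #3).
    if ($row['status'] !== 'active') {
        return null;
    }
    return $row;
}

// Process Login (file 1). Session state for the user is created only on
// success, so the check script never sees a present-but-empty "user" key.
function processLogin(PDO $pdo, array $post): void
{
    session_start();
    $user = trim((string)($post['user'] ?? ''));
    $pass = (string)($post['pass'] ?? '');

    $account = ($user !== '' && $pass !== '') ? authenticate($pdo, $user, $pass) : null;
    if ($account === null) {
        session_unset();   // no leftover state from a failed attempt
        echo htmlspecialchars(
            'Sorry, your username and/or password is incorrect. Please contact support.',
            ENT_QUOTES,
            'UTF-8'
        );
        return;
    }

    session_regenerate_id(true);          // fresh id on login: defeats session fixation
    $_SESSION['user'] = $account['user']; // canonical name from the database, not the form
    $_SESSION['logged_in_at'] = time();
    header('Location: home/index.php');
    exit;                                 // header() alone does not stop the script
}

// Check script (file 2): include at the top of every protected page. A missing
// key and an empty string are both "not logged in", which answers the
// isset-versus-=='' question without storing a blank username.
function requireLogin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $user = $_SESSION['user'] ?? '';
    if (!is_string($user) || $user === '') {
        header('Location: login.php');
        exit;
    }
}

// Usage (assumed file layout):
//   process_login.php:  $pdo = new PDO($dsn, $dbUser, $dbPass,
//                           [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
//                       processLogin($pdo, $_POST);
//   home/index.php:     requireLogin();  // before any output is sent
```

The password never appears in the SQL string at all: the row is fetched by username and password_verify() does the comparison, so neither escaping nor the md5 column from the original scripts is needed. Both redirects are followed by exit, since header() only queues a response header and the rest of the page would otherwise still be sent to a client that ignores it.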
#4 | 10-06-2006, 10:38 AM | Web Hosting Master | Join Date: Mar 2006 | Posts: 984
Took care of some things above after I posted this the first time. Post has been modified.