Thread: Secure Enough?

  1. #1

    Secure Enough?

    I created the below script and am curious if it is 'secure' enough to use for a login script on my site. I used ($_SESSION["user"]=='') in the second script because if I used (!isset($_SESSION["user"])) it would sometimes think that the blank session was a valid login. Any way I can prevent that?

    Process Login
    PHP Code:
    <?php
    // START SESSION
    session_start();

    include '../header.php';

    $user = $_POST['user'];
    $pass = $_POST['pass'];
    $pass = md5($pass);

    // CHECK IF USER EXISTS
    $db = mysql_connect($db_host, $db_user, $db_pass);
    mysql_select_db($db_name) or die("Cannot connect to database");
    $query = "SELECT * FROM users WHERE user = '$user' AND pass = '$pass'";
    $result = mysql_query($query);
    $rf = mysql_fetch_array($result);
    $status = $rf['status'];
    $rows = mysql_num_rows($result);

    if ($rows == 0)
    {
        $message = 'Sorry, your username and/or password is incorrect.  Please contact support.';
        $_SESSION["user"] = '';
    }
    elseif ($status == 'inactive')
    {
        // GIVE THE BAD NEWS
        $message = 'Sorry, your account is not active.  Please contact support.';
        $_SESSION["user"] = '';
    }
    else
    {
        // SET SESSION VARIABLES
        $_SESSION["user"] = $user;
        header('Location: home/index.php');
    }
    ?>
    Check If User Is Logged In (ALL Protected Pages)
    PHP Code:
    <?php
    session_start();

    if ($_SESSION["user"] == '')
    {
        // NOT LOGGED IN - SEND TO LOGIN PAGE
        header('Location: login.php');
    }
    ?>
    Last edited by MyFocal; 10-06-2006 at 09:21 AM.

  2. #2
    File 1:

    PHP Code:
    <?php
    // START SESSION
    session_start();

    define('ROOT_PATH', '../');
    include (ROOT_PATH . 'header.php');

    $user = (isset($_POST['user'])) ? (stripslashes(trim($_POST['user']))) : "";
    $pass = (isset($_POST['pass'])) ? md5(trim($_POST['pass'])) : "";

    // CHECK IF USER EXISTS

    if (!empty($db)) {
        unset($db);
    }

    $db = mysql_connect($db_host, $db_user, $db_pass);
    mysql_select_db($db_name, $db) or die("Cannot connect to database");
    // Escape both values before they are placed into the query string
    $query = "SELECT * FROM users WHERE user = '" . mysql_real_escape_string($user) . "' AND pass = '" . mysql_real_escape_string($pass) . "'";
    $result = mysql_query($query);

    if ($rf = mysql_fetch_array($result)) {
        $status = (isset($rf)) ? trim($rf['status']) : "";
        $rows = @mysql_num_rows($result);
    }

    if (empty($rows))
    {
        $message = 'Sorry, your username and/or password is incorrect. Please contact support.';
        // GUEST is a constant defined elsewhere (see the note below the code)
        $_SESSION["user"] = GUEST;
        echo htmlspecialchars(trim($message));
        unset($message);
    }
    elseif ($status == 'inactive' || empty($user) || empty($pass) || !isset($_SESSION['user']) || !isset($_SESSION['pass']))
    {
        // GIVE THE BAD NEWS
        $message = 'Sorry, your account is not active. Please contact support.';
        $_SESSION["user"] = GUEST;
        echo htmlspecialchars(trim($message));
        unset($message);
    }
    else
    {
        // SET SESSION VARIABLES
        if (!empty($user) && $user == $rf['user'] && !empty($pass) && $rf['pass'] == $pass) {
            $_SESSION["user"] = $user;
            header('Location: home/index.php');
        }
    }
    ?>
    File 2:

    PHP Code:
    <?php
    session_start();

    if (empty($_SESSION['user']) || !isset($_SESSION['user']) || empty($_SESSION['pass']) || !isset($_SESSION['pass']))
    {
        // NOT LOGGED IN - SEND TO LOGIN PAGE
        header('Location: login.php');
    }
    ?>
    Then, create a define named GUEST and set its initial value to '-1' or something. Never leave $_SESSION['user'] empty in case it fails. Returning a negative value would be highly recommended.

    Another suggestion would be to consider expanding your $user and $pass variables in order to increase security during the check.

    Other than that, I believe it's quite flexible for a startup script.
    Last edited by horizon; 10-06-2006 at 10:41 AM.

  3. #3
    First of all,

    your script isn't checking user input; you could be attacked with simple SQL injections.

    $user and $pass should be taken care of.

    You should use mysql_real_escape_string() or any other protection against special characters.

    Other than that, I don't like to 'GRANT' access in the 'else' statement; you never know what your database could return you.

    Also, I would personally prefer to start someone's session only if he's successfully logged in rather than setting him a blank username. But it may work as well.

    Regards,

    G
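Pulling the thread's advice together (keep user input out of the SQL, never store an empty session marker, only mark the session after a successful check), here is an added example that is not any poster's code. It swaps the thread's mysql_* and md5() calls for PDO prepared statements and password_hash()/password_verify(), and assumes the $db_host, $db_user, $db_pass and $db_name variables from the thread's header.php and a users table whose pass column holds password_hash() output.

```php
<?php
// Added example, not any poster's code. Swaps the thread's mysql_* + md5()
// approach for PDO prepared statements and password_hash()/password_verify().
// Assumes $db_host, $db_user, $db_pass, $db_name come from header.php (as in
// the thread) and that users.pass holds password_hash() output, not md5 hex.
session_start();
include '../header.php';
// Returns null on success (session marker set), or an error message on failure.
function login(PDO $pdo, string $user, string $pass): ?string
{
    // The username is bound as data, so quotes in it cannot change the query.
    $stmt = $pdo->prepare('SELECT user, pass, status FROM users WHERE user = :user LIMIT 1');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One generic message for both "unknown user" and "wrong password".
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return 'Sorry, your username and/or password is incorrect. Please contact support.';
    }
    if ($row['status'] === 'inactive') {
        return 'Sorry, your account is not active. Please contact support.';
    }

    // Only now touch the session: new id (against fixation), then the marker.
    // Failed logins never write $_SESSION['user'], so isset() is reliable later.
    session_regenerate_id(true);
    $_SESSION['user'] = $row['user'];
    return null;
}

$user = isset($_POST['user']) ? trim((string) $_POST['user']) : '';
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';

$pdo = new PDO("mysql:host=$db_host;dbname=$db_name;charset=utf8mb4", $db_user, $db_pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$error = ($user === '' || $pass === '')
    ? 'Sorry, your username and/or password is incorrect. Please contact support.'
    : login($pdo, $user, $pass);
if ($error === null) {
    header('Location: home/index.php');
    exit; // without exit, the rest of the script still runs after the redirect
}
echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
// Protected pages (the thread's "File 2") then only need:
//   session_start();
//   if (!isset($_SESSION['user'])) { header('Location: login.php'); exit; }
```

Because a failed login never creates $_SESSION['user'], the isset() test the original poster wanted to use on protected pages no longer mistakes a blank session for a valid login.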

  4. #4
    Took care of some things above after I posted this the first time. Post has been modified.
