I have set up a login form and I'm not sure how secure it is. Is this the most secure way to do this, or is there something I can do better? The code is in the reply below.
@cjc1055 (author) Feb 02, 2007 — To clarify: what I'm trying to make sure of is that no one can view the pages past the login, because I am planning to house information past that login which I don't want anyone to be able to view other than registered users.
I am new to sessions, so I want to make sure this site isn't hackable and people won't be able to bypass the login.
@bokeh Feb 02, 2007 — It would be helpful if you posted your code if you are looking for security vulnerabilities, rather than expecting people to waste their time trying to hack the site.
@cjc1055 (author) Feb 02, 2007 — Sorry, didn't really think about that.
What I am using is a validation page that checks the MySQL database for the username entered and checks if the password matches. If it does:
[code=php]session_register('username');[/code]
Then every page that requires authentication uses:
[code=php]if (session_is_registered('username')) { /* show all page info */ } else { /* you must be logged in... etc. */ }[/code]
@cjc1055 (author) Feb 02, 2007 — And this is on top of every other page:
[code=php]<?php
session_start();
// session_is_registered() was deprecated in PHP 5.3 and removed in 5.4;
// isset($_SESSION[...]) is the equivalent check. The keys must be quoted
// strings: a bare username would be read as an undefined constant.
if (isset($_SESSION['username']) || isset($_SESSION['usernameadmin'])) {
    // show page
} else {
    echo "login failed";
}
?>[/code]
@NightShift58 Feb 03, 2007 — (1) To prevent SQL injection, do not use:[code=php] $sql = "SELECT * FROM logintable WHERE username = '". $_POST['username'] ."'"; [/code]Ensure that your POST variables are run through mysql_real_escape_string().
(2) It seems that the passwords in your table are stored in clear text. Not a good idea. You should encrypt them before you start sending them back and forth across the internet.
(3) Not a security issue, but after the query you are again checking if the user names match. It's a little redundant as you wouldn't have gotten this far if they didn't.
(4) You should limit your query to 1 row with "LIMIT 1". There should be not more than 1 user with that user name.
(5) You are using $sql for both the SQL statement string and the resource name. It's unusual but not dangerous.
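Pulling the thread's points together as an added example (this is not code from the original poster or from NightShift58's reply): the concatenated query quoted above beside a version that uses a parameterised query with LIMIT 1, stores and checks a password hash instead of clear text, and sets the session flag only after the check passes, plus the page guard that replaces session_is_registered('username'). Assumptions, not from the thread: a PDO connection, a column named `password_hash` in `logintable` (the thread only names the table and the `username` column), and an in-memory SQLite database so the demo runs stand-alone.

```php
<?php
// Added example, not the original poster's code. Assumes PDO with the pdo_sqlite
// extension and a `logintable` with columns `username` and `password_hash`
// (the hash column name is an assumption; the thread names only `logintable`
// and `username`).

// The vulnerable form quoted in the thread, kept for comparison. With the
// username "' OR '1'='1' -- " the text becomes:
//   SELECT * FROM logintable WHERE username = '' OR '1'='1' -- '
// i.e. the input rewrites the WHERE clause instead of being compared to it.
function buildVulnerableQuery(string $username): string
{
    return "SELECT * FROM logintable WHERE username = '" . $username . "'";
}

// Creating a user: only the hash is stored, never the password itself.
function createUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO logintable (username, password_hash) VALUES (:username, :hash)'
    );
    $stmt->execute([
        ':username' => $username,
        ':hash'     => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Hardened login: true and a populated $_SESSION on success, false otherwise.
function login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps the input out of the SQL text entirely, so quotes
    // in $username are just characters to compare. LIMIT 1 as suggested above.
    $stmt = $pdo->prepare(
        'SELECT username, password_hash FROM logintable WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks against password_hash() output (bcrypt by default).
    // Verifying a dummy hash when the user is unknown keeps the response time
    // similar for existing and non-existing usernames.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }

    // A fresh session id on login prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['username'] = $row['username'];
    return true;
}

// Guard for the top of every protected page; replaces session_is_registered('username').
function requireLogin(): void
{
    if (empty($_SESSION['username'])) {
        http_response_code(403);
        echo 'You must be logged in.';
        exit;
    }
}

// Constructed demonstration against an in-memory SQLite database.
session_start();
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE logintable (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
createUser($pdo, 'alice', 'correct horse battery staple');

echo buildVulnerableQuery("' OR '1'='1' -- "), PHP_EOL;            // the broken WHERE clause
var_dump(login($pdo, 'alice', 'wrong'));                          // wrong password
var_dump(login($pdo, "' OR '1'='1' -- ", 'anything'));            // injection attempt is a literal username
var_dump(login($pdo, 'alice', 'correct horse battery staple'));   // valid credentials
```

mysql_real_escape_string() as recommended in the thread does stop the quoted-string case, but it has to be applied to every interpolated value on every query and does nothing for an unquoted numeric parameter; a prepared statement removes the problem class rather than escaping around it. Storing a salted hash (which password_hash() does for you) rather than an encrypted password means a leaked table does not hand the attacker usable credentials, which is the concern behind point (2).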
@cjc1055 (author) Feb 03, 2007 — OK, I added this above the SQL statement: [code=php]$_POST['username'] = mysql_real_escape_string($_POST['username']); [/code]
I've also encrypted the passwords.
I also removed the second check if the usernames match.