ananaz Posted January 21, 2011

Hello, I want to know if my login php is secure or if it's easily hacked by anyone.

<?php
// $host, $username, $password, $db_name and $tbl_name are defined in an included config file (not shown)
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// Define $myusername and $mypassword
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];

// To protect against MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$gmtUnixTime = time();
$tUnixTime = $gmtUnixTime + 3600;
$sGMTMySqlString = gmdate("Y-m-d H:i:s", $tUnixTime);
// Parse the string into a new UNIX timestamp
$tParsedTime = strtotime($sGMTMySqlString . " GMT");

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);

// mysql_num_rows counts the matching table rows
$count = mysql_num_rows($result);

// If the result matched $myusername and $mypassword, there must be exactly 1 row
if ($count == 1) {
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    $sql = "UPDATE $tbl_name SET senast = '$sGMTMySqlString' WHERE username = '$myusername'";
    mysql_query($sql) or die(mysql_error());
    $_SESSION['user'] = "$myusername";
    $_SESSION['senastlog'] = "$sGMTMySqlString";
    header("location:index.php");
} else {
    header("location:failed.php");
}
ob_end_flush();
?>
beegro Posted January 21, 2011

In terms of security you're doing 2 less-than-secure things here.

- storing a user's password in plain text in the database
- storing the user's password in the session

Is there a reason you'd need the password again later in the session and not just for comparison at login? Also, if someone, including other developers, gets into the database and can see all the users' individual passwords then their accounts are compromised. It's simply bad practice to store passwords in plain text.
BlueSkyIS Posted January 21, 2011

session_register() is deprecated. Use $_SESSION['somevalue'], but I don't know why you'd want session_register("myusername") or session_register("mypassword") anyway, so delete those lines. ob_end_flush() seems pointless, so I would remove it and add exit() after each header() call.
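As an added example (not code from the original poster or from either reply), the following rewrites the login flow along the lines of beegro's and BlueSkyIS's points: the password is stored and checked only as a hash (the modern password_hash()/password_verify() API), user input is bound through a prepared statement instead of being escaped into the query string, only the username goes into $_SESSION, and every header() redirect is followed by exit(). It assumes a table named users with columns username, password_hash and senast, and that $host, $db_name, $username and $password come from an included config file, as in the original post.

```php
<?php
// Added example: hardened login script. Assumes a `users` table with
// columns username, password_hash, senast (assumption, not the OP's schema)
// and that $host, $db_name, $username, $password are defined in config.php.
require 'config.php';

session_start();

$pdo = new PDO(
    "mysql:host=$host;dbname=$db_name;charset=utf8mb4",
    $username,
    $password,
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
    ]
);

$myusername = $_POST['myusername'] ?? '';
$mypassword = $_POST['mypassword'] ?? '';

// At registration time the stored value would be created like this, never the raw password:
//   $hash = password_hash($plaintext, PASSWORD_DEFAULT);

// Prepared statement: the username is bound as a parameter, not concatenated into SQL,
// so stripslashes()/mysql_real_escape_string() are no longer needed.
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
$stmt->execute([':u' => $myusername]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify against a dummy hash when the user does not exist so that the
// response time does not reveal whether the username is valid.
$storedHash = $row['password_hash'] ?? password_hash('dummy-value', PASSWORD_DEFAULT);
$ok = ($row !== false) && password_verify($mypassword, $storedHash);

if ($ok) {
    session_regenerate_id(true);             // new session id after authentication
    $_SESSION['user']      = $myusername;    // only the identity, never the password
    $_SESSION['senastlog'] = gmdate('Y-m-d H:i:s');

    // Record last login in UTC on the server side instead of adding 3600 to time().
    $upd = $pdo->prepare('UPDATE users SET senast = UTC_TIMESTAMP() WHERE username = :u');
    $upd->execute([':u' => $myusername]);

    header('Location: index.php');
    exit();                                  // nothing after a redirect should keep running
}

header('Location: failed.php');
exit();
```

Because the query takes the username as a bound parameter and compares the password only through password_verify(), the database never holds a recoverable password and a leaked dump does not directly compromise accounts; the exit() calls make sure the page body is not executed for an unauthenticated request after the redirect header has been sent.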
Pikachu2000 Posted January 21, 2011

That code is easily recognizable as being from a tutorial on phpeasystep.com. Their tutorials are largely obsolete, and shouldn't be followed (unless you're still using php4, LOL).