
Login secure help


ananaz


Hello, I want to know if my login php is secure or if it's easily hacked by anyone.


<?php
// session_start() is needed before $_SESSION is used; ob_start() pairs with ob_end_flush() below
session_start();
ob_start();

mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// Define $myusername and $mypassword
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// Current time shifted by one hour (GMT+1), formatted for MySQL
$gmtUnixTime = time();
$tUnixTime = $gmtUnixTime + 3600;
$sGMTMySqlString = gmdate("Y-m-d H:i:s", $tUnixTime);

// Parse the string back into a UNIX timestamp (not used further down)
$tParsedTime = strtotime($sGMTMySqlString . " GMT");

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);

// mysql_num_rows counts the matching table rows
$count = mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if ($count == 1) {
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");

    // Record the time of this login
    $sql = "UPDATE $tbl_name SET senast = '$sGMTMySqlString' WHERE username = '$myusername'";
    mysql_query($sql) or die(mysql_error());

    $_SESSION['user'] = "$myusername";
    $_SESSION['senastlog'] = "$sGMTMySqlString";
    header("location:index.php");
}
else {
    header("location:failed.php");
}

ob_end_flush();
?>


In terms of security you're doing 2 less-than-secure things here.

1. storing a user's password in plain text in the database
2. storing the user's password in the session

Is there a reason you'd need the password again later in the session and not just for comparison at login? Also, if someone, including other developers, gets into the database and can see all the users' individual passwords then their accounts are compromised. It's simply bad practice to store passwords in plain text.


session_register() is deprecated. Use $_SESSION['somevalue'].

But I don't know why you'd want session_register("myusername") or session_register("mypassword") anyway, so delete those lines.

ob_end_flush() seems pointless, so I would remove it and add exit() after each header() call.
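A hardened version of the login from the first post, written as an added example for this thread (it is not the poster's code and not from any library). It follows both replies above: the plain-text password never reaches the database or the session (only a password_hash() digest is stored and compared with password_verify()), PDO prepared statements replace mysql_real_escape_string(), the session id is regenerated on login, and the script exits after each header() redirect. The DSN, database credentials and the column name password_hash are assumptions; the columns username and senast and the form field names myusername/mypassword come from the thread. It needs PHP 5.5 or later for password_hash(); the mysql_* functions in the original were removed in PHP 7.

```php
<?php
// Added example, not the poster's code. Assumes a MySQL table `users` with
// columns `username`, `password_hash` (assumed name) and `senast` (from the thread).
declare(strict_types=1);

session_start();

// PDO connection; DSN and credentials are placeholders for this example.
$pdo = new PDO(
    'mysql:host=localhost;dbname=mydb;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]
);

// A real hash to verify against when the username does not exist, so a
// failed login takes about the same time whether or not the user is known.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

// Registration: store only the hash; the plain-text password is discarded.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: look the row up by username only, then compare with password_verify().
// Returns true on success; the session then holds the username, never the password.
function loginUser(PDO $pdo, string $username, string $password, string $dummyHash): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);            // bound parameter, no escaping needed
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $storedHash = ($row !== false) ? $row['password_hash'] : $dummyHash;

    if ($row === false || !password_verify($password, $storedHash)) {
        return false;
    }

    // Re-hash transparently if the default algorithm or cost has been raised since.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }

    // Record the login time (UTC) in the same `senast` column the original used.
    $upd = $pdo->prepare('UPDATE users SET senast = UTC_TIMESTAMP() WHERE username = ?');
    $upd->execute([$username]);

    // New session id on privilege change prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

// Request handling, using the same form field names as the original script.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['myusername'] ?? '');
    $password = (string) ($_POST['mypassword'] ?? '');

    if (loginUser($pdo, $username, $password, $dummyHash)) {
        header('Location: index.php');
    } else {
        header('Location: failed.php');
    }
    exit();   // stop here: nothing after a redirect should keep running
}
```

Because the comparison happens in PHP with password_verify() rather than in the WHERE clause, the query no longer has to carry the password at all, and the hash column is the only thing an attacker would get from a database leak.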
