Secure Login script?

Discussion in 'PHP' started by Jaxo, Nov 13, 2010.

  1. #1
    Hey DigitalPoint,

    I was wondering if this login PHP & MySQL script is safe and secure. Any improvements are definitely welcome!


    I've commented the code a lot to try to help some of you guys to see what I'm doing, because it's a big script and it's easy to get lost :p

    <?php
    $con = mysql_connect("DB_LOCATION(server)","DB_USERNAME","DB_PASSWORD"); //Connects to the database (moved up: the hack attempt catcher below runs queries, so the connection has to exist before it)
    if (!$con) //If it couldn't connect, display an error message and stop displaying the page (that is what die() does)
      {
      die('Could not connect: ' . mysql_error());
      }
    mysql_select_db("DB_NAME", $con); //selects the database
    
    $eUsername = isset($_POST['username']) ? $_POST['username'] : ''; //Entered username for the form (empty when the form hasn't been submitted yet)
    $ePassword = isset($_POST['password']) ? $_POST['password'] : ''; //Entered password for the form
    $ePassword = hash('ripemd160',$ePassword); //Hashes the password (encrypts) for a safe login.
    $loggedIn = isset($_COOKIE['loggedIn']) ? $_COOKIE['loggedIn'] : ''; //"true" once the user has logged in, empty otherwise
    
    ////Below is the hack attempt catcher, do not remove
    $logUsername = isset($_COOKIE['logUsername']) ? $_COOKIE['logUsername'] : ''; //set a variable to the cookie
    $logPassword = isset($_COOKIE['logPassword']) ? $_COOKIE['logPassword'] : ''; //...same as above...
    $logPasswordHASH = hash('ripemd160',$logPassword); //hash the password using a hash algorithm ripemd160 (just an example, please change it if you want)
    $realUsername = mysql_fetch_array(mysql_query("SELECT username FROM $DBmemberTable WHERE password = '$logPasswordHASH'")); //The real username to what the password's username is linked to ($DBmemberTable, $siteName and $curURL come from the config included before this script)
    $realUsername = $realUsername ? $realUsername[0] : ''; //Array sets to the first value, which is the username (empty if no row matched)
    $realPassword = mysql_fetch_array(mysql_query("SELECT password FROM $DBmemberTable WHERE username = '$logUsername'"));//same thing (the cookie value is put into the query as-is)
    $realPassword = $realPassword ? $realPassword[0] : '';//same thing
    if ($logUsername!=$realUsername&&$logPassword!=$realPassword&&$loggedIn=="false") {//if something doesn't match up correctly... (note: all three conditions must hold, and nothing in this script ever sets loggedIn to "false")
        exit("</div><p class='forbox' type='lock'>A hacking attempt has been detected.  You have been locked out of $siteName.  If you reset what you have done, you will be allowed back in.  If this is some sort of error, please contact an administrator.</p>");
    }//stop the rest of the page from loading and kick the user out with a message.
    ////End HAC
    
    if (isset($_GET['lo']) && $_GET['lo']=="true") { //If there is a ?lo=true in the URL (example: index.php?lo=true, do this (lo is log out))
      setcookie("loggedIn", "", time()-90000); //Deletes a cookie that you are logged in
      setcookie("logUsername", "", time()-90000); //Deletes a cookie of your username you are logged in as
      setcookie("logPassword", "", time()-90000); //Deletes a cookie of your password you are logged in as
      header("Location: index.php"); //Redirects you back to the home page
      exit; //stop here, otherwise the rest of the page still runs after the redirect header is sent
    }
    
    $result = mysql_query("SELECT * FROM `members` WHERE username = '$eUsername'"); //Sets the variable $result to a mysql query, getting the information of a user according to the user set with $eUsername (the form value is put into the query as-is)
    
    while($row = mysql_fetch_array($result)) //Here we turn that information so it is readable by PHP (it is an array)
      {
        if ($ePassword===$row['password']) { //If the entered password is the real password for the username entered... (=== compares the two hashes as strings, not as numbers)
          setcookie("loggedIn", "true", time()+90000); //Set the cookies as above
          setcookie("logUsername", "$eUsername", time()+90000);
          setcookie("logPassword", "$ePassword", time()+90000);
          $threadID = isset($_GET['threadID']) ? $_GET['threadID'] : '';
          $cID = isset($_GET['cID']) ? $_GET['cID'] : '';
          header("Location: $curURL?threadID=".$threadID."&cID=".$cID); //redirect you...
          echo "Password is correct, logging in...";
          exit; //nothing after the redirect should run
        }
        else {
          $welcomeMSG = "<span class='usermessage'>Incorrect username/password.  Please try again.</span>"; //if it isn't correct, say that the password/username was incorrect.
        }
      }
    if ($loggedIn=="true") {  //If the loggedIn cookie is true, give them information such as to log out ($welcomeMSG is echoed later by the page)
       $welcomeMSG = "<div class='usermessage'>Welcome, <b>".$_COOKIE['logUsername']."!</b> <a href='?lo=true'>Log out?</a>\n<div style='text-align:right;border-top:1px solid #999999;margin-top:5px;'>\n<a href='profile.php'>User Profile</a>\n</div>\n</div>\n\n";
    }
    else { //if a user is not logged in, display this login form, as you can see the form points to this file, with a URL parameter to say to log in
    $loginForm = <<<LoginForm
    <h4 style='padding-bottom:5px;margin-bottom:10px;border-bottom:1px solid #bfbfbf;text-align:right;'>Login | <a href="register.php">Register</a></h4>
    <form action="" method="post">
    <label for='username'>Username:</label> <input id='username' type="text" name="username" />
    <label for='pass'>Password:</label> <input id='pass' type="password" name="password" />
    <input type="submit" value="Login" />
    </form>
    LoginForm;
    }
    
    if (isset($_GET['debugmode']) && $_GET['debugmode']=="true") {  //Little debug thing I put in in case something goes wrong, simply enter index.php?debugmode=true and it will echo out all the stored cookies, but remember the password will be something weird like b22871b17gvc3uhfudn081nffj71h0, because it is hashed.
    print_r($_COOKIE);
    }
    mysql_close($con); //close the database connection
    ?>
    
    Thanks! Much appreciated :)

    EDIT - The script works, because the script goes before anything else on the page (it has header calls).
     
    Jaxo, Nov 13, 2010 IP
  2. tnd8

    #2
    Some ideas ^__^

    1. Prevent login flooding in some way, like: captcha, secure id or checking the referer.

    2. I don't think saving the password hash in a cookie is a good idea :)

    3. When the client does not accept cookies ;), then ... ???

    good luck ^__^
     
    tnd8, Nov 14, 2010 IP
  3. Jaxo

    #3
    Thanks for your reply, tnd8!

    However, don't many login scripts use cookies? How else would you 'remember' somebody? By using their IP address, but that would only work if they are on a static network.
     
    Jaxo, Nov 14, 2010 IP
  4. tnd8

    #4
    You can use sessions, a database or a mixed solution :)
     
    tnd8, Nov 14, 2010 IP
  5. Jaxo

    #5
    Sessions would delete themselves, which would be no good if the user closed the browser. Databases - maybe, but I don't really want to store a simple 'true' 'false' variable in a table, but it is definitely possible.
     
    Jaxo, Nov 14, 2010 IP
  6. Dreads

    #6
    I would add a salt with the password.
    Overall how long have you been doing PHP? (Just curious)
     
    Dreads, Nov 14, 2010 IP
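    The "mix" of sessions and a database that tnd8 suggests, with the salted hashing Dreads mentions, as an added example that is not part of this thread or Jaxo's script: the user stays logged in after closing the browser, but the cookie only ever holds a random token, never the password or its hash. It assumes a PDO connection $db and two tables, members(id, username, password_hash) and remember_tokens(selector, validator_hash, member_id, expires); the function names login, issueRememberToken and resumeFromCookie are made up for this example.

```php
<?php
// Added example, not Jaxo's script: session + database "remember me" login.
// Assumed (not created here): a PDO connection $db and the tables
//   members(id, username, password_hash)  -- stored with password_hash($pw, PASSWORD_DEFAULT), salt included
//   remember_tokens(selector, validator_hash, member_id, expires)
session_start();

function login(PDO $db, string $username, string $password, bool $remember): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);                 // bound parameter, never interpolated into SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify reads the per-user salt out of the stored hash string
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);                 // fresh session id once the user is authenticated
    $_SESSION['member_id'] = (int) $row['id'];
    if ($remember) {
        issueRememberToken($db, (int) $row['id']);
    }
    return true;
}

function issueRememberToken(PDO $db, int $memberId): void {
    $selector  = bin2hex(random_bytes(8));       // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));      // secret, stored only as a hash
    $expires   = time() + 30 * 86400;
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, member_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $memberId, $expires]);
    // The cookie carries a random token, not the password or its hash; Secure + HttpOnly
    setcookie('remember', "$selector:$validator", $expires, '/', '', true, true);
}

function resumeFromCookie(PDO $db): bool {
    if (isset($_SESSION['member_id'])) return true;
    if (empty($_COOKIE['remember']) || substr_count($_COOKIE['remember'], ':') !== 1) return false;
    [$selector, $validator] = explode(':', $_COOKIE['remember']);
    $stmt = $db->prepare('SELECT member_id, validator_hash FROM remember_tokens WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Constant-time compare; a valid selector with the wrong validator is rejected
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) return false;
    session_regenerate_id(true);
    $_SESSION['member_id'] = (int) $row['member_id'];
    return true;
}
```

    Logging out should clear the session and delete the token row for that selector, so a copied cookie stops working at the same moment.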
  7. Jaxo

    #7
    About a year, why? Does it show? :\

    By the way I'm 14 years old. Never took any real programming school courses.
     
    Jaxo, Nov 15, 2010 IP