I need to make an administrator-only area for a website, so I'll need a login script to do so. Because only a pair of username & password is needed, I don't want to use MySQL, and I found this script (I have modified it so it can be understood more easily).

    <?php
    session_start();
    session_register("login_session"); // deprecated, removed in PHP 5.4; writing to $_SESSION below is enough
    $usr = 'jack123';
    $pwd = 'j0h4h7';
    // isset() avoids undefined-index notices; === avoids loose-comparison surprises
    if (isset($_POST["Username"], $_POST["Password"])
        && $_POST["Username"] === $usr && $_POST["Password"] === $pwd) {
        $_SESSION["login_session"] = true;
        header("Location: admin_area.php");
        exit; // stop the script after the redirect header
    }
    ?>

But I'm a newbie and I'm not sure if this script is secure enough. Any suggestion will be appreciated.
Assuming you have sufficient checking in admin_area.php, that should suffice. (Although you've used incorrect apostrophes on line 3.) And change the password now; it's not so secure if you post it.
Even for something as simple as this, it is a good idea to keep code and any constant parameters separate... so I suggest doing the following: Create a new PHP file called, for example, admin.php and put the following in it:

    <?php
    // Constant parameters live here, apart from the code that uses them.
    define('ADMIN_USER_ID', 'jack123');
    define('ADMIN_PASS', 'j0h4h7');
    ?>

Replace your code with the following:

    <?php
    include('admin.php');
    session_start();
    session_register("login_session"); // deprecated, removed in PHP 5.4; writing to $_SESSION below is enough
    if (isset($_POST["Username"], $_POST["Password"])
        && $_POST["Username"] === ADMIN_USER_ID && $_POST["Password"] === ADMIN_PASS) {
        $_SESSION["login_session"] = true;
        header("Location: admin_area.php");
        exit; // stop the script after the redirect header
    }
    ?>
In the name of Allah. Hi, for security, convert the password to `md5`, and when you check the password in the script, use md5. This way only you have the password, and if a person looks at your script they cannot see your password.
This is just the login script. It has nothing to do with security; I mean, if you want it to be secure you could try to protect your login script file with an htaccess password file (htpasswd, if I remember correctly). A section of your website will become secure only if you include a secure.php file at the start of every PHP file which contains important data or which contains administrative actions over that section. The secure.php file should check each time whether the user is logged in and whether they are correctly logged in. And yes, as hosseintdk775 told you, you should definitely encrypt your password in the strongest possible way (something like md5(md5(base64_encode(sha1('password'))))).
@forkaya: Thanks, but they're separated already. As I said, "I have modified the code so it can be understood more easily". @hosseintdk775: That's a great idea! I'll do so. @SEOAnalytic.com: May I ask what you meant? Did you mean the login script should be protected so only other *.php files on the server can call it?
I don't know why, just that it is in the process of being removed and PHP.net says "highly discouraged from use". The other way is easier anyway.
Essalam Alykom, Hi Friends. So I advise you to use an .htaccess file to protect the admin dir and put all files for the administrator in this protected dir; this is the secure way. If you use your code to protect files, some programmer can access your files, I mean the admin files, by getting the full path to the files or by changing a simple cookie entry if you use cookies... If you want more information about .htaccess protection, we're here. Regards, Mohammed al Amin.
1. No cookie is used here.
2. But what can they do even if they are able to get the path of the files? The files should only open when users have logged in, right? (I only put the login script here; the session checker is not included.)
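An added example (not code from the thread) of the secure.php session checker that the replies above describe, alongside a matching login check. It assumes the file names admin.php, login.php and the session key login_session from the thread; it stores a password_hash() result in place of the plaintext (a swap for the md5 suggestion above, since md5 is fast and unsalted), and the hash value shown is a constructed placeholder.

```php
<?php
// Three parts that would normally live in the three files named in the
// thread: admin.php (constants), login.php (the check) and secure.php
// (included first on every admin page). Shown in one file for reading.

// --- admin.php: credentials, kept apart from the code --------------------
// Generate the hash once with:
//   php -r 'echo password_hash("your-password", PASSWORD_DEFAULT), "\n";'
define('ADMIN_USER_ID', 'jack123');
define('ADMIN_PASS_HASH', '$2y$10$PLACEHOLDER_REPLACE_WITH_password_hash_OUTPUT');

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// --- login.php: called with the submitted form values --------------------
function admin_login(string $user, string $pass): bool
{
    ensure_session();
    // hash_equals() and password_verify() both compare in constant time,
    // so the response time does not leak how much of the input matched.
    $userOk = hash_equals(ADMIN_USER_ID, $user);
    $passOk = password_verify($pass, ADMIN_PASS_HASH);
    if (!($userOk && $passOk)) {
        return false;
    }
    session_regenerate_id(true);        // fresh session id on privilege change
    $_SESSION['login_session'] = true;
    return true;
}

// --- secure.php: include at the top of every admin page ------------------
function require_admin_login(): void
{
    ensure_session();
    if (empty($_SESSION['login_session'])) {
        header('Location: login.php');
        exit;                           // never fall through to page content
    }
}

// Form handling in login.php (constructed usage):
// if (admin_login($_POST['Username'] ?? '', $_POST['Password'] ?? '')) {
//     header('Location: admin_area.php');
//     exit;
// }
```

Because every admin page calls require_admin_login() before emitting anything, knowing a file's path gains a visitor nothing without a valid session.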