Hello, this is my login:

```php
<?php
session_start(); // $_SESSION is used below, so the session must be started first (may already happen in an include)

if (isset($_POST['email']) && isset($_POST['password'])) {
    // Verify
    $email    = mysql_real_escape_string($_POST['email']); // the real_ variant escapes according to the connection charset
    $password = md5($_POST['password']);

    $gUser = mysql_query("SELECT * FROM users WHERE email='" . $email . "' AND password='" . $password . "' LIMIT 1")
        or die(mysql_error());
    $verify = mysql_num_rows($gUser);

    if ($verify > 0) {
        $row = mysql_fetch_array($gUser);
        $_SESSION['Username'] = $email;
        $_SESSION['LoggedIn'] = 1;
        echo '<h2>Login Complete</h2><br><a href="user.php">Control panel</a><br /><br />';
    } else {
        echo '<h2>Login Failed</h2><p>Sorry, your login details are incorrect.</p><br /><br />';
    }
}
?>
```

And on the other pages I use this to check if the user is logged in:

```php
<?php if (!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username'])) { ?>
    <?= htmlspecialchars($_SESSION['Username'], ENT_QUOTES, 'UTF-8') ?><!-- escaped: the value came from a POST field -->
<?php } else { ?>
    Login
<?php } ?>
```
Here are some issues:

- No brute-force protection
- No salt for the password, just md5, which can easily be reverse-engineered with a dictionary (if an attacker gets your DB)
- No session hijacking/fixation protection

You could also add client-side JavaScript to md5 the password before it's sent to the server, just for protection against HTTP sniffing.
If you're truly worried about security, check out PHP-IDS: http://php-ids.org/ This is a very impressive project. I've used it with a couple of web stores for added security.

Cheers,
Jeff Walters
JJW Web Design
It's not related to his problem, though. PHP-IDS is supposed to protect from XSS and SQL injection. I would also consider something else for the password storage, like phpass (or, if you only use PHP 5, you can use something like Whirlpool, which is easier on the server).
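An added example, not code posted by anyone in this thread, that addresses the points raised in the two replies above together: per-user salted hashing (password_hash() with bcrypt, which embeds a random salt in the stored string), a failed-attempt lockout against brute force, prepared statements instead of string-built SQL, and session ID regeneration on login against fixation. The users table schema, the MAX_ATTEMPTS and LOCKOUT_SECONDS policy values, and the use of an in-memory SQLite database (so the file runs stand-alone from the command line) are all assumptions made for the example.

```php
<?php
// Added example (not the original poster's code). Assumptions: the users table
// below, PHP >= 5.5 for password_hash()/password_verify(), PDO with the sqlite
// driver, and a lockout policy of MAX_ATTEMPTS failures / LOCKOUT_SECONDS.
declare(strict_types=1);

const MAX_ATTEMPTS    = 5;    // assumed policy: lock the account after 5 failures
const LOCKOUT_SECONDS = 900;  // assumed policy: 15-minute lockout

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id              INTEGER PRIMARY KEY,
        email           TEXT    UNIQUE NOT NULL,
        password_hash   TEXT    NOT NULL,
        failed_attempts INTEGER NOT NULL DEFAULT 0,
        locked_until    INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

function register_user(PDO $db, string $email, string $password): void
{
    // password_hash() picks a random salt per call and stores it inside the hash string,
    // so two users with the same password get different hashes.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function start_authenticated_session(int $userId, string $email): void
{
    if (PHP_SAPI === 'cli') {
        return; // no HTTP session in the command-line demo
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session ID at the privilege change: a session ID an attacker
    // planted before login (fixation) is no longer valid afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['Username'] = $email;
    $_SESSION['LoggedIn'] = 1;
}

function attempt_login(PDO $db, string $email, string $password, int $now): bool
{
    // Prepared statement: the email is sent as a parameter, never spliced into SQL.
    $stmt = $db->prepare('SELECT id, password_hash, failed_attempts, locked_until
                          FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still do one bcrypt verification so the response time
        // does not reveal whether the email exists.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return false;
    }

    if ((int) $row['locked_until'] > $now) {
        return false; // locked out: do not even check the password
    }

    if (password_verify($password, $row['password_hash'])) {
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = 0 WHERE id = :id')
           ->execute([':id' => (int) $row['id']]);
        start_authenticated_session((int) $row['id'], $email);
        return true;
    }

    // Wrong password: count the failure and lock the account once the limit is hit.
    $failed = (int) $row['failed_attempts'] + 1;
    $locked = $failed >= MAX_ATTEMPTS ? $now + LOCKOUT_SECONDS : 0;
    $db->prepare('UPDATE users SET failed_attempts = :f, locked_until = :l WHERE id = :id')
       ->execute([':f' => $failed, ':l' => $locked, ':id' => (int) $row['id']]);
    return false;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo data: one user, one wrong guess, the right password, then a lockout.
    $db = open_db();
    register_user($db, 'alice@example.com', 'correct horse battery staple');
    $t = time();
    echo 'wrong password   : ', var_export(attempt_login($db, 'alice@example.com', 'wrong', $t), true), "\n";
    echo 'right password   : ', var_export(attempt_login($db, 'alice@example.com', 'correct horse battery staple', $t), true), "\n";
    for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
        attempt_login($db, 'alice@example.com', 'guess' . $i, $t);
    }
    echo 'right, but locked: ', var_export(attempt_login($db, 'alice@example.com', 'correct horse battery staple', $t), true), "\n";
}
```

Two caveats for anyone lifting this: a per-account lockout lets an attacker lock a victim out on purpose, so in production it is usually paired with per-IP rate limiting rather than used alone; and hashing the password in client-side JavaScript before sending it does not replace TLS, because whatever string the browser sends is then the credential and can be replayed by anyone who sniffs it.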
I wrote an article about this a while back. It applies to PHP data sanitization in general. Anytime you need to communicate with your database, you should always validate that the data type matches what was expected and clean the data for SQL injection prevention. There are special rules that apply when it comes to username/password combinations. Unfortunately, the common hashes (SHA-1 and MD5) have both been cracked/reverse-engineered at this point, so I agree the use of a unique salt for each user/password combination is a huge benefit.

Also, using an include for your login verification process is going to prove helpful; this way you can reuse the same code. Just make sure you exit after rendering the login information, as a simple redirect can be cancelled by a proxy or advanced browser tools.

```php
<?php
if ($password_success) {
    echo("Welcome back User!");
} else {
    header("Location: login_page.php"); // header() takes one "Name: value" string
    exit();
}
?>
```

Good luck!!
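An added example, not the poster's own code, of the two things this reply recommends: checking that the login fields have the expected type and shape before they reach the database, and a reusable guard, meant to live in an include such as auth.php, that redirects and then exits so a client that ignores the redirect still gets nothing. The LOGIN_PAGE constant, the auth.php filename and the length limits are assumptions; the session keys are the ones used in the original post.

```php
<?php
// Added example (not from the thread). Assumed: this lives in auth.php and every
// protected page does `require 'auth.php'; session_start(); require_login();`.
declare(strict_types=1);

const LOGIN_PAGE = '/login_page.php'; // assumed location of the login form

/**
 * Validate the POSTed login fields before any database access.
 * Returns ['email' => ..., 'password' => ...] or null when the input is not
 * what the form should have produced.
 */
function validate_login_input(array $post): ?array
{
    if (!isset($post['email'], $post['password'])) {
        return null;
    }
    // A request with email[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($post['email']) || !is_string($post['password'])) {
        return null;
    }
    $email = filter_var(trim($post['email']), FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        return null; // not an email address: an injection payload never gets this far
    }
    $password = $post['password'];
    // Upper bound is an assumption: it stops a multi-megabyte "password" from
    // costing a full bcrypt run; bcrypt only looks at the first 72 bytes anyway.
    if ($password === '' || strlen($password) > 1024) {
        return null;
    }
    return ['email' => $email, 'password' => $password];
}

function is_logged_in(): bool
{
    return !empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']);
}

/**
 * Call at the top of every protected page, after session_start().
 * header() only queues a response header; without exit() the rest of the page
 * would still execute and send the protected content to a client that ignores
 * the Location header (a proxy, curl, or browser dev tools).
 */
function require_login(): void
{
    if (is_logged_in()) {
        return;
    }
    header('Location: ' . LOGIN_PAGE, true, 303); // 303: always re-request with GET
    exit();
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: one valid, one injection attempt, one array, one missing field.
    $samples = [
        ['email' => 'alice@example.com',      'password' => 'hunter2'],
        ['email' => "x' OR 1=1 -- ",           'password' => 'a'],
        ['email' => ['not', 'a', 'string'],   'password' => 'a'],
        ['email' => 'bob@example.com'],
    ];
    foreach ($samples as $s) {
        var_export(validate_login_input($s));
        echo "\n";
    }
}
```

Validation here is in addition to, not instead of, prepared statements: the email check rejects malformed input early and gives the user a sensible error, while the parameterized query is what actually makes injection impossible for whatever does get through.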