Here is my header code:

```php
<?php
session_start();
include_once "config.php";

$final_report = ""; // initialised so the .= below has a string to append to

if (isset($_POST['login'])) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    $passmd   = md5($password);

    if ($username == NULL OR $password == NULL) {
        $final_report .= "Please complete both fields";
    } else {
        $check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
        if (mysql_num_rows($check_user_data) == 0) {
            $final_report .= "This username does not exist";
        } else {
            $check_user_data = mysql_query("SELECT * FROM `members` WHERE `username`='$username' and `password`='$passmd'") or die(mysql_error());
            if (mysql_num_rows($check_user_data) == 0) {
                $final_report .= "User Name / Password Doesnt Match";
            } else {
                $get_user_data = mysql_fetch_array($check_user_data);
                if ($get_user_data['password'] == md5($password)) {
                    $start_idsess   = $_SESSION['username'] = "" . $get_user_data['username'] . "";
                    $start_passsess = $_SESSION['password'] = "" . $get_user_data['password'] . "";
                    header("Location: members.php");
                    exit; // stop output after the redirect
                }
            }
        }
    }
}

if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
    header("Location: members.php");
    exit;
}
?>
<?php include("includes.php"); ?>
```

And this is the header of the logged-in pages:

```php
<?php
session_start();
include_once "config.php";
if (!isset($_SESSION['username']) || !isset($_SESSION['password'])) {
    header("Location: login.php");
    exit; // stop output after the redirect
}
?>
<?php include("includes.php"); ?>
```

The problem is that some attacker is getting into other users' accounts and harassing them, although he can't change those users' passwords/emails. Please suggest how I can prevent the attack. Thank you.
Better formatting = better answers

```php
<?php
session_start();
include_once "config.php";

$final_report = "";

if (isset($_POST['login'])) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    $passmd   = md5($password);

    if ($username == NULL OR $password == NULL) {
        $final_report .= "Please complete both fields";
    } else {
        $check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
        if (mysql_num_rows($check_user_data) == 0) {
            $final_report .= "This username does not exist";
        } else {
            $check_user_data = mysql_query("SELECT * FROM `members` WHERE `username`='$username' and `password`='$passmd'") or die(mysql_error());
            if (mysql_num_rows($check_user_data) == 0) {
                $final_report .= "User Name / Password Doesnt Match";
            } else {
                $get_user_data = mysql_fetch_array($check_user_data);
                if ($get_user_data['password'] == md5($password)) {
                    $start_idsess   = $_SESSION['username'] = "" . $get_user_data['username'] . "";
                    $start_passsess = $_SESSION['password'] = "" . $get_user_data['password'] . "";
                    header("Location: members.php");
                    exit;
                }
            }
        }
    }
}

if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
    header("Location: members.php");
    exit;
}
?>
<?php include("includes.php"); ?>
```

```php
<?php
session_start();
include_once "config.php";
if (!isset($_SESSION['username']) || !isset($_SESSION['password'])) {
    header("Location: login.php");
    exit;
}
?>
<?php include("includes.php"); ?>
```
You are not checking user input; at least escape any bad characters:

```php
$username = mysql_real_escape_string(trim($_POST['username']));
$password = mysql_real_escape_string(trim($_POST['password']));
```
SQL Injection Attack. Look at:

```php
$username = trim($_POST['username']);
...
$check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
```

You are injecting RAW user input (`$username`) into an SQL statement. What if the user entered the following username:

```
'; DELETE FROM Members;--
```

Your SQL code that would be executed would be the following:

```php
$check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = ''; DELETE FROM Members;--'") or die(mysql_error());
```

Which would wipe out your entire Members table. Personally I would use PDO, where you can utilize prepared statements and placeholders.
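What that lookup looks like with PDO prepared statements, as an added example that is not code from any poster in this thread: the username is bound as a parameter rather than interpolated into the query string, and the password is checked with password_verify() against a password_hash() value instead of an unsalted MD5. Table and column names follow the thread (`members`, `id`, `username`, `password`); the DSN, the credentials and the switch to password_hash() are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from this thread. Table and column names follow the
// thread (`members`, `id`, `username`, `password`); the DSN, the credentials
// and the use of password_hash()/password_verify() are assumptions.

function db(): PDO
{
    // Assumed connection details; in practice these come from config.php.
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares, not client-side quoting
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * Returns the member row on success, null on failure.
 * The username travels as a bound parameter: an input such as
 * '; DELETE FROM Members;-- is compared as a literal string and never parsed as SQL.
 */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT `id`, `username`, `password` FROM `members` WHERE `username` = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();

    // Assumes `password` holds a password_hash() result rather than an unsalted md5().
    // One generic failure path: the response does not reveal whether the username exists.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

/** Store or rotate a password as a salted hash (registration, or migration off md5()). */
function storePassword(PDO $pdo, int $memberId, string $newPassword): void
{
    $stmt = $pdo->prepare('UPDATE `members` SET `password` = :hash WHERE `id` = :id');
    $stmt->execute([
        ':hash' => password_hash($newPassword, PASSWORD_DEFAULT),
        ':id'   => $memberId,
    ]);
}

$final_report = '';
if (isset($_POST['login'])) {
    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');

    if ($username === '' || $password === '') {
        $final_report = 'Please complete both fields';
    } elseif (($member = authenticate(db(), $username, $password)) === null) {
        $final_report = 'User Name / Password Doesnt Match';
    } else {
        session_start();
        session_regenerate_id(true);                  // fresh id once the user is authenticated
        $_SESSION['member_id'] = (int) $member['id']; // the id only, never the password hash
        header('Location: members.php');
        exit;                                         // stop output after the redirect
    }
}
```

The original code's second query (username AND md5 password) goes away: one parameterised lookup plus password_verify() covers both checks, and the same "does not match" message comes back whether the username or the password was wrong, so the login form no longer confirms which usernames exist.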
I create a login session like:

```php
$_SESSION['login'] = md5($row['id']);
```

and the header in the logged-in page:

```php
<?php
session_start();
include_once "config.php";
if (!isset($_SESSION['username']) || !isset($_SESSION['password']) || !isset($_SESSION['login'])) {
    header("Location: login.php");
    exit;
}
?>
<?php include("includes.php"); ?>
```

It works for me to prevent session stealing. And you should also prevent SQL Injection as NetStar said. Reference: http://phpsec.org/projects/guide/4.html And if I were you I would avoid the GET method at all costs, as an attacker can easily get your session id straight from the URL.
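An added example of the session side (not the poster's code, and not the OP's): session ids travel only in a cookie, ids the server did not issue are rejected, a new id is issued at login, only the member's id is kept in the session, and the members-only header exits after its redirect instead of letting the rest of the page render. The cookie settings, the idle limit and the function names are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);
// Added example, not code from this thread. Assumes the login code stores only
// the member's id after the password check; cookie settings, the idle limit and
// the function names are assumptions. Array-form session_set_cookie_params() needs PHP >= 7.3.

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before a forced re-login (assumed)

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1'); // no id in the URL, so links and referrers cannot leak it
    ini_set('session.use_strict_mode', '1');  // ids the server did not issue are rejected, not adopted
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call once, after the password has been verified. */
function loginSession(int $memberId): void
{
    startSecureSession();
    session_regenerate_id(true);          // an id fixed or captured before login is useless afterwards
    $_SESSION['member_id']   = $memberId; // the id only, never the password or its hash
    $_SESSION['last_active'] = time();
}

/** Header for members-only pages: returns the member id, or redirects to login.php. */
function requireLogin(): int
{
    startSecureSession();
    $idle = time() - (int) ($_SESSION['last_active'] ?? 0);
    if (!isset($_SESSION['member_id']) || $idle > SESSION_IDLE_LIMIT) {
        logoutSession();
        header('Location: login.php');
        exit; // without exit, the rest of the page is still sent to the client
    }
    $_SESSION['last_active'] = time();
    return (int) $_SESSION['member_id'];
}

/** Clear server-side state and expire the cookie. */
function logoutSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return;
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage (assumed page layout):
//   login.php, after a successful check:  loginSession((int) $member['id']); header('Location: members.php'); exit;
//   members.php, first line:              $memberId = requireLogin();
//   logout.php:                           startSecureSession(); logoutSession(); header('Location: login.php'); exit;
```

Keeping only the member id in `$_SESSION` means a leaked session file or dump exposes no credential material, and regenerating the id on login closes the fixation window where an id chosen before authentication stays valid after it.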
Thank you very much, everyone. I will take your suggestions and try them. Will let you know the progress. Thank you again.
OP, Google the term "PHP PDO". Read the tutorial and learn it. Here's the tutorial for it in the PHP docs: http://php.net/manual/en/book.pdo.php These answers in here are very helpful, but they may be a bit old, less secure and not as flexible as using these modern PHP libraries for dealing with MySQL, although they gave you what you asked for. Also, "cleaning" data manually can either leave room for careless mistakes or tampering with that data in ways you don't want to happen. "mysql_real_escape_string" is an old method for this and adds characters to your data (like slashes "\") which you don't want to have to deal with when extracting that data. Not as secure either.