PHP/MySQL login script strength. Good enough?

Hi everyone.
I had to build a login script to authenticate users because I couldn't find one out there that would tailor to my needs. It works great, but I just want to make sure it looks strong enough.

Pretty much, once a user is authenticated, it pulls further data based on the user that will be used for further security within the webpage (like a series of if statements). Depending on a person's department, security level, position etc., certain access or even menus will be available to the user. Like I said, it works wonderfully, but I just need to ensure the code is good:

[PHP]
<?php
session_start();

// Not logged in yet (or the session flag was never set): check the submitted credentials.
if (empty($_SESSION["logged_in"]) || $_SESSION["logged_in"] == "false") {

    $db = mysql_connect('localhost', 'user', 'pass') or die("Couldn't connect to the database.");
    mysql_select_db('networks') or die("Couldn't select the database");

    // escape the user name for the query; the password is replaced by its MD5 hex digest
    $_POST['user'] = addslashes($_POST['user']);
    $_POST['pass'] = md5($_POST['pass']);

    $result = mysql_query("SELECT count(id) FROM username WHERE password='{$_POST['pass']}' AND UID='{$_POST['user']}'") or die("Couldn't query the user-database.");
    $num = mysql_result($result, 0);

    if (!$num) {
        $_SESSION["logged_in"] = "false";
    } else {
        $_SESSION["logged_in"] = "true";
        $web_user = $_POST['user'];
        $web_pass = $_POST['pass'];
        $_SESSION["web_user"] = $_POST['user'];
        $_SESSION["web_pass"] = $_POST['pass'];

        // "remember me" flag submitted with the login form
        $remember_me = isset($_REQUEST['remember_me']) ? $_REQUEST['remember_me'] : "";
        if ($remember_me == "true") {
            $time_expire = time() + 5184000;   // 60 days
            setcookie("web_user", $_SESSION["web_user"], $time_expire);
            setcookie("uid_save", "true", $time_expire);
        } else {
            // expire any previously saved cookies
            setcookie("web_user", $_SESSION["web_user"], time() - 3600);
            setcookie("uid_save", "true", time() - 3600);
        }
    }

} else {
    $web_user = $_SESSION["web_user"];
    $web_pass = $_SESSION["web_pass"];
}

// logout flag submitted with the request
$logout = isset($_REQUEST['logout']) ? $_REQUEST['logout'] : "";
if ($logout == "true") {
    $_SESSION["logged_in"] = "false";
    $web_user = "";
    $web_pass = "";
    $logout = "done";
}

if ($_SESSION["logged_in"] == "true") {

    // config.inc / db.inc are expected to define $host, $usr, $pwd and the database name $db
    include 'includes/config.inc';
    include 'includes/db.inc';

    $cid = mysql_connect($host, $usr, $pwd);
    $SQL = "SELECT * FROM table WHERE UID = '$web_user' AND web_pass = '$web_pass'";
    $retid = mysql_db_query($db, $SQL, $cid);

    // copy the user's profile and permission fields into page variables
    while ($row = mysql_fetch_array($retid)) {
        $fname = $row["fname"];
        $position = $row["position"];
        $pname = $row["pname"];
        $email = $row["email"];
        $email_pass = $row["email_pass"];
        $homenum = $row["homenum"];
        $position_ab = $row["position_ab"];
        $class = $row["class"];
        $security = $row["security"];
    }

}
?>
[/PHP]

I also noticed that I need to change the db.inc to db.php because anyone surfing to http://site.com/inc/db.inc can see the SQL credentials... any comments on that one? heh.

Thanks for the help!
(this place is great!)
Nov 28 '06 #1
stewy
Bump....
Anyone? LOL
Nov 29 '06 #2
Hi everyone.
I had to build a login script to authenticate users because I couldn't find one out there that would tailor to my needs. It works great, but I just want to make sure it looks strong enough.
It looks good to me. Good to see you're storing password as MD5 hash instead of plain text.

I also noticed that I need to change the db.inc to db.php because anyone surfing to http://site.com/inc/db.inc can see the SQL credentials... any comments on that one? heh.
I'd put any file containing credentials outside the web root directory, so that the server simply can't serve it up. For example, if your Apache web root is /var/www/html/, I'd store all my credential includes (or any file that *should* be private) in /var/www/.
Nov 29 '06 #3
stewy
Thanks for the feedback. Much appreciated!

As for the credentials, I develop locally on Apache, but my company prefers having hosting. I have no access to anything below the http directory :(

Gonna be renaming some extensions for a little while. Heh.

Later!
Nov 30 '06 #4
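An added example (not from the thread) for the situation above, where the include files have to stay under the web root: an .htaccess file placed in the includes directory refuses to serve any .inc file. It assumes the host allows per-directory overrides (AllowOverride Limit, or AuthConfig for the 2.4 form).

```apache
# .htaccess in includes/ : never serve raw .inc files (credentials live here)
<FilesMatch "\.inc$">
    # Apache 2.2 syntax
    Order allow,deny
    Deny from all
    # Apache 2.4 equivalent: Require all denied
</FilesMatch>
```

Files included from PHP with include 'includes/db.inc' are still read from disk as before; only direct requests for them are blocked.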
steven
You shouldn't use md5.

You should use the crypt function of PHP, with the crypt type set to MD5, if that's what you wish. Using md5 like this makes passwords more easily decryptable. The crypt function is a one way crypt.

Here is how I handle sessions and auth.

[PHP]
// login and create session
private function login() {
    // look the user up by name; the stored password is a crypt() hash
    // (getValue('username') is interpolated into the SQL, so selectRow or getValue must escape it)
    $user = $this->db->selectRow("SELECT * FROM users WHERE username = '".getValue('username')."'");
    // re-hash the entered password with the stored hash as the salt and compare
    if ($user && crypt(getValue('passwd'), $user['password']) == $user['password']) {
        unset($user['password']);            // never keep the hash in the session
        $_SESSION['simple']['user'] = $user;
        header("Location: ".getValue('url'));
    } else {
        unset($user);
        header("Location: ".getValue('url'));
    }
}
[/PHP]
Notice how I use the password hash stored in the database as the salt for the checking against the entered one?

Check out the crypt function on http://php.net/
Nov 30 '06 #5
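As an added example (not the thread's or steven's code), here is the login pulled together with both points raised in the thread: the credential lookup from the first post done with a prepared statement instead of addslashes(), and steven's crypt() check that reuses the stored hash as the salt. It assumes PHP 7.1 or later, a mysqli connection in $db, session_start() already called, and a users table with id, username, password (crypt hash) and security columns.

```php
<?php
// Added example, not the thread's code. Assumed schema: users(id, username, password, security).

// Salted one-way hash for storage. The salt is embedded in the output, so a later
// check needs only the stored string (steven's crypt() point).
function make_password_hash(string $plain): string {
    // bcrypt salt: "$2y$" + cost + 22 chars from [./A-Za-z0-9]
    $salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($plain, $salt);
}

// Verify by re-hashing with the stored hash as the salt; compare in constant time.
// (password_hash()/password_verify(), PHP >= 5.5, wrap exactly this mechanism.)
function check_password(string $plain, string $stored): bool {
    return hash_equals($stored, crypt($plain, $stored));
}

function login(mysqli $db, string $username, string $plain): bool {
    // Parameterised query: the user name can never alter the SQL text,
    // which addslashes() on $_POST['user'] in the original did not guarantee.
    $stmt = $db->prepare('SELECT id, password, security FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash, $security);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !check_password($plain, $hash)) {
        return false;                    // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);         // fresh session id after login (blocks session fixation)
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = (int) $id;
    $_SESSION['security']  = $security;
    // Nothing password-related goes into the session or a cookie; later pages
    // look the user up by $_SESSION['user_id'] instead of re-sending web_pass.
    return true;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}
```

Two users who pick the same password get different stored hashes because each make_password_hash() call draws its own salt, which is what the plain md5() scheme in the first post lacks.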
