I am making a simple password script. I have a login page that asks the user for a login and a password. It sends the two values to the following application via post (instead of get). Here is the application:
[php]
<?php
// Credentials submitted by the login form (sent via POST)
$login = $_POST['login'];
$pass = $_POST['password'];

// The one hard-coded account this script accepts
$tlogin = "Xavier";
$tpass = "Anon537";

$authorize = false;
if ($login == $tlogin && $pass == $tpass) {
    $authorize = true;
}
else {
    $authorize = false;
}
?>
[/php]
Is this a secure procedure? Thanks for your help.
You are comparing $login to $tlogin, which in normal scripts you would get as a variable from a SQL database with a query. I have an example of what one would look like:
[php]
mysql_query("select clientdata.name from clients left join clientdata on clientdata.clientid=clients.clientid where clients.username like '$username' and clients.password='$md5p'")
[/php]
A way to secure this would be to encrypt the password if it's being passed to another page and compare it to an md5 hash in the database, then compare the string you get from $_POST['login']; then you can add if ($authorized) { code } to be granted access to the member area.
To secure $_POST data you can make a simple function to check it before passing it to MySQL. If you need an example of it I can post it.
If you don't like the way I mentioned above then I would suggest this:
[php]
<?php
// Remove slashes
$login = stripslashes($_POST['login']);
// Encrypt to md5 hash; alternatively you can use hash('md5', $pass)
$pass = md5($_POST['password']);
// Stored credentials: the password is kept only as its md5 hash
$tlogin = "Xavier";
$tpass = md5("Anon537");
// Default to not authorized so the variable is always defined
$authorize = false;
if ($tlogin == $login && $tpass == $pass) {
    $authorize = true;
}
if ($authorize) {
    // Code here
    echo("hi");
}
?>
[/php]
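As an added example (not part of the answer above or the asker's script), here is the same compare-then-authorize flow written with PHP's built-in password_hash()/password_verify() and constant-time comparison instead of md5 and ==; the stored hash and the hypothetical authenticate() helper are assumptions for illustration:

```php
<?php
// Added example: login check with a salted, slow password hash and strict
// comparisons. The hard-coded account mirrors the thread's "Xavier"/"Anon537".

// Stored credentials. In a real app the hash comes from the database and was
// produced once at registration; it is recomputed here only so the example
// is self-contained.
$tlogin = "Xavier";
$tpass_hash = password_hash("Anon537", PASSWORD_DEFAULT);

// Hypothetical helper: returns true only when both username and password match.
function authenticate(string $login, string $pass, string $tlogin, string $tpass_hash): bool
{
    // hash_equals() compares in constant time and never coerces types,
    // unlike == which applies PHP's loose comparison rules.
    $user_ok = hash_equals($tlogin, $login);
    // password_verify() reads the salt and cost parameters from the stored hash.
    $pass_ok = password_verify($pass, $tpass_hash);
    // Evaluate both checks so a wrong username and a wrong password take
    // similar time and return the same result.
    return $user_ok && $pass_ok;
}

// Read the form fields; default to empty strings so the checks always run.
$login = isset($_POST['login']) ? (string) $_POST['login'] : '';
$pass  = isset($_POST['password']) ? (string) $_POST['password'] : '';

$authorize = authenticate($login, $pass, $tlogin, $tpass_hash);

if ($authorize) {
    echo "hi";
    // If the stored hash uses an older algorithm or cost, rehash now and
    // persist the new value (persistence omitted here).
    if (password_needs_rehash($tpass_hash, PASSWORD_DEFAULT)) {
        $new_hash = password_hash($pass, PASSWORD_DEFAULT);
    }
} else {
    // Same message for a wrong username and a wrong password: don't reveal which.
    echo "login failed";
}
?>
```

Run from the command line $_POST is empty, so this prints "login failed"; post login=Xavier and password=Anon537 to it from the form to see the authorized branch.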