PHP/MySQL login script strength. Good enough?

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • stewy
    New Member
    • Nov 2006
    • 5
    #1

    PHP/MySQL login script strength. Good enough?

    Hi everyone.
    I had to build a login script to authenticate users because i couldn't find one out there that would tailor my needs. It works great, but i just want to make sure it looks strong enough.

    Pretty much, once a user is authenticated, it pulls further data based on the user that will be used for further security within the webpage (like a series of if statements). Depending on a persons department, security level, posistion etc, certain access or even menus will be available to the user. Like i said, it works wonderfully, but just need to ensure the code is good:

    [PHP]
    <?php
    session_start() ;
    if ($_SESSION["logged_in"] == "false" OR $_SESSION["logged_in"] == "") {

    $db = mysql_connect(' localhost', 'user', 'pass') or die("Couldn't connect to the database.");
    mysql_select_db ('networks') or die("Couldn't select the database");

    $_POST['user'] = addslashes($_PO ST['user']);
    $_POST['pass'] = md5($_POST['pass']);

    $result = mysql_query("SE LECT count(id) FROM username WHERE password='$_POS T[pass]' AND UID='$_POST[user]'") or die("Couldn't query the user-database.");
    $num = mysql_result($r esult, 0);

    if (!$num) {
    $_SESSION["logged_in"] = "false";
    } else {
    $_SESSION["logged_in"] = "true";
    $web_user = $_POST[user];
    $web_pass = $_POST[pass];
    $_SESSION["web_user"] = $_POST[user];
    $_SESSION["web_pass"] = $_POST[pass];

    if ($remember_me == "true") {
    $time_expire = time()+5184000;
    setcookie("web_ user", $_SESSION["web_user"], $time_expire);
    setcookie("uid_ save", "true", $time_expire);
    } else {
    setcookie("web_ user", $_SESSION["web_user"], time()-3600);
    setcookie("uid_ save", "true", time()-3600);

    }

    }

    } else {
    $web_user = $_SESSION["web_user"];
    $web_pass = $_SESSION["web_pass"];
    }
    if ($logout == "true") {
    $_SESSION["logged_in"] = "false";
    $web_user = "";
    $web_pass = "";
    $logout = "done";
    }

    if ($_SESSION["logged_in"] == "true") {

    include 'includes/config.inc';
    include 'includes/db.inc';

    $cid = mysql_connect($ host,$usr,$pwd) ;
    $SQL = " SELECT * FROM table WHERE UID = '$web_user' AND web_pass = '$web_pass' ";
    $retid = mysql_db_query( $db, $SQL, $cid);

    while ($row = mysql_fetch_arr ay($retid)) {
    $fname = $row["fname"];
    $position = $row["position"];
    $pname = $row["pname"];
    $email = $row["email"];
    $email_pass = $row["email_pass "];
    $homenum = $row["homenum"];
    $position = $row["position"];
    $position_ab = $row["position_a b"];
    $class = $row["class"];
    $security = $row["security"];

    }

    }

    ?>
    [/PHP]

    I also noticed that i need to change the db.inc to db.php cause anyone surfing to http://site.com/inc/db.inc can see the SQL credentials... any comments on that one? heh.

    Thanks for the help!
    (this place is great!)
    Tags: None
    • stewy
      New Member
      • Nov 2006
      • 5
      #2
      Bump....
      Anyone? LOL

        Comment

        • godrifle
          New Member
          • Nov 2006
          • 6
          #3
          Originally posted by stewy
          Hi everyone.
          I had to build a login script to authenticate users because i couldn't find one out there that would tailor my needs. It works great, but i just want to make sure it looks strong enough.
          It looks good to me. Good to see you're storing password as MD5 hash instead of plain text.

          Originally posted by stewy
          I also noticed that i need to change the db.inc to db.php cause anyone surfing to http://site.com/inc/db.inc can see the SQL credentials... any comments on that one? heh.
          I'd put any file containing credentials outside the web root directory, so that the server simply can't serve it up. For example, if your Apache web root is /var/www/html/, I'd store all my credential includes (or any file that *should* be private) in /var/www/.

            Comment

            • stewy
              New Member
              • Nov 2006
              • 5
              #4
              Thanks for the feedback. Much appreciated!

              As for the credentials, i develop locally on apache, but my company prefers having hosting. Have no access to anything below the http directory :(

              Gonna be renaming some extensions for a little while. Heh.

              Later!

                Comment

                • steven
                  New Member
                  • Sep 2006
                  • 143
                  #5
                  You shouldn't use md5.

                  You should use the crypt function of PHP, with the crypt type set to MD5, if that's what you wish. Using md5 like this makes passwords more easily decryptable. The crypt function is a one way crypt.

                  Here is how I handle sessions and auth.

                  Code:
                  // login and create session
  private function login() {
    $user = $this->db->selectRow("SELECT * FROM users WHERE username = '".getValue('username')."'");
    if ($user && crypt(getValue('passwd'), $user['password']) == $user['password']) {
      unset($user['password']);
      $_SESSION['simple']['user'] = $user;
      header("Location: ".getValue('url'));
    } else {
      unset($user);
      header("Location: ".getValue('url'));
    }
  }
                  Notice how I use the password hash stored in the database as the salt for the checking against the entered one?

                  Check out the crypt function on http://php.net/

                    Comment

                    Previous template Next
                    Working...