
login script


yoshida


Hey. I've been building this login script (adapted one from a tutorial to get it all in one file), here it is.

	if (isset($_POST['akkoord'])) {
		// Form was submitted: read the posted credentials.
		$logn = $_POST['logn'];
		$logp = $_POST['logp'];

		mysql_connect('localhost', $user, $password);
		mysql_select_db($database) or die("Unable to select database");

		// The posted values go into the SQL string unescaped.
		$query = "SELECT * FROM users WHERE unam = '$logn' AND pwrd = '$logp'";
		$result = mysql_query($query);
		$num = mysql_num_rows($result);

		mysql_close();

		if ($num == '1') {
			// Exactly one matching row: mark the session as logged in.
			$logid = '1';
			$_SESSION['logid'] = $logid;
			echo "You are logged on. <a href=index.php>HOME</a>";
		}
		else {
			echo "Sorry, you're not logged on. Please try again..";
		}
	}
	else {
		// Not submitted yet: show the form (Gebruikersnaam = username, Wachtwoord = password).
		echo "<form action=login.php method=post>";
		echo "<b>Gebruikersnaam<br><input type=text name=logn><br>Wachtwoord</b><br><input type=password name=logp><br>";
		echo "<input type=submit name=akkoord value=akkoord>";
		echo "</form>";
	}

What this does, basically, is check whether you clicked 'submit' (akkoord). If you didn't do it yet, it'll show you a form where you can enter your username and password. When you click submit the script will reload and check the database for a user with that password. When that's the case (mysql_num_rows=$result, $result being 1) a value will be loaded into a session. This is all incredibly unsafe of course. People can hack it by just reading the script and 'manufacture' a login. Does anyone know a safer way? Any recommendations? (can't wait to show you guys my eggshell script, and a working example... :)


It's not that insecure, they can't read your PHP code. The only thing that makes it insecure is that someone could write SQL code into the password field and log in as anyone they want. You should escape the values in the SQL query:

	$query = "SELECT * FROM users WHERE unam = '" . mysql_real_escape_string($logn) . "' AND pwrd = '" . mysql_real_escape_string($logp) . "'";

You also aren't keeping track of who is logged in. It might be more useful to store the login name in the session instead of just a value that tells whether or not they logged in.

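The reply above recommends escaping the values and keeping the login name in the session. As an added example that is not part of the thread, here is the same check done with PDO prepared statements and `password_hash()`/`password_verify()`, which goes one step further than escaping. The in-memory SQLite database, the sample user and the `check_login()` helper are assumptions made so the block runs on its own.

```php
<?php
// Added example: constructed schema and data, not the thread author's code.
// Assumes the pdo_sqlite extension; column names unam/pwrd follow the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (unam TEXT PRIMARY KEY, pwrd TEXT NOT NULL)');

// Store a salted hash, never the plain password.
$add = $db->prepare('INSERT INTO users (unam, pwrd) VALUES (?, ?)');
$add->execute(['moderator1', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: returns the login name on success, null otherwise.
 */
function check_login(PDO $db, string $logn, string $logp): ?string
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT unam, pwrd FROM users WHERE unam = ?');
    $stmt->execute([$logn]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user or hash mismatch: same answer for both.
    if ($row === false || !password_verify($logp, $row['pwrd'])) {
        return null;
    }
    return $row['unam'];
}

// Constructed inputs: a valid login, a wrong password, and a value
// containing quote characters, which the placeholder treats as plain data.
$attempts = [
    ['moderator1', 'correct horse'],
    ['moderator1', 'wrong'],
    ['moderator1', "' OR '1'='1"],
];
foreach ($attempts as [$logn, $logp]) {
    $who = check_login($db, $logn, $logp);
    if ($who !== null) {
        // In login.php: session_regenerate_id(true); $_SESSION['unam'] = $who;
        echo "accepted: $who\n";
    } else {
        echo "rejected\n";
    }
}
```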

or you can just do:

SELECT * FROM users WHERE unam = ' PASSWORD($logn)  ' AND pwrd = ' PASSWORD($logp) ';

sorry about it being in mysql format, wanted to try out the bbcode =]


Thank you very much. It's 'just' going to lock the content manager for my website, used by a few moderators. So if no one sees there is one, no one is trying to use it without logging in (at least that's my guess).


I guess letting the login script change the status from zero to one would be a good start... but that would require every user to log off before closing the browser window. (select * from users where login='1' order by 'logintime' asc) or something like that


I guess letting the login script change the status from zero to one would be a good start... but that would require every user to log off before closing the browser window. (select * from users where login='1' order by 'logintime' asc) or something like that

Yeah, and not only that, but I have it set to accept two week long cookies. So that might cause a problem. It would have to be based on who has a session open. Can you do that?

Nope, sorry. I hate cookies. As I said earlier/somewhere else I just use a login script to hide a content manager. The best I can do is create a logfile (if that) to keep track of who changed what when. Beyond that I'm lost. Shouldn't be too hard to figure it out tho... as long as you keep in mind what it should do and what in/outputs are available.
