guitar idiot Posted November 10, 2007 Share Posted November 10, 2007 <?phpsession_start(); if (isset($_GET ['logout'])) { $_SESSION = array(); if ($_COOKIE[session_name()]) { setcookie(session_name(), '', time()-42000, '/'); } session_destroy(); header('Location: index.php'); } $db_host = 'HIDDEN FOR THREAD'; $db_user = 'HIDDEN FOR THREAD'; $db_pass =''; $db_db = 'user'; if (isset($_POST['username'])) { $db_link = mysql_connect($db_host, $db_user, $db_pass) or die('MySQL Connection Error:' .mysql_error()); mysql_select_db($db_db) or die('Error'); $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']); $result = mysql_query("SELECT username, password FROM user WHERE username = '$username' AND password = '$password ' "); $query_row=mysql_fetch_array($result);$user = ($query_row[username]);$pass = ($query_row[password]);if($username=$user and $password=$pass) {$_SESSION['username'] = $username;echo 'Login Successful';} else {echo ' NOOO';}mysql_close($db_link);}?><html><head><title>Login</title></head> <body> <?php if(isset($_SESSION['username'])) { ?> You are now logged in <br /> <a href="?logout=1">Logout</a> <?php } else { ?> <form action="" method="post"> Username: <input type="text" name="username"> <br /><br /> Password: <input type="password" name="password"> <br /> <input type="submit" value="Login"><br /> <a href="register.php">New User</a> <?php } ?> <br /> <?php echo $_SESSION['error']; unset($_SESSION['error']);?> </form> </body></html>This is a simple user name password login, is there any more code I can make so that it has a good defense against hackers and whatnot? Link to comment Share on other sites More sharing options...
boen_robot Posted November 10, 2007 Share Posted November 10, 2007 I think the if($username=$user and $password=$pass) { should instead be if($username===$user and $password===$pass) { as the former just assigns $user to $username, and thus always evaluates to true (I once had this problem too).I don't see why you need the brackets in $user = ($query_row[username]);$pass = ($query_row[password]); You may as well just have $user = $query_row['username'];$pass = $query_row['password']; (note also the single quotes added so that to ensure the array fetches the string from the array, not a constant)As an additional security layer, you may want to hash passwords and compare the hashes instead of the inputted password by replacing $password = mysql_real_escape_string($_POST['password']); with $password = md5(mysql_real_escape_string($_POST['password'])); in which case however the user's password must be created as a hash from the start, and that's done in the registration form, not the login form. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.