Secure Php Login Script


vchris

I've been reading a couple of PHP login scripts. It seems like it's really easy to create security holes. I found this one (http://www.mtdev.com/2002/07/creating-a-se...hp-login-script) which seems pretty secure. I'm trying to implement it and it's pretty complex. I already have 2 classes in my application and it complicates things. I'm kinda new to classes as well. What kind of script do you use for secure login/session/cookies?


Here's a login by justsomeguy: click. For security I'm not seeing any, but I could be wrong. Try these:

mysql_real_escape_string() and stripslashes()

stripslashes un-quotes a quoted string; for more info go here. mysql_real_escape_string calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a; for more info go here. It is mainly used for the MySQL update and insert.
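The following is an added example, not code from the thread or from either poster, showing the hole the original post is worried about and what backslash escaping does and does not buy you. It runs offline against an in-memory SQLite database through PDO (pdo_sqlite); the users table and its one row are constructed test data, and addslashes() is used as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection.

```php
<?php
// Added example (not from the thread): string-built login query vs escaped
// query vs parameterised query, run against constructed test data in SQLite.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
// Constructed test row; the stored value is the sha1 the thread's scripts use.
$db->exec("INSERT INTO users (username, password) VALUES ('alice', '" . sha1('correct horse') . "')");

// 1. Query built by concatenation: whoever controls $user controls SQL syntax.
function login_concat(PDO $db, string $user, string $hash): bool
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$hash'";
    return $db->query($sql)->fetch() !== false;
}

// 2. Same query with the input backslash-escaped. addslashes() turns ' into \'
//    just as mysql_real_escape_string() does. That is MySQL syntax: SQLite does
//    not treat backslash as an escape, so the "escaped" quote still ends the
//    string literal and the rest of the payload runs as SQL.
function login_escaped(PDO $db, string $user, string $hash): bool
{
    $sql = "SELECT id FROM users WHERE username = '" . addslashes($user)
         . "' AND password = '" . addslashes($hash) . "'";
    return $db->query($sql)->fetch() !== false;
}

// 3. Parameterised query: the values travel separately from the SQL text, so a
//    quote inside $user can never change the statement, whatever the backend.
function login_prepared(PDO $db, string $user, string $hash): bool
{
    $stmt = $db->prepare("SELECT id FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $hash]);
    return $stmt->fetch() !== false;
}

$wrong   = sha1('not the password');
// Closes the literal, forces the WHERE clause true, comments out the password check.
$payload = "alice' OR 1=1 -- ";

printf("concat:   %s\n", login_concat($db, $payload, $wrong) ? 'logged in' : 'rejected');
printf("escaped:  %s\n", login_escaped($db, $payload, $wrong) ? 'logged in' : 'rejected');
printf("prepared: %s\n", login_prepared($db, $payload, $wrong) ? 'logged in' : 'rejected');
printf("prepared, real credentials: %s\n",
    login_prepared($db, 'alice', sha1('correct horse')) ? 'logged in' : 'rejected');
```

Against SQLite the first two functions both log the attacker in with a wrong password; only the prepared statement rejects the payload while still accepting alice's real credentials. Against MySQL, mysql_real_escape_string() with the connection's charset would have neutralised this particular payload, which is exactly why escaping has to know the dialect and charset and why a bound parameter is the fix that does not depend on them.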


Here's the session class I've been using lately:

<?php
class tc_lms_session
{
  public $userid = 0;
  public $username = '';
  public $fullname = '';
  private $password = '';
  public $userdata = false;
  public $error = '';
  public $error_field = '';
  public $admin = false;
  public $data = false;

  // Restores the logged-in user from $_SESSION; if a username and (hashed)
  // password are passed, logs in straight away.
  public function __construct($u = '', $p = '')
  {
    session_start();
    if (isset($_SESSION['userid']))
    {
      $this->userid = $_SESSION['userid'];
      $this->userdata = $_SESSION['userdata'];
      $this->username = $this->userdata['username'];
      $this->fullname = $this->userdata['fname'] . ' ' . $this->userdata['lname'];
      $this->admin = $this->userdata['admin'];
      if (isset($_SESSION['data']))
        $this->data = $_SESSION['data'];
      else
        $this->data = array();
    }
    if ($u != '')
    {
      $this->username = $u;
      $this->password = $p;
      $this->login();
    }
  }

  // $p is the password as stored in the users table (the caller hashes it).
  public function login($u = '', $p = '')
  {
    global $db;
    if ($u != '')
    {
      $this->username = $u;
      $this->password = $p;
    }
    $db->sql("SELECT * FROM users WHERE username = %s");
    $db->add_param($this->username);
    $result = $db->select();
    if (!$result)
    {
      $this->error_field = 'username';
      $this->error = 'The username was not found.';
      return false;
    }
    // Strict, constant-time comparison. A loose != would treat two different
    // hashes that both look like "0e123..." as equal numeric strings.
    if (!hash_equals((string) $result[0]['password'], (string) $this->password))
    {
      $this->error_field = 'password';
      $this->error = 'The password was not correct.';
      return false;
    }
    if ($result[0]['active'] == 0)
    {
      $this->error_field = 'username';
      $this->error = 'The user account is not active.';
      return false;
    }
    // Issue a new session ID on login so an ID the browser held before
    // authenticating cannot be reused by whoever planted it.
    session_regenerate_id(true);
    $now = time();
    $db->update('users', array('last_login' => $now, 'last_ip' => $_SERVER['REMOTE_ADDR']), "id={$result[0]['id']}");
    $result[0]['last_login'] = $now;
    $result[0]['last_ip'] = $_SERVER['REMOTE_ADDR'];
    $this->userid = $result[0]['id'];
    $this->fullname = $result[0]['fname'] . ' ' . $result[0]['lname'];
    $this->userdata = $result[0];
    $this->admin = $result[0]['admin'];
    $this->error = '';
    $this->error_field = '';
    $_SESSION['userid'] = $this->userid;
    $_SESSION['userdata'] = $this->userdata;
    if (isset($_SESSION['data']))
      $this->data = $_SESSION['data'];
    else
      $_SESSION['data'] = $this->data = array();
    return true;
  }

  // Clears the user from the object and from $_SESSION (the session itself stays open).
  public function logout()
  {
    $this->userid = 0;
    $this->userdata = false;
    $this->admin = false;
    if (isset($_SESSION['data'])) unset($_SESSION['data']);
    if (isset($_SESSION['userid'])) unset($_SESSION['userid']);
    if (isset($_SESSION['userdata'])) unset($_SESSION['userdata']);
  }

  // Updates matching properties and userdata fields from an associative array
  // and writes the new userdata back to the session.
  public function update($data)
  {
    foreach ($data as $k => $v)
    {
      if (isset($this->$k))
        $this->$k = $v;
      if (isset($this->userdata[$k]))
        $this->userdata[$k] = $v;
    }
    $this->fullname = $this->userdata['fname'] . ' ' . $this->userdata['lname'];
    $_SESSION['userdata'] = $this->userdata;
  }

  // Switches the session to the given user ID without a password check
  // (for use by already-authorised code, e.g. an admin tool).
  public function set_user($id)
  {
    global $db;

    unset($_SESSION['userid']);
    unset($_SESSION['userdata']);
    $this->userid = $id;
    $db->sql("SELECT * FROM users WHERE id = %d");
    $db->add_param($id, false);
    $result = $db->select();
    if (!$result)
    {
      $this->error_field = 'username';
      $this->error = 'The username was not found.';
      return false;
    }
    if ($result[0]['active'] == 0)
    {
      $this->error_field = 'username';
      $this->error = 'The user account is not active.';
      return false;
    }
    $this->userid = $result[0]['id'];
    $this->fullname = $result[0]['fname'] . ' ' . $result[0]['lname'];
    $this->userdata = $result[0];
    $this->admin = $result[0]['admin'];
    $this->error = '';
    $this->error_field = '';
    $_SESSION['userid'] = $this->userid;
    $_SESSION['userdata'] = $this->userdata;
    return true;
  }

  public function set_val($name, $val)
  {
    $_SESSION['data'][$name] = $this->data[$name] = $val;
  }

  public function get_val($name)
  {
    return (isset($this->data[$name]) ? $this->data[$name] : '');
  }

  // Redirects and appends SID, which expands to "PHPSESSID=..." only when the
  // client did not send the session cookie and is empty otherwise.
  public function redirect($url)
  {
    if (strpos($url, '?') === false)
      $url .= '?';
    else
      $url .= '&';
    $url .= SID;
    session_write_close();
    header('Location: ' . $url);
    exit();
  }
}
?>

You'll need to edit some things in order to use that, mostly the login and set_user methods, to do whatever you need to do during login. I've also got that using my database class, which you can replace with whatever other database code you want to use to do that part of it. I can give you the database class I'm using if you want to use that also.

The error and error_field properties hold the error message and which field it applies to. I use the error_field to know which field to highlight if an error happened (error_field corresponds to the ID of the form field). The data array holds all of the other session data you want to use, and the set_val and get_val methods are what use that.

Example:

<?php
# create session object
$sess = new tc_lms_session();

# do login (the class compares the stored value with what you pass, so hash here)
$success = $sess->login($_POST['username'], sha1($_POST['password']));

# check for errors
if (!$success)
{
  $error_msg = $sess->error;
  $error_field = $sess->error_field;
}

# set and return arbitrary data
$sess->set_val('some_session_data', 'some value');
echo $sess->get_val('some_session_data');

# update the user info
$new_data = array(
  'fname' => 'Joe',
  'lname' => 'Smith'
);
$sess->update($new_data);

# redirect and preserve the session (redirect() calls exit(), so nothing after it runs)
$sess->redirect('home.php');

# do logout
$sess->logout();
?>
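The class above leaves two things to its caller, and both are visible in the usage example: the password arrives as sha1($_POST['password']) and is compared as a string, and nothing sets the session cookie's flags. What follows is an added example, not the poster's code, of how a current PHP install (7.4 or later) would handle those two pieces: password_hash()/password_verify() for storage and checking, a dummy hash so an unknown username costs the same as a wrong password, and session settings that keep the ID out of URLs, reject IDs the server never issued, and regenerate the ID on login. The $users array, find_user(), check_login(), start_hardened_session() and login_user() are constructed stand-ins for the thread's users table and $db class.

```php
<?php
// Added example (not from the thread): password storage and session settings
// for a login like the one above. All names and data are constructed.
declare(strict_types=1);

// Stand-in for the users table: one row, password stored with password_hash()
// (salted bcrypt by default; the salt and cost are embedded in the string).
$users = [
    'alice' => [
        'id'       => 1,
        'password' => password_hash('correct horse', PASSWORD_DEFAULT),
        'active'   => 1,
    ],
];

function find_user(array $users, string $username): ?array
{
    return $users[$username] ?? null;
}

// Returns the user row on success, null on failure. Gives the same answer and
// does the same amount of work whether the username or the password was wrong,
// so the response does not reveal which accounts exist.
function check_login(array $users, string $username, string $password): ?array
{
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $row = find_user($users, $username);
    // Always run one verify, against a dummy hash when the user is missing.
    $ok  = password_verify($password, $row['password'] ?? $dummy);
    if ($row === null || !$ok || (int) $row['active'] !== 1) {
        return null;
    }
    // Re-hash transparently if the default algorithm or cost has moved on.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $row['password'] = password_hash($password, PASSWORD_DEFAULT);
        // persist $row['password'] back to the users table here
    }
    return $row;
}

// Call instead of a bare session_start(). The cookie is HttpOnly (not readable
// by script), Secure (sent over HTTPS only) and SameSite=Lax (not sent on
// cross-site POSTs); the ID is accepted from the cookie only, and only if the
// server issued it. session_set_cookie_params() with an array needs PHP 7.3+.
function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After a successful check_login(): new ID on the privilege change, so an ID
// fixed in the browser before login is worthless, then record the user.
function login_user(array $row): void
{
    session_regenerate_id(true);
    $_SESSION['userid'] = $row['id'];
}

// Exercise the check with constructed input (no session needed for this part).
foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['nobody', 'correct horse']] as [$u, $p]) {
    printf("%-8s / %-14s => %s\n", $u, $p, check_login($users, $u, $p) ? 'ok' : 'rejected');
}
```

Only the first of the three constructed attempts is accepted; the wrong password and the unknown username are rejected through the same code path. With session.use_only_cookies on, an ID arriving in the query string is ignored by the server, so the SID that redirect() in the class above appends to URLs no longer does anything and can be dropped.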

