Jump to content

Secure Php Login Script


Recommended Posts

I've been reading a couple of php login scripts. It seems like it's really easy to create security holes. I found this one (http://www.mtdev.com/2002/07/creating-a-se...hp-login-script) which seems pretty secure. I'm trying to implement it and it's pretty complex. I already have 2 classes in my application and it complicates things. I'm kinda new to classes as well. What kind of script do you use for secure login/session/cookies?

Link to post
Share on other sites
I've been reading a couple of php login scripts. It seems like it's really easy to create security holes. I found this one (http://www.mtdev.com/2002/07/creating-a-se...hp-login-script) which seems pretty secure. I'm trying to implement it and it's pretty complex. I already have 2 classes in my application and it complicates things. I'm kinda new to classes as well. What kind of script do you use for secure login/session/cookies?
heres a login by justsomeguy clickand for security im not seeing any but i could be wrong. try these
mysql_real_escape_string()andstripslashes()

stripslashes is Un-quotes a quoted string. for more info go to hereand mysql_real_escape_string calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. for more info go to heremainly used for the mysql update and insert.

Link to post
Share on other sites

Here's the session class I've been using lately:

<?phpclass tc_lms_session{  public $userid = 0;  public $username = '';  public $fullname = '';  private $password = '';  public $userdata = false;  public $error = '';  public $error_field = '';  public $admin = false;  public $data = false;  function __construct($u = '', $p = '')  {    session_start();    if (isset($_SESSION['userid']))    {      $this->userid = $_SESSION['userid'];      $this->userdata = $_SESSION['userdata'];      $this->username = $this->userdata['username'];      $this->fullname = $this->userdata['fname'] . ' ' . $this->userdata['lname'];      $this->admin = $this->userdata['admin'];      if (isset($_SESSION['data']))        $this->data = $_SESSION['data'];      else        $this->data = array();    }    if ($u != '')    {      $this->username = $u;      $this->password = $p;      $this->login();    }  }  function login($u = '', $p = '')  {    global $db;    if ($u != '')    {      $this->username = $u;      $this->password = $p;    }    $db->sql("SELECT * FROM users WHERE username = %s");    $db->add_param($this->username);    $result = $db->select();    if (!$result)    {      $this->error_field = 'username';      $this->error = 'The username was not found.';      return false;    }    if ($this->password != $result[0]['password'])    {      $this->error_field = 'password';      $this->error = 'The password was not correct.';      return false;    }    if ($result[0]['active'] == 0)    {      $this->error_field = 'username';      $this->error = 'The user account is not active.';      return false;    }    $now = time();    $db->update('users', array('last_login' => $now, 'last_ip' => $_SERVER['REMOTE_ADDR']), "id={$result[0]['id']}");    $result[0]['last_login'] = $now;    $result[0]['last_ip'] = $_SERVER['REMOTE_ADDR'];    $this->userid = $result[0]['id'];    $this->fullname = $result[0]['fname'] . ' ' . $result[0]['lname'];    $this->userdata = $result[0];    $this->admin = $result[0]['admin'];    $this->error = '';    $this->error_field = '';    $_SESSION['userid'] = $this->userid;    $_SESSION['userdata'] = $this->userdata;    if (isset($_SESSION['data']))      $this->data = $_SESSION['data'];    else      $_SESSION['data'] = $this->data = array();    return true;  }  function logout()  {    $this->userid = 0;    $this->userdata = false;    $this->admin = false;    if (isset($_SESSION['data'])) unset($_SESSION['data']);    if (isset($_SESSION['userid'])) unset($_SESSION['userid']);    if (isset($_SESSION['userdata'])) unset($_SESSION['userdata']);  }    function update($data)  {    foreach ($data as $k => $v)    {      if (isset($this->$k))        $this->$k = $v;      if (isset($this->userdata[$k]))        $this->userdata[$k] = $v;    }    $this->fullname = $this->userdata['fname'] . ' ' . $this->userdata['lname'];    $_SESSION['userdata'] = $this->userdata;  }    function set_user($id)  {    global $db;        unset($_SESSION['userid']);    unset($_SESSION['userdata']);    $this->userid = $id;    $db->sql("SELECT * FROM users WHERE id = %d");    $db->add_param($id, false);    $result = $db->select();    if (!$result)    {      $this->error_field = 'username';      $this->error = 'The username was not found.';      return false;    }    if ($result[0]['active'] == 0)    {      $this->error_field = 'username';      $this->error = 'The user account is not active.';      return false;    }    $this->userid = $result[0]['id'];    $this->fullname = $result[0]['fname'] . ' ' . $result[0]['lname'];    $this->userdata = $result[0];    $this->admin = $result[0]['admin'];    $this->error = '';    $this->error_field = '';    $_SESSION['userid'] = $this->userid;    $_SESSION['userdata'] = $this->userdata;    return true;  }    function set_val($name, $val)  {    $_SESSION['data'][$name] = $this->data[$name] = $val;  }    function get_val($name)  {      return (isset($this->data[$name]) ? $this->data[$name] : '');  }    function redirect($url)  {    if (strpos($url, '?') === false)      $url .= '?';    else      $url .= '&';    $url .= SID;    session_write_close();    header('Location: ' . $url);    exit();  }}?>

You'll need to edit some things in order to use that, mostly the login and set_user methods, to do whatever you need to do during login. I've also got that using my database class, which you can replace with whatever other database code you want to use to do that part of it. I can give you the database class I'm using if you want to use that also.The error and error_field properties hold the error message and which field it applies to. I use the error_field to know which field to highlight if an error happened (error_field corresponds to the ID of the form field). The data array holds all of the other session data you want to use, and the set_val and get_val methods are what uses that.Example:

<?php# create session object$sess = new tc_lms_session();# do login$success = $sess->login($_POST['username'], sha1($_POST['password']);# check for errorsif (!$success){  $error_msg = $sess->error;  $error_field = $sess->error_field;}# set and return arbitrary data$sess->set_val('some session data', 'some value');echo $sess->get_val('some_session_data');# update the user info$new_data = array(  'fname' => 'Joe',  'lname' => 'Smith');$sess->update($new_data);# redirect and preserve the session$sess->redirect('home.php');# do logout$sess->logout();?>

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...