Jump to content

login script


yoshida
 Share

Recommended Posts

Hey.I've been building this login script (adapted one from a tutorial to get it all in one file), here it is.

	if (isset($_POST['akkoord'])) {  $logn=$_POST['logn'];  $logp=$_POST['logp'];    mysql_connect('localhost',$user,$password);  mysql_select_db($database) or die( "Unable to select database");    $query = "SELECT * FROM users WHERE unam = '$logn' AND pwrd = '$logp'";  $result=mysql_query($query);  $num=mysql_num_rows($result);    mysql_close();      if ($num == '1') { 	 $logid = '1'; 	 $_SESSION['logid']=$logid; 	 echo "You are logged on. <a href=index.php>HOME</a>"; 	   }  else { 	 echo "Sorry, you're not logged on. Please try again..";  }	}	else {  echo "<form action=login.php method=post>";  echo "<b>Gebruikersnaam<br><input type=password name=logn><br>Wachtwoord</b><br><input type=text name=logp><br>";  echo "<input type=submit name=akkoord value=akkoord>";	}

What this does, basically, is check wether you clicked 'submit' (akkoord). If you didn't do it yet, it'll show you a form where you can enter your username and password. When you click submit the script will reload and check the database for a user with that password. When that's the case (mysql_num_rows=$result, $result being 1) a value will be loaded into a session.This is all incredibly unsafe ofcourse. People can hack it by just reading the script and 'manufacture' a login.Does anyone know a safer way? Any recommendations?(can't wait to show you guys my eggshell script, and a working example... :)

Link to comment
Share on other sites

It's not that insecure, they can't read your PHP code. The only thing that makes it insecure is that someone could write SQL code into the password field and log in as anyone they want. You should escape the values in the SQL query:$query = "SELECT * FROM users WHERE unam = '" . mysql_real_escape_string($logn) . "' AND pwrd = '" . mysql_real_escape_string($logp) . "'";You also aren't keeping track of who is logged in. It might be more useful to store the login name in the session instead of just a value that tells whether or not they logged in.

Link to comment
Share on other sites

or you cant just do:

SELECT * FROM users WHERE unam = ' PASSWORD($logn)  ' AND pwrd = ' PASSWORD($logp) ';

sorry about it being in mysql format, wanted to try out the bbcode =]

Link to comment
Share on other sites

Thank you very much.It's 'just' going to lock the content manager for my website, used by a few moderators. So if no one sees there is one, no one is trying to use it without logging in (at least that's my guess).

Link to comment
Share on other sites

I guess letting the login script change the status from zero to one would be a good start... but that would require every user to log off before closing the browser window.(select * from users where login='1' order by 'logintime' asc) or somethin like that

Link to comment
Share on other sites

I guess letting the login script change the status from zero to one would be a good start... but that would require every user to log off before closing the browser window.(select * from users where login='1' order by 'logintime' asc) or somethin like that

Yeah, and not only that, but I have it set to accept two week long cookies. So that might cause a problem. It would have to be based on who has a session open. Can you do that?
Link to comment
Share on other sites

Nope, sorry. I hate cookies.As I said earlier/somewhere else I just use a login script to hide a content manager. The best I can do is create a logfile (if that) to keep track of who changed what when. Beyond that I'm lost.Shouldn't be too hard to figure it out tho... as long as you keep in mind what it should do and what in/outputs are available.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...