yoshida Posted June 28, 2006

Hey. I've been building this login script (adapted one from a tutorial to get it all in one file), here it is.

<?php
session_start(); // required before $_SESSION is used; this line was missing from the posted script
// $user, $password and $database are assumed to be defined earlier in the file
if (isset($_POST['akkoord'])) {
    $logn = $_POST['logn'];
    $logp = $_POST['logp'];
    mysql_connect('localhost', $user, $password);
    mysql_select_db($database) or die("Unable to select database");
    // the submitted values go straight into the SQL text (the injection problem discussed in the replies)
    $query = "SELECT * FROM users WHERE unam = '$logn' AND pwrd = '$logp'";
    $result = mysql_query($query);
    $num = mysql_num_rows($result);
    mysql_close();
    if ($num == '1') {
        $logid = '1';
        $_SESSION['logid'] = $logid;
        echo "You are logged on. <a href=index.php>HOME</a>";
    } else {
        echo "Sorry, you're not logged on. Please try again..";
    }
} else {
    echo "<form action=login.php method=post>";
    // the posted script had the input types swapped (username as type=password, password as type=text)
    echo "<b>Gebruikersnaam</b><br><input type=text name=logn><br><b>Wachtwoord</b><br><input type=password name=logp><br>";
    echo "<input type=submit name=akkoord value=akkoord>";
    echo "</form>";
}
?>

What this does, basically, is check whether you clicked 'submit' (akkoord). If you didn't do it yet, it'll show you a form where you can enter your username and password. When you click submit the script will reload and check the database for a user with that password. When that's the case (mysql_num_rows=$result, $result being 1) a value will be loaded into a session. This is all incredibly unsafe of course. People can hack it by just reading the script and 'manufacturing' a login. Does anyone know a safer way? Any recommendations? (can't wait to show you guys my eggshell script, and a working example...
justsomeguy Posted June 28, 2006

It's not that insecure, they can't read your PHP code. The only thing that makes it insecure is that someone could write SQL code into the password field and log in as anyone they want. You should escape the values in the SQL query:

$query = "SELECT * FROM users WHERE unam = '" . mysql_real_escape_string($logn) . "' AND pwrd = '" . mysql_real_escape_string($logp) . "'";

You also aren't keeping track of who is logged in. It might be more useful to store the login name in the session instead of just a value that tells whether or not they logged in.
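The two points in this reply, keeping user input out of the SQL text and storing who logged in rather than a yes/no flag, can be applied to the script from the first post as follows. This is an added example written for this thread, not code posted by anyone in it. It assumes PHP 7.1 or later with the mysqli extension (the old mysql_* functions no longer exist), the same `users` table with `unam` and `pwrd` columns, and that `pwrd` holds a `password_hash()` digest rather than the plaintext password; the database credentials are constructed placeholders.

```php
<?php
// Added example (not code from the thread): a hardened version of the login
// check from the first post. Assumes PHP 7.1+ with the mysqli extension and a
// `users` table with columns `unam` and `pwrd`, where `pwrd` stores a
// password_hash() digest, created once with password_hash($plain, PASSWORD_DEFAULT),
// instead of the plaintext password.
session_start();

// Constructed configuration values; replace with your own.
$dbHost = 'localhost';
$dbUser = 'cms_user';
$dbPass = 'change-me';
$dbName = 'website';

/**
 * Verify a user name and password. Returns the user name on success, null otherwise.
 */
function authenticate(mysqli $db, string $logn, string $logp): ?string
{
    // The user name travels as a bound parameter and is never spliced into the
    // SQL text, so a quote character in the input is data, not syntax.
    $stmt = $db->prepare('SELECT unam, pwrd FROM users WHERE unam = ? LIMIT 1');
    $stmt->bind_param('s', $logn);
    $stmt->execute();
    $stmt->bind_result($unam, $storedHash);
    $found = $stmt->fetch() === true;
    $stmt->close();

    // password_verify() checks the submitted password against the stored digest;
    // the password itself never reaches the database or the query text.
    if ($found && password_verify($logp, $storedHash)) {
        return $unam;
    }
    return null;
}

if (isset($_POST['akkoord'])) {
    $db = new mysqli($dbHost, $dbUser, $dbPass, $dbName);
    if ($db->connect_error) {
        die('Unable to connect to database');
    }
    $logn = (string)($_POST['logn'] ?? '');
    $logp = (string)($_POST['logp'] ?? '');
    $who = authenticate($db, $logn, $logp);
    $db->close();

    if ($who !== null) {
        // Fresh session id on login, so a session id handed out before
        // authentication is not promoted to a logged-in one (session fixation),
        // and record who logged in rather than only a flag.
        session_regenerate_id(true);
        $_SESSION['user'] = $who;
        $_SESSION['login_time'] = time();
        echo 'You are logged on as ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8')
           . '. <a href="index.php">HOME</a>';
    } else {
        // Same message for an unknown user and for a wrong password.
        echo "Sorry, you're not logged on. Please try again.";
    }
} else {
    echo '<form action="login.php" method="post">';
    echo '<b>Gebruikersnaam</b><br><input type="text" name="logn"><br>';
    echo '<b>Wachtwoord</b><br><input type="password" name="logp"><br>';
    echo '<input type="submit" name="akkoord" value="akkoord">';
    echo '</form>';
}
```

Pages behind the content manager then call `session_start()` and check `isset($_SESSION['user'])` instead of the old `logid` flag, and also know which moderator is working. Escaping with `mysql_real_escape_string()` as suggested above closes the same hole; the bound parameter just makes it impossible to forget on one query.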
reportingsjr Posted June 28, 2006

or you can just do:

SELECT * FROM users WHERE unam = PASSWORD('$logn') AND pwrd = PASSWORD('$logp');

sorry about it being in mysql format, wanted to try out the bbcode =]
justsomeguy Posted June 28, 2006

I guess you can do that, if you store accounts encrypted. But you probably won't be able to move that code to another database or maybe even an older version, if that's a concern.
yoshida Posted June 29, 2006 (Author)

Thank you very much. It's 'just' going to lock the content manager for my website, used by a few moderators. So if no one sees there is one, no one is trying to use it without logging in (at least that's my guess).
MetaLuna Posted June 30, 2006

> You also aren't keeping track of who is logged in.

Hey, how would one do that? I wanted to add a "Currently Logged In" feature to my website, and I have no clue where to begin.
yoshida Posted June 30, 2006 (Author)

I guess letting the login script change the status from zero to one would be a good start... but that would require every user to log off before closing the browser window. (select * from users where login='1' order by logintime asc) or something like that
MetaLuna Posted June 30, 2006

> I guess letting the login script change the status from zero to one would be a good start... but that would require every user to log off before closing the browser window. (select * from users where login='1' order by logintime asc) or something like that

Yeah, and not only that, but I have it set to accept two-week-long cookies. So that might cause a problem. It would have to be based on who has a session open. Can you do that?
yoshida Posted July 1, 2006 (Author)

Nope, sorry. I hate cookies. As I said earlier/somewhere else I just use a login script to hide a content manager. The best I can do is create a logfile (if that) to keep track of who changed what when. Beyond that I'm lost. Shouldn't be too hard to figure it out though... as long as you keep in mind what it should do and what in/outputs are available.
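The "currently logged in" feature MetaLuna asks about, and the change log yoshida mentions, can both be built on the session rather than on a login/logout flag, which answers the problem of users who close the browser without logging off. The following is an added example written for this thread, not code from any poster. It assumes PHP 7.1 or later with mysqli, a login script that stores the user name in `$_SESSION['user']`, a `last_seen` DATETIME column added to the `users` table, and an added `changelog` table described in the comments; the five-minute window and the credentials are constructed values.

```php
<?php
// Added example (not from the thread): session-based "who is online" tracking
// plus a change log for the content manager. Assumes PHP 7.1+ with mysqli,
// a login script that sets $_SESSION['user'], a `users` table with `unam`
// and an added `last_seen` DATETIME column, and an added table
//   changelog(id INT AUTO_INCREMENT PRIMARY KEY, unam VARCHAR(64),
//             action VARCHAR(32), target VARCHAR(255), changed_at DATETIME)
// Include this file on every page after session_start().

const ONLINE_WINDOW_SECONDS = 300; // constructed value: "online" = seen in the last 5 minutes

/**
 * Stamp the logged-in user's last activity. Visitors without an authenticated
 * session are ignored, so a long-lived cookie by itself marks nobody as online.
 */
function touch_presence(mysqli $db): void
{
    if (empty($_SESSION['user'])) {
        return;
    }
    $user = (string)$_SESSION['user'];
    $stmt = $db->prepare('UPDATE users SET last_seen = NOW() WHERE unam = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->close();
}

/**
 * Names of users active within the window, most recent first. Nobody has to
 * log out: closing the browser just stops the stamp being refreshed, and the
 * user drops off the list once the window passes. Both sides of the comparison
 * use the database clock (NOW()), so PHP and MySQL time zones cannot disagree.
 */
function online_users(mysqli $db, int $windowSeconds = ONLINE_WINDOW_SECONDS): array
{
    $stmt = $db->prepare(
        'SELECT unam FROM users
          WHERE last_seen IS NOT NULL
            AND TIMESTAMPDIFF(SECOND, last_seen, NOW()) <= ?
          ORDER BY last_seen DESC'
    );
    $stmt->bind_param('i', $windowSeconds);
    $stmt->execute();
    $stmt->bind_result($unam);
    $names = [];
    while ($stmt->fetch()) {
        $names[] = $unam;
    }
    $stmt->close();
    return $names;
}

/**
 * Record who changed what and when. Call it from the content manager's edit
 * and delete handlers once a change has been applied.
 */
function log_change(mysqli $db, string $action, string $target): void
{
    $user = (string)($_SESSION['user'] ?? 'anonymous');
    $stmt = $db->prepare(
        'INSERT INTO changelog (unam, action, target, changed_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->bind_param('sss', $user, $action, $target);
    $stmt->execute();
    $stmt->close();
}

// Usage on a page (constructed credentials):
// $db = new mysqli('localhost', 'cms_user', 'change-me', 'website');
// touch_presence($db);
// foreach (online_users($db) as $name) {
//     echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '<br>';
// }
// log_change($db, 'edit', 'page:about');
```

Because the list is derived from recent activity rather than a stored login flag, the two-week cookie MetaLuna mentions is harmless: a remembered user who is not actually browsing simply has a stale `last_seen` and is not shown. The change log gives the moderators' edits the "who changed what when" trail yoshida describes, tied to the same `$_SESSION['user']` value.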