TJ111
06-20-2007, 03:44 PM
I'm pretty new to PHP, and just wrote a pretty basic login script using sessions. I just wanted feedback from the community that is savvy with this kind of thing to see what recommendations they have for it. The site needs to be secure, but not fort knox. Anyway here it is.
The login script (should I use real_escape_string for the password even though it gets encrypted?):
##The headers are disabled for testing currently
<?php
session_start ();
$user = mysql_real_escape_string($_POST['username']);
$pass = md5($_POST['password']);
$dbDatabase='login';
$dbUser='**********';
$dbPass='**********';
$dbHost='localhost';
$db = mysql_connect("$dbHost","$dbUser", "$dbPass") or die ("Couldn't connect to Database.");
mysql_select_db($dbDatabase, $db) or die ("Couldn't find the database.");
$dbquery="SELECT ID, level FROM users WHERE username='$user' AND password='$pass'";
$result=mysql_query($dbquery, $db);
$rowCheck = mysql_num_rows($result);
if($rowCheck == 1){
$row = mysql_fetch_array($result);
$_SESSION['level']=$row['level'];
$_SESSION['user_id'] = $row['ID'];
$_SESSION['logged_in']=TRUE;
header("Location:success.php");
exit;
}
else {
if (mysql_error()==TRUE) {
echo mysql_error();
##header('Location:index.php');
}
else {
$error = "Login Failed";
echo $error;
##header('Location:index.php');
}
}
?>
The file at the top of each secure page:
<?php
$levels = '0';
include('check.php');
IF (!$access || !$_SESSION)
{
echo "No access";
die();
##header('Location:index.php');
}
include('header.php');
?>
The check.php script:
<?php
session_start();
IF ($_SESSION['logged_in'] = TRUE)
{
IF ($_SESSION['logged_in'] && $_SESSION['level']>= $levels)
{
$access = TRUE;
}
ELSE
{
$error = "You do not have access to view this page <br>";
echo $error;
##header ('Location:/go');
die();
}
}
ELSE
{
$error = "You must log in to see this page.";
echo $error;
##header ('Location:/go');
die();
}
?>
And just for some redundancy I have this included in the header file:
<?php
IF ($access = TRUE)
{
##Continue page load
}
ELSE
{
header('Location:/go/index.php');
}
?>
How secure is this script? Does it have any vulnerablities? Like I said it's my first real script and I just want feedback on it. Thanks alot.
The login script (should I use real_escape_string for the password even though it gets encrypted?):
##The headers are disabled for testing currently
<?php
session_start ();
$user = mysql_real_escape_string($_POST['username']);
$pass = md5($_POST['password']);
$dbDatabase='login';
$dbUser='**********';
$dbPass='**********';
$dbHost='localhost';
$db = mysql_connect("$dbHost","$dbUser", "$dbPass") or die ("Couldn't connect to Database.");
mysql_select_db($dbDatabase, $db) or die ("Couldn't find the database.");
$dbquery="SELECT ID, level FROM users WHERE username='$user' AND password='$pass'";
$result=mysql_query($dbquery, $db);
$rowCheck = mysql_num_rows($result);
if($rowCheck == 1){
$row = mysql_fetch_array($result);
$_SESSION['level']=$row['level'];
$_SESSION['user_id'] = $row['ID'];
$_SESSION['logged_in']=TRUE;
header("Location:success.php");
exit;
}
else {
if (mysql_error()==TRUE) {
echo mysql_error();
##header('Location:index.php');
}
else {
$error = "Login Failed";
echo $error;
##header('Location:index.php');
}
}
?>
The file at the top of each secure page:
<?php
$levels = '0';
include('check.php');
IF (!$access || !$_SESSION)
{
echo "No access";
die();
##header('Location:index.php');
}
include('header.php');
?>
The check.php script:
<?php
session_start();
IF ($_SESSION['logged_in'] = TRUE)
{
IF ($_SESSION['logged_in'] && $_SESSION['level']>= $levels)
{
$access = TRUE;
}
ELSE
{
$error = "You do not have access to view this page <br>";
echo $error;
##header ('Location:/go');
die();
}
}
ELSE
{
$error = "You must log in to see this page.";
echo $error;
##header ('Location:/go');
die();
}
?>
And just for some redundancy I have this included in the header file:
<?php
IF ($access = TRUE)
{
##Continue page load
}
ELSE
{
header('Location:/go/index.php');
}
?>
How secure is this script? Does it have any vulnerablities? Like I said it's my first real script and I just want feedback on it. Thanks alot.