www.webdeveloper.com

Thread: Securing website with Login and logout

  1. #1
    Join Date
    Nov 2012
    Posts
    5

    Securing website with Login and logout

    I am a complete beginner. I designed a website I need to secure with login. The website requires different Admin login and User login. I have designed a database for both. I used the following for the user. I can login successfully but the webpages are still unprotected.

    (login_form.php)

    <form name="form1" method="post" action="checklogin.php">
    <td>
    <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#00ff00">
    <tr>
    <td colspan="3"><div align="center" class="style6">Member Login </div></td>
    </tr>
    <tr>
    <td width="74">Username</td>
    <td width="12">:</td>
    <td width="293"><input name="username" type="text" id="username"></td>
    </tr>
    <tr>
    <td>Password</td>
    <td>:</td>
    <td><input name="password" type="password" id="password"></td>
    </tr>
    <tr>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
    <td><input type="submit" name="Submit" value="Login"></td>
    </tr>
    </table>
    </td>
    </form>
    </tr>
    </table></div>
    <label></label></th>
    </tr>

    <tr>
    <td colspan="3" scope="row"></td>
    </tr>
    <tr>
    <td colspan="3" scope="row"><div align="center"><span class="style5">Copyright (c) 2012. Skycom Incorporated. All rights reserved. </span></div></td>
    </tr>
    </table>
    <p>&nbsp; </p>
    </div>
    </form>


    (checklogin.php)

    <?php

    ob_start();
    $host="localhost"; // Host name
    $username="thepass"; // Mysql username
    $password="thepass"; // Mysql password
    $db_name="thepass"; // Database name
    $tbl_name="pass_member"; // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");

    // Define $username and $password
    $username=$_POST['username'];
    $password=$_POST['password'];

    // To protect MySQL injection (more detail about MySQL injection)
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
    $result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);

    // If result matched $username and $password, table row must be 1 row
    if($count==1){

    // Register $username, $password and redirect to file "login_success.php"
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
    header("location:login_success.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    ob_end_flush();
    ?>


    (login_success.php)

    <?php
    // Check if session is not registered, redirect back to main page.
    // Put this code in first line of web page.
    session_start();
    if( isset($_SESSION["username"]) ){
    header("location:login_form.php");
    }
    ?>

    (logout.php)

    <?php

    $past = time() - 100;

    //this makes the time in the past to destroy the cookie

    setcookie('ID_my_site, gone, $past');

    setcookie('Key_my_site, gone, $past');

    header("Location: login.php");

    ?>

    Please I will be forever grateful to you if you can help me through this.

  2. #2
    Join Date
    Dec 2012
    Posts
    21
    I haven't looked closely but you probably need to session_start(); before you do

    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;

    also, it's totally unnecessary to put the user's password into the session; it's very bad practice.

    also you should be hashing your passwords and not storing them in plain text (google: hashing passwords)

    I would suggest checking out some tutorials on writing secure systems; but really I would be using an existing system for securing your site; look at any sort of CMS or framework that has usernames/passwords; you don't want to reinvent the wheel!
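
Added example, not written by either poster: the points from reply #2 (session_start() before touching $_SESSION, no password in the session, hashed passwords) applied to the login, page-guard and logout logic from post #1. The function names and the `password_hash` column are assumptions; an in-memory SQLite database with one constructed user stands in for the MySQL table so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Function names and the
// password_hash column are assumptions; pass_member is the asker's table.
// checklogin.php: verify credentials, then record only the username.
function attempt_login(PDO $db, string $username, string $password): bool
{
    // A prepared statement replaces stripslashes()/mysql_real_escape_string().
    $stmt = $db->prepare('SELECT password_hash FROM pass_member WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // password_verify() checks against a salted hash, never stored plain text.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);       // fresh session ID once authenticated
    $_SESSION['username'] = $username; // the password stays out of the session
    return true;
}

// Protected pages: if (!is_logged_in()) { header('Location: login_form.php'); exit; }
function is_logged_in(): bool
{
    return isset($_SESSION['username']);
}

// logout.php: clear the session data, expire its cookie, destroy it.
function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
session_start(); // must run before $_SESSION is read or written
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pass_member (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO pass_member VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$results = [
    'wrong password' => attempt_login($db, 'alice', 'wrong'),
    'right password' => attempt_login($db, 'alice', 'correct horse'),
    'session set'    => is_logged_in(),
];
log_out();
$results['after logout'] = is_logged_in();
var_dump($results);
```

On a real page the guard's redirect must be followed by `exit`, otherwise the rest of the protected page is still rendered and sent.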
