Hello all,
I have the following script called login.inc which I include at the
beginning of each page on my customer control panel. Basically it checks to
see if a session has been created with user details and if it has it carries
on with the rest of the page and if not the login screen is printed.
My question is, how secure is this? I have the password, username etc in a
MYSQL database but I haven't encrypted it (don't know how)
Should I have login.inc in a folder below my public_html directory?
I have removed some details such as passwords and swapped that with question
marks.
Many thanks,
Ian Gray
Here is the code?
?
session_start(); // start session.
if(!isset($username) | !isset($password)) {
// escape from php mode.
?
html xmlns=http://www.w3.org/1999/xhtml;
head
meta http-equiv=Content-Type content=text/html; charset=iso-8859-1 /
titleCustomer Login/title
link href=login.css rel=stylesheet type=text/css /
script language=JavaScript type=text/javascript
/head
body onLoad=self.focus();document.customerlogin.username.focus()
form action=?=$PHP_SELF??if($QUERY_STRING){ echo?. $QUERY_STRING;}?
method=POST name=customerlogin id=customerlogin
table width=500 height=320 border=1 align=center cellpadding=0
cellspacing=0 bordercolor=#33 background=images/login.jpg
tr
td valign=toptable width=500 border=0 cellspacing=0
cellpadding=0
tr
td bgcolor=#343399div align=rightimg src=images/cl.jpg
alt=Customer Logingt;gt;gt; width=400 height=40 //div/td
/tr
tr
tdpnbsp;/p
pnbsp;/p/td
/tr
tr
td class=textydiv align=centerCustomer control panel. Please
enter
your username and password into the boxes below:/div/td
/tr
tr
tdtable width=300 border=0 align=center cellpadding=0
cellspacing=5
tr
tdnbsp;/td
tdnbsp;/td
/tr
tr
td class=blueyUsername:/td
tdinput name=username type=text class=formy/td
/tr
tr
td class=blueyPassword:/td
tdinput name=password type=password class=formy/td
/tr
tr
tdnbsp;/td
td
div align=center
input type=submit class=formy
value=Logingt;gt;gt;
/div/td/tr
/table/td
/tr
tr
tdnbsp;/td
/tr
/table/td
/tr
/table/form
/body
/html
?
exit();
}
// If all is well so far.
session_register(IIDD);
session_register(firstname);
session_register(username);
session_register(password); // register username and password as session
variables.
// Here you would check the supplied username and password against your
database to see if they exist.
// For example, a MySQL Query, your method may differ.
$link = mysql_connect(?, ?, ?) or die(Could not
connect);
mysql_select_db(s??) or die(Could not select database);
$sql = mysql_query(SELECT customerID, password, firstname FROM
customer_details WHERE username = '$username');
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);
if($numrows != 0 $password == $fetch_em[password]) {
$valid_user = 1;
}
else {
$valid_user = 0;
}
$firstname = $fetch_em[firstname];
$IIDD = $fetch_em[customerID];
// If the username exists and pass is correct, don't pop up the login code
again.
// If info can't be found or verified
if (!($valid_user))
{
session_unset(); // Unset session variables.
session_destroy(); // End Session we created earlier.
// escape from php mode.
?
html xmlns=http://www.w3.org/1999/xhtml;
head
meta http-equiv=Content-Type content=text/html; charset=iso-8859-1 /
titleCustomer Login/title
link href=login.css rel=stylesheet type=text/css /
/head
body
br /
form action=?=$PHP_SELF??if($QUERY_STRING){ echo?. $QUERY_STRING;}?
method=POST
table width=500 height=320 border=1 align=center cellpadding=0
cellspacing=0 bordercolor=#33 background=images/login.jpg
tr
td valign=toptable width=500 border=0 cellspacing=0
cellpadding=0
tr
td bgcolor=#343399div align=rightimg src=images/cl.jpg
alt=Customer Logingt;gt;gt; width=400 height=40 //div/td
/tr
tr
tdpnbsp;/p
pnbsp;/p/td
/tr
tr
td class=textydiv align=centerIncorrect username and/or
password. Please enter correct ones to log in:/div/td
/tr
tr
tdtable width=300 border=0 align=center cellpadding=0
cellspacing=5
tr
tdnbsp;/td
tdnbsp;/td
/tr
tr
td class=blueyUsername:/td
tdinput name=username type=text class=formy/td
/tr
tr
td class=blueyPassword:/td
tdinput name=password type=password class=formy/td
/tr
tr
tdnbsp;/td
td
div align=center
input type=submit class=formy
value=Logingt;gt;gt;
/div/td/tr
/table/td