[PHP] Security Question with my password protected login script...
Hello all,

I have the following script called login.inc which I include at the beginning of each page on my customer control panel. Basically it checks to see if a session has been created with user details and if it has it carries on with the rest of the page and if not the login screen is printed.

My question is, how secure is this? I have the password, username etc in a MYSQL database but I haven't encrypted it (don't know how).

Should I have login.inc in a folder below my public_html directory?

I have removed some details such as passwords and swapped that with question marks.

Many thanks,

Ian Gray

Here is the code:

<?
session_start(); // start session.

if(!isset($username) | !isset($password)) {
// escape from php mode.
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Customer Login</title>
<link href="login.css" rel="stylesheet" type="text/css" />
<script language="JavaScript" type="text/javascript"></script>
</head>
<body onLoad="self.focus();document.customerlogin.username.focus()">
<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo "?". $QUERY_STRING;}?>" method="POST" name="customerlogin" id="customerlogin">
<table width="500" height="320" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="#33" background="images/login.jpg">
<tr>
<td valign="top"><table width="500" border="0" cellspacing="0" cellpadding="0">
<tr>
<td bgcolor="#343399"><div align="right"><img src="images/cl.jpg" alt="Customer Login&gt;&gt;&gt;" width="400" height="40" /></div></td>
</tr>
<tr>
<td><p>&nbsp;</p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td class="texty"><div align="center">Customer control panel.
Please enter your username and password into the boxes below:</div></td>
</tr>
<tr>
<td><table width="300" border="0" align="center" cellpadding="0" cellspacing="5">
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td class="bluey">Username:</td>
<td><input name="username" type="text" class="formy"></td>
</tr>
<tr>
<td class="bluey">Password:</td>
<td><input name="password" type="password" class="formy"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><div align="center">
<input type="submit" class="formy" value="Login&gt;&gt;&gt;">
</div></td></tr>
</table></td>
</tr>
<tr>
<td>&nbsp;</td>
</tr>
</table></td>
</tr>
</table></form>
</body>
</html>
<?
exit();
}

// If all is well so far.
session_register("IIDD");
session_register("firstname");
session_register("username");
session_register("password");
// register username and password as session variables.

// Here you would check the supplied username and password against your database to see if they exist.
// For example, a MySQL Query, your method may differ.
$link = mysql_connect("?", "?", "?") or die("Could not connect");
mysql_select_db("s??") or die("Could not select database");
$sql = mysql_query("SELECT customerID, password, firstname FROM customer_details WHERE username = '$username'");
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);

if($numrows != 0 && $password == $fetch_em[password]) {
  $valid_user = 1;
} else {
  $valid_user = 0;
}

$firstname = $fetch_em[firstname];
$IIDD = $fetch_em[customerID];

// If the username exists and pass is correct, don't pop up the login code again.
// If info can't be found or verified
if (!($valid_user)) {
session_unset(); // Unset session variables.
session_destroy(); // End Session we created earlier.
// escape from php mode.
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Customer Login</title>
<link href="login.css" rel="stylesheet" type="text/css" />
</head>
<body>
<br />
<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo "?". $QUERY_STRING;}?>" method="POST">
<table width="500" height="320" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="#33" background="images/login.jpg">
<tr>
<td valign="top"><table width="500" border="0" cellspacing="0" cellpadding="0">
<tr>
<td bgcolor="#343399"><div align="right"><img src="images/cl.jpg" alt="Customer Login&gt;&gt;&gt;" width="400" height="40" /></div></td>
</tr>
<tr>
<td><p>&nbsp;</p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td class="texty"><div align="center">Incorrect username and/or password. Please enter correct ones to log in:</div></td>
</tr>
<tr>
<td><table width="300" border="0" align="center" cellpadding="0" cellspacing="5">
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td class="bluey">Username:</td>
<td><input name="username" type="text" class="formy"></td>
</tr>
<tr>
<td class="bluey">Password:</td>
<td><input name="password" type="password" class="formy"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><div align="center">
<input type="submit" class="formy" value="Login&gt;&gt;&gt;">
</div></td></tr>
</table></td>
Re: [PHP] Security Question with my password protected login script...
Ian Gray wrote:
> Hello all,
>
> My question is, how secure is this? I have the password, username etc in a MYSQL database but I haven't encrypted it (don't know how)

The MySQL 'password' function at http://mysql.com would work.

For something that is portable to non MySQL systems, you can use http://php.net/crypt

> Should I have login.inc in a folder below my public_html directory?

Ideally, *NO* you should not. It should be in a directory that is *NOT* below your public_html directory. Make a directory called 'includes' or 'php' or something similar that is *NEXT* to your public_html directory.

Then, using either .htaccess and:

php_value include_path ./:/complete/path/from/root/of/server/to/includes

or perhaps http://php.net/set_include_path or http://php.net/set_ini you want to convince PHP that the directory you just created is in your include_path.

> I have removed some details such as passwords and swapped that with question marks.

Good!

> <?
> session_start(); // start session.
>
> if(!isset($username) | !isset($password)) {

This should be || and not |, really.

> // escape from php mode.
> ?>
> <html xmlns="http://www.w3.org/1999/xhtml">
> ...
> </html>
> <?
> exit();
> }
>
> // If all is well so far.
> session_register("IIDD");
> session_register("firstname");
> session_register("username");
> session_register("password");
> // register username and password as session variables.

Not such a good idea, maybe.

They end up being in a file that *ANY* PHP script on your server can use. If you are on a shared server, that means *EVERY* other user on your machine that has access to PHP can read the username and password from your session files.

What you might consider is storing their PHPSESSID into a table in your database with their username. You then can look them up with the PHPSESSID that will be given back to you from their browser on each page.

Also store the date/time, and update it to now() in every script/page. Anything older than X minutes, you should consider an expired login, and force them back to logging in again.

> // Here you would check the supplied username and password against your database to see if they exist.
> // For example, a MySQL Query, your method may differ.
> $link = mysql_connect("?", "?", "?") or die("Could not connect");
> mysql_select_db("s??") or die("Could not select database");
> $sql = mysql_query("SELECT customerID, password, firstname FROM customer_details WHERE username = '$username'");

If you use MySQL's 'password' function, you can do like:

SELECT customer_ID, password = password('$password'), firstname FROM ...

You'll get either 1 or 0 if their password matches the encrypted version in your database, but you won't actually have their password stored in the database, and that's Good.

If you want to use crypt, something more like:

SELECT ..., password, ... FROM ...;
.
.
.
if (crypt($password, substr($fetch_em[password], 0, 2)) == $fetch_em[password]){
  $valid_user = 1;
}
else{
  $valid_user = 0;
}

> $fetch_em = mysql_fetch_array($sql);
> $numrows = mysql_num_rows($sql);
>
> if($numrows != 0 && $password == $fetch_em[password]) {
>   $valid_user = 1;
> } else {
>   $valid_user = 0;
> }
>
> $firstname = $fetch_em[firstname];
> $IIDD = $fetch_em[customerID];
>
> // If the username exists and pass is correct, don't pop up the login code again.
> // If info can't be found or verified
> if (!($valid_user)) {
> session_unset(); // Unset session variables.
> session_destroy(); // End Session we created earlier.
> // escape from php mode.
> ?>
> <html xmlns="http://www.w3.org/1999/xhtml">
> ...
> </html>
> <?
> exit();
> }
> ?>

Since all the HTML in the two places I put ... is the same (right?) then that should be an include file, so you can't get them out of sync.

Better yet, would be to re-structure your page so that the first form is just not there, and you only TRY to log in if (isset($_POST['username']))

So your page is more like this:

<?php
if (isset($_POST['username'])){
  //check if they are kosher, and decide on $valid_user setting
}
if (!$valid_user){
?>
<HTML>login form</HTML>
<?php
  exit;
}
?>

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question with my password protected login script...
Richard Lynch wrote:
> Ian Gray wrote:
>> My question is, how secure is this? I have the password, username etc in a MYSQL database but I haven't encrypted it (don't know how)
>
> The MySQL 'password' function at http://mysql.com would work.
>
> For something that is portable to non MySQL systems, you can use http://php.net/crypt

You should not use the MySQL PASSWORD() function within your own applications. MD5() is a good alternative as it's implemented in many programs including PHP and MySQL.

Other suggestions were good, though. :)

-- 
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals
www.phparch.com
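As an added example (not code from the thread or from any of its posters), here is the restructured login.inc Richard sketches, with the idle-timeout check he describes and, in place of the MySQL PASSWORD(), crypt() and MD5() options debated above, PHP's own password_hash()/password_verify() for the stored credential. The password_hash column, the 15-minute limit, the DSN placeholders and the loginform.inc include are assumptions.

```php
<?php
session_start();
// Assumed idle limit ("X minutes" in the thread): 15 minutes.
const IDLE_LIMIT_SECONDS = 15 * 60;

// Placeholder DSN and credentials; this file belongs outside public_html.
function db(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER', 'USER_PLACEHOLDER', 'PASS_PLACEHOLDER');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Prepared statement (no $username interpolated into SQL); the assumed
// password_hash column holds password_hash($plain, PASSWORD_DEFAULT), set at
// registration, so the plaintext password is never stored or kept in the session.
function authenticate(PDO $pdo, string $username, string $password): ?array {
    $stmt = $pdo->prepare('SELECT customerID, firstname, password_hash FROM customer_details WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;                                   // unknown user or wrong password
    }
    return ['customerID' => $row['customerID'], 'firstname' => $row['firstname']];
}

// Logged in only if the session carries an id and was used within the idle
// limit; anything older is treated as an expired login.
function sessionIsLive(array $session, int $now): bool {
    return isset($session['IIDD'], $session['last_seen'])
        && ($now - (int) $session['last_seen']) <= IDLE_LIMIT_SECONDS;
}

// Only TRY to log in when the form was actually submitted.
if (isset($_POST['username'], $_POST['password'])) {
    $row = authenticate(db(), (string) $_POST['username'], (string) $_POST['password']);
    if ($row !== null) {
        session_regenerate_id(true);                   // fresh session id after login
        $_SESSION['IIDD']      = $row['customerID'];
        $_SESSION['firstname'] = $row['firstname'];
        $_SESSION['last_seen'] = time();
    }
}

if (!sessionIsLive($_SESSION, time())) {
    session_unset();
    session_destroy();
    require __DIR__ . '/loginform.inc';                // the single copy of the HTML form
    exit;
}
$_SESSION['last_seen'] = time();                       // refresh on every page
```

Because only customerID and firstname go into the session, a shared-host reader of the session files learns no password, which addresses the concern raised about session_register() above.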