wazup999
05-11-2008, 10:21 PM
Hello,
Long time since I've been on this forum. Well I started learning php, again lol and I understand it more then I did before. I was just wondering if this login and config script was safe enough to use? Maybe you guys could give me tips on how to make it better? thx :]
login.php
<?
ob_start(); //allow cookies
session_start(); //allow sessions
include ("config.php"); //connects to the Database
include ("functions.php"); //inludes the function file
if (isset($_COOKIE['remember_panel_user'])){
$check = CHECKED;
}
if ($log != 1){ // if user is logged in
if (!$_POST[submit]){ //checks if post was submitted
//Post wasn't submitted so we show the form
echo ("
<html>
<head>
</head>
<body>
<center><form method='POST'><br>
Username: <input type='text' size='15' maxlength='12' name='username' value = '$_COOKIE[remember_panel_user]'><br>
Password: <input type='password' size='15' maxlength='12' name='password'><br>
Remember Username? <input type='checkbox' name='remember' $check><br>
<input type='submit' name='submit' value='Login'>
</body>
</html>
");
}
else
{ //post was submitted so we move on
$username = secure($_POST['username']); //sets variables and removes symbols
$password = sha1(md5($_POST['password'])); //encodes the entered password
$ticket = rand(1000000000,9999999999); //makes a ticket
$remember = $_POST['remember']; //sets variable
if (empty($username)) //if username field is empty
{
die ("<center>All fields must be filled in. (Missing username)<br> If you're not redirected in 10 secondes <a href='login.php'><font color='black'><b>Click Here</a><meta HTTP-EQUIV='REFRESH' content='4; url=login.php'>");
//die the field was empty
}
$userpass = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
$userpass = mysql_fetch_array($userpass); //query that selects the information
$uid = $userpass[id]; //get's the users id
$ua = sha1(md5($_SERVER['HTTP_USER_AGENT']));
if($userpass[password] != $password) { //if the password in the database equals the one entered
echo ("<meta HTTP-EQUIV='REFRESH' content='3; url=login.php'>Wrong username or password.<br><br><br>You will be redirected<br> If you're not redirected in 5 secondes <a href='login.php'><font color='black'><b>Click Here</a>");
//shows echo wrong username or password
}else{
$set_ticket = mysql_query("UPDATE users SET ticket = sha1(md5($ticket)) WHERE username = '$username'") or die(mysql_error());
//enters the ticket in the database
setcookie("panel_pass", md5($ticket), time()+3600);
//enters the password in a cookie
$_SESSION['panel_pwd'] = $password;
//enters the ticket in a session
$_SESSION['panel_uid'] = $uid;
//enters id in a session
$_SESSION['panel_ua'] = $ua;
//enters the users HTTP AGENT in a session for security reasons
if ($remember != on){ //if the remember me box was checked
setcookie("remember_panel_user", "", time()-9999); //destroy the remember me cookie
}else{
setcookie("remember_panel_user", "$username", time()+9999); //enter the username in a cookie
}
echo ("<center><meta HTTP-EQUIV='REFRESH' content='0; url=login.php'><br><br>You will be redirected<br> If you're not redirected in 10 secondes <a href='login.php'><font color='black'><b>Click Here</a>");
//If everything is ok refresh the page
}
}
}
else
{
echo("Hello $logged[username], how are you today?<br><a href='logout.php'>Logout</a>");
//Show page content
}
?>config.php
<?php
ob_start(); //allow cookies
session_start(); //allow sessions
session_regenerate_id(true); //gives the user a new session id
$conn = mysql_connect("localhost","",""); //Database connection information
mysql_select_db() or die(mysql_error()); //Database query
$check_ticket = sha1($_COOKIE['panel_pass']); //Encode's session ticket
$logged = MYSQL_QUERY("SELECT * from users WHERE id = '$_SESSION[panel_uid]'"); //Query
$logged = mysql_fetch_array($logged);
if ($_SESSION['panel_pwd'] != $logged['password']){ //Check to see if the cookie pwd is equal to the user's password
echo ("Wrong username or password.<br><br>You will be redirected<br> If you're not redirected in 10 secondes <a href='login.php'><font color='black'><b>Click Here</a>");
}elseif (!isset($_SESSION['panel_ua'])){ //Checks to see if session exists
}elseif ($_SESSION['panel_ua'] != sha1(md5($_SERVER['HTTP_USER_AGENT']))){ //Compares the session user agent with his current 1
echo ("<center>Session has died.<br>Please login again.");
session_destroy(); //destroys the cookie
exit(0);
}elseif ($check_ticket != $logged['ticket']){ //compares the ticket in the session and the one in the database
echo ("<center>Session has died.<br>Please login again.");
}else{
$log = '1'; //puts log to 1 because the user is logged in
}
?>Thanks,
Waz
Long time since I've been on this forum. Well I started learning php, again lol and I understand it more then I did before. I was just wondering if this login and config script was safe enough to use? Maybe you guys could give me tips on how to make it better? thx :]
login.php
<?
ob_start(); //allow cookies
session_start(); //allow sessions
include ("config.php"); //connects to the Database
include ("functions.php"); //inludes the function file
if (isset($_COOKIE['remember_panel_user'])){
$check = CHECKED;
}
if ($log != 1){ // if user is logged in
if (!$_POST[submit]){ //checks if post was submitted
//Post wasn't submitted so we show the form
echo ("
<html>
<head>
</head>
<body>
<center><form method='POST'><br>
Username: <input type='text' size='15' maxlength='12' name='username' value = '$_COOKIE[remember_panel_user]'><br>
Password: <input type='password' size='15' maxlength='12' name='password'><br>
Remember Username? <input type='checkbox' name='remember' $check><br>
<input type='submit' name='submit' value='Login'>
</body>
</html>
");
}
else
{ //post was submitted so we move on
$username = secure($_POST['username']); //sets variables and removes symbols
$password = sha1(md5($_POST['password'])); //encodes the entered password
$ticket = rand(1000000000,9999999999); //makes a ticket
$remember = $_POST['remember']; //sets variable
if (empty($username)) //if username field is empty
{
die ("<center>All fields must be filled in. (Missing username)<br> If you're not redirected in 10 secondes <a href='login.php'><font color='black'><b>Click Here</a><meta HTTP-EQUIV='REFRESH' content='4; url=login.php'>");
//die the field was empty
}
$userpass = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
$userpass = mysql_fetch_array($userpass); //query that selects the information
$uid = $userpass[id]; //get's the users id
$ua = sha1(md5($_SERVER['HTTP_USER_AGENT']));
if($userpass[password] != $password) { //if the password in the database equals the one entered
echo ("<meta HTTP-EQUIV='REFRESH' content='3; url=login.php'>Wrong username or password.<br><br><br>You will be redirected<br> If you're not redirected in 5 secondes <a href='login.php'><font color='black'><b>Click Here</a>");
//shows echo wrong username or password
}else{
$set_ticket = mysql_query("UPDATE users SET ticket = sha1(md5($ticket)) WHERE username = '$username'") or die(mysql_error());
//enters the ticket in the database
setcookie("panel_pass", md5($ticket), time()+3600);
//enters the password in a cookie
$_SESSION['panel_pwd'] = $password;
//enters the ticket in a session
$_SESSION['panel_uid'] = $uid;
//enters id in a session
$_SESSION['panel_ua'] = $ua;
//enters the users HTTP AGENT in a session for security reasons
if ($remember != on){ //if the remember me box was checked
setcookie("remember_panel_user", "", time()-9999); //destroy the remember me cookie
}else{
setcookie("remember_panel_user", "$username", time()+9999); //enter the username in a cookie
}
echo ("<center><meta HTTP-EQUIV='REFRESH' content='0; url=login.php'><br><br>You will be redirected<br> If you're not redirected in 10 secondes <a href='login.php'><font color='black'><b>Click Here</a>");
//If everything is ok refresh the page
}
}
}
else
{
echo("Hello $logged[username], how are you today?<br><a href='logout.php'>Logout</a>");
//Show page content
}
?>config.php
<?php
ob_start(); //allow cookies
session_start(); //allow sessions
session_regenerate_id(true); //gives the user a new session id
$conn = mysql_connect("localhost","",""); //Database connection information
mysql_select_db() or die(mysql_error()); //Database query
$check_ticket = sha1($_COOKIE['panel_pass']); //Encode's session ticket
$logged = MYSQL_QUERY("SELECT * from users WHERE id = '$_SESSION[panel_uid]'"); //Query
$logged = mysql_fetch_array($logged);
if ($_SESSION['panel_pwd'] != $logged['password']){ //Check to see if the cookie pwd is equal to the user's password
echo ("Wrong username or password.<br><br>You will be redirected<br> If you're not redirected in 10 secondes <a href='login.php'><font color='black'><b>Click Here</a>");
}elseif (!isset($_SESSION['panel_ua'])){ //Checks to see if session exists
}elseif ($_SESSION['panel_ua'] != sha1(md5($_SERVER['HTTP_USER_AGENT']))){ //Compares the session user agent with his current 1
echo ("<center>Session has died.<br>Please login again.");
session_destroy(); //destroys the cookie
exit(0);
}elseif ($check_ticket != $logged['ticket']){ //compares the ticket in the session and the one in the database
echo ("<center>Session has died.<br>Please login again.");
}else{
$log = '1'; //puts log to 1 because the user is logged in
}
?>Thanks,
Waz