
Login script with user only pages

Posted: Sun May 29, 2011 3:42 am
by giga
LOGIN.PHP:

Code:

<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="root"; // Mysql password
$db_name="globalbattle"; // Database name
$tbl_name="usersystem"; // Table name

mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$username=$_POST['username'];
$password=$_POST['password'];

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
// If the username/password pair matched, the table must return exactly 1 row

if($count==1){
session_register("username");
session_register("password");
header("location:main.php");
}
else {
echo "Wrong Username or Password";
}
?>
I have registered username and password for main.php.

MAIN.PHP:

Code:

<?php
session_start();
if(!session_is_registered("username")){
echo "Welcome";
}
?>
Why does the message "Welcome" come up when I have not logged on?

Re: Login script with user only pages

Posted: Sun May 29, 2011 9:20 am
by Apollo
In login.php you didn't do session_start().

Furthermore, you should NEVER EVER store a password anywhere! You store a hash of the password + some random salt string (so you keep only an irreversible checksum), NOT the original password.

Finally, you ask why the message "Welcome" appears when you have not logged on: well that's exactly what main.php does :) (check the if)

Re: Login script with user only pages

Posted: Sun May 29, 2011 9:30 am
by giga
Apollo wrote: In login.php you didn't do session_start().
Why would I need to put session_start in login.php?

Re: Login script with user only pages

Posted: Sun May 29, 2011 9:53 am
by Apollo
giga wrote: Why would I need to put session_start in login.php?
Because you're doing session_register("username").

Which is deprecated by the way, it's better to use $_SESSION['some_name'] = 'some_value';

(edit) oh, I just noticed in the manual that session_start is called implicitly if you didn't do so yourself. But, with the function being deprecated and all, I'd stick to $_SESSION nonetheless.

Re: Login script with user only pages

Posted: Sun May 29, 2011 8:52 pm
by Pazuzu156
First of all, this login is terrible. There is no security in the login. For your query you should use sprintf(). Also, as mentioned before, you need to md5 hash the password both in the login process and in the database it's stored in. Easy enough: $password = md5($password);

Also, you need to begin the session in the login page and start the session based on the username: session_start(); to begin the session, and $_SESSION['user'] = $username; so the session holds a value while the user is logged in.

If you want an example of a login script I made with full explanations, follow this link: viewtopic.php?f=1&t=129897

Hope all this helps you.

Re: Login script with user only pages

Posted: Mon May 30, 2011 2:57 am
by Apollo
Pazuzu156 wrote: $password = md5($password);
Except...
1. Don't use md5, but a stronger hash (like sha512 or whirlpool).
2. Use salt, to avoid rainbow table attacks.
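The advice in the replies above (Apollo: store only a salted, irreversible hash and use $_SESSION instead of session_register(); Pazuzu156: keep user input out of the query text and start the session before storing the username; Apollo again: no md5, use a stronger hash with a salt) is pulled together below in one working include that login.php and main.php can share. This is an added example written for this page, not code from any poster in the thread. It swaps in PHP's own password_hash()/password_verify() (added in PHP 5.5, after this thread was written) in place of the hand-rolled sha512+salt the replies suggest: password_hash() generates the random salt itself and embeds it in the stored string, which is the same idea with less room to get it wrong. It uses PDO prepared statements instead of sprintf() with escaping. The table layout, column names, database credentials and PHP version (7.1 or later) are assumptions, not something the thread states.

```php
<?php
// auth.php: an added example, not the thread's code. One include shared by both pages:
//   login.php: require 'auth.php'; handleLoginPost(connectDb());
//   main.php:  require 'auth.php'; requireLogin(); echo 'Welcome';
// Assumptions (not from the thread): PHP >= 7.1 with PDO_MySQL, and a table
//   CREATE TABLE usersystem (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     username VARCHAR(64) NOT NULL UNIQUE,
//     password_hash VARCHAR(255) NOT NULL   -- bcrypt string, salt included
//   );
// The credentials below are placeholders; keep real ones outside the web root.
declare(strict_types=1);

function connectDb(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=globalbattle;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

/** Store a user. Only a salted hash goes into the table, never the password. */
function registerUser(PDO $pdo, string $username, string $password): void
{
    // password_hash() picks a random salt and embeds it in the result, so no
    // separate salt column is needed; PASSWORD_DEFAULT is currently bcrypt.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO usersystem (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/** Check credentials. Returns the user id on success, null on any failure. */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // Prepared statement: user input never becomes part of the SQL text, so
    // stripslashes()/mysql_real_escape_string() are not needed. The password
    // is deliberately not in the query; it is checked against the stored hash.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM usersystem WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For an unknown user, verify against a throwaway hash anyway so that the
    // response time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $storedHash = $row !== false ? $row['password_hash'] : $dummyHash;
    if (!password_verify($password, $storedHash) || $row === false) {
        return null;
    }
    // Transparently upgrade old hashes if PHP's default cost or algorithm changes.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE usersystem SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

/** login.php body: process the form, establish the session, redirect. */
function handleLoginPost(PDO $pdo): void
{
    session_start(); // required before touching $_SESSION
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return; // nothing to check on a GET; the page just shows the form
    }
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $userId = authenticate($pdo, $username, $password);
    if ($userId === null) {
        echo 'Wrong username or password'; // one message for both failure cases
        return;
    }
    session_regenerate_id(true);     // fresh session id at login: blocks session fixation
    $_SESSION['user_id']  = $userId; // keep an identifier in the session, never the password
    $_SESSION['username'] = $username;
    header('Location: main.php');
    exit;                            // header() alone does not stop the script
}

/** main.php guard: anyone without a session is sent back to the login page. */
function requireLogin(): void
{
    session_start();
    if (!isset($_SESSION['user_id'])) { // condition reads "not logged in", then redirect
        header('Location: login.php');
        exit;
    }
}
```

Two things to check when adapting this: the mysql_* functions in the original login.php were removed in PHP 7, and session_register()/session_is_registered() were removed in PHP 5.4, so the original scripts will not run at all on a current PHP; and main.php must start the session before reading $_SESSION, which is why requireLogin() calls session_start() itself rather than relying on the caller.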