
user level

Posted: Fri Nov 18, 2011 2:51 am
by jauson
Please help me to boost the security of the user level access I made. Here's my script.

<?php

if (isset($_POST['username'])&&isset($_POST['password'])){

$username = $_POST['username'];
$password = $_POST['password'];

	if (!empty($username)&&!empty($password)){

	$query = "SELECT * FROM `employeedetails` WHERE `username`='".mysql_real_escape_string($username)."' AND `password`='".mysql_real_escape_string($password)."' AND `access_level`='1'";
	$result = mysql_query($query);
		
		if($rows = mysql_num_rows($result) == 1){
			
			$user_id = mysql_result($result, 0, 'employeeID');
			$_SESSION['user_id'] = $user_id;
			header("Location: index.php");	

	} else if ($rows = mysql_num_rows($result) == 0){			
		
			$query = "SELECT * FROM `employeedetails` WHERE `username`='".mysql_real_escape_string($username)."' AND `password`='".mysql_real_escape_string($password)."' AND `access_level`='2'";
			$result = mysql_query($query);
			
				if($rows = mysql_num_rows($result) == 1){
					
					$user_id = mysql_result($result, 0, 'employeeID');
					$_SESSION['user_id'] = $user_id;
					header("Location: maindex.php");	
					
				} else if($rows = mysql_num_rows($result) == 0){
				
						$query = "SELECT * FROM `employeedetails` WHERE `username`='".mysql_real_escape_string($username)."' AND `password`='".mysql_real_escape_string($password)."' AND `access_level`='3'";
						$result = mysql_query($query);
						
						if($rows = mysql_num_rows($result) == 1){
							
								$user_id = mysql_result($result, 0, 'employeeID');
								$_SESSION['user_id'] = $user_id;
								header("Location: rindex.php");	
								
					} else if($rows = mysql_num_rows($result) == 0) {
						
						$query = "SELECT * FROM `employeedetails` WHERE `username`='".mysql_real_escape_string($username)."' AND `password`='".mysql_real_escape_string($password)."' AND `access_level`='4'";
						$result = mysql_query($query);
						
						if($rows = mysql_num_rows($result) == 1){
						
						$user_id = mysql_result($result, 0, 'employeeID');
						$_SESSION['user_id'] = $user_id;
						header("Location: index.php");	
						
						} else if($rows = mysql_num_rows($result) == 0) {
						echo 'Username and Password Not Found.';
					}
				}
			}
		}
	} else {
 
  echo '<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
		<head><link type="text/css" rel="stylesheet" href="css/board.css"/></head>
		<body>
		<div class="error">
		Username and Password should not be blank. 
		<div class="warning">
		<img src="images/warning.png"/>
		</div>
		</div>
		</body>
		</html>';
	}
}

Re: user level

Posted: Fri Nov 18, 2011 6:18 am
by Celauran
The first and most obvious problem is that you appear to be storing passwords as plain text. Don't do that. Salt them, pepper them, and hash them using a nice, slow algorithm.

Why do you have a bunch of different queries with different access levels? Wouldn't it be easier to request the access level from the database and get rid of all those nested conditionals?
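
The two suggestions above combined, as an added example that is not part of the original thread: one query fetches the row by username, `password_verify()` checks a salted, slow hash, and the stored `access_level` picks the landing page. It uses PDO prepared statements in place of the `mysql_*` functions (removed in PHP 7); the `password_hash` column, the `APP_PEPPER` variable and the in-memory SQLite rows are assumptions made for the demo.

```php
<?php
// Added example, not the poster's code. Page names and levels are taken from the script above.
// Assumed schema change: a `password_hash` column (hypothetical) replaces plain-text `password`.
const LANDING_PAGES = [1 => 'index.php', 2 => 'maindex.php', 3 => 'rindex.php', 4 => 'index.php'];

// Pepper: a server-side secret kept outside the database (APP_PEPPER is a hypothetical name).
function peppered(string $password): string {
    return hash_hmac('sha256', $password, getenv('APP_PEPPER') ?: 'constructed-demo-pepper');
}

// One query by username only; returns employeeID and access_level, or null on any failure.
function authenticate(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare(
        'SELECT employeeID, password_hash, access_level FROM employeedetails WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the per-user salt and the cost from the stored hash itself.
    if ($row === false || !password_verify(peppered($password), $row['password_hash'])) {
        return null;
    }
    $level = (int) $row['access_level'];
    if (!array_key_exists($level, LANDING_PAGES)) {
        return null; // unknown level: deny rather than guess a page
    }
    return ['employeeID' => $row['employeeID'], 'access_level' => $level];
}

// Caller must have called session_start(); it then sends header('Location: ...') and exits.
function login(PDO $db, string $username, string $password): ?string {
    $user = authenticate($db, $username, $password);
    if ($user === null) {
        return null; // show one generic "not found" message
    }
    session_regenerate_id(true); // fresh session id after login (prevents session fixation)
    $_SESSION['user_id'] = $user['employeeID'];
    return LANDING_PAGES[$user['access_level']];
}

// Constructed demo data in an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employeedetails (employeeID INTEGER, username TEXT, password_hash TEXT, access_level INTEGER)');
$ins = $db->prepare('INSERT INTO employeedetails VALUES (?, ?, ?, ?)');
$ins->execute([7, 'alice', password_hash(peppered('correct horse'), PASSWORD_DEFAULT), 2]);

var_dump(authenticate($db, 'alice', 'correct horse'));
var_dump(authenticate($db, 'alice', 'wrong password'));
```

Each protected page still has to check the logged-in user's `access_level` itself; the redirect only chooses where a user lands.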

Re: user level

Posted: Fri Nov 18, 2011 7:57 pm
by jauson
Celauran wrote: The first and most obvious problem is that you appear to be storing passwords as plain text. Don't do that. Salt them, pepper them, and hash them using a nice, slow algorithm.

Why do you have a bunch of different queries with different access levels? Wouldn't it be easier to request the access level from the database and get rid of all those nested conditionals?

Obviously I don't have an idea of how to implement nice and simple queries for different users. That is why I created my own script, which is not recommended for a dynamic page like this.