Does this login code look secure?
Posted: Mon Feb 03, 2003 6:06 pm
Code: Select all
<?php
if($_POST["submit"]) {
$link = mysql_connect("localhost", "username", "xxxx") or die("Could not connect");
mysql_select_db("users") or die("Could not select database");
$username = strip_tags($_POST["username"]);
$password = strip_tags($_POST["password"]);
$sql = "SELECT username, password FROM general_access WHERE username='&username' && password='$password'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if(!$username) {
$error = "1";
header("Location: login.php?error=$error");
} elseif(!$password) {
$error = "2";
header("Location: login.php?error=$error");
} elseif(!$username == $row["username"] && !$password == $row["password"]) {
$error = "3";
header("Location: login.php?error=$error");
} elseif($username == $row["username"] && $password == $row["password"]) {
header("Location: secure.php");
}
mysql_free_result($result);
mysql_close($link);
} else {
?>
<b>Enter you user information:</b>
<br><br>
<form method=post action="login.php">
Username: <input type=text name="username"><br>
Password: <input type=text name="password">
<br><br>
<input type=submit name="submit" value="Log In"> <input type=reset value="Reset">
</form>
<?php
echo "<font color="#FF0000">\n";
if($_GET["error"] == "1") {
echo "No username entered.\n";
} elseif($_GET["error"] == "2") {
echo "No password entered.\n";
} elseif($_GET["error"] == "3") {
echo "Invalid username or password entered.\n";
}
echo "</font>\n";
}
?>