Is this code secure?
Posted: Wed Jun 24, 2009 2:52 am
Hi guys, I'm creating a login page but I'm not sure my code is secure. Could anybody tell me whether this is secure?
And if you have any ideas, please tell me.
Thanks
Note: I am working with PHP 4 and MySQL 4.
This is my form for login:
Code:
<form action="postlogin.php" method="post">
<table width="100%" border="0" cellpadding="0" cellspacing="0" bgcolor="#E5B57A" align="center">
<tr align="center">
<td height="261" align="center" valign="middle">
<p class="style2">Pattaya Library</p>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="50%"><div align="center">Username</div></td>
<td width="50%"><input type="text" name="use" id="textfield" /></td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td><div align="center">Password</div></td>
<td><input type="password" name="pwd" id="textfield2" /></td>
</tr>
</table>
<p>
<input type="submit" name="button" id="button" value="Login" />
</p>
<p>
<?php
if($_GET['err']==1){
echo "<font color='#FF0000'><strong>Log in failed please try again </strong></font>";
}else if ($_GET['err']==2){
echo "<font color='#FF0000'><strong>Log in timeout please try again </strong></font>";
}
?>
</p>
</td>
</tr>
</table>
</form>
This is postlogin.php:
Code:
<?php
session_start();
include("../include/config.php");
$sql="select * from libraly_user where user_username='".$_POST['use']."' and user_password='".$_POST['pwd']."'";
$rs=mysql_query($sql)or die(mysql_error());
$row=mysql_fetch_assoc($rs);
$num=mysql_num_rows($rs);
if($num>0){
session_register("ss_use");
session_register("ss_id");
session_register("ss_lv");
$_SESSION['ss_use']=$_POST['use'];
$_SESSION['ss_lv']=$row['user_level'];
$_SESSION['ss_id']=session_id(); // call the function; a bare session_id is read as a constant name
echo "<script>location.replace('index.php?pagetype=1');</script>";
}else{
echo "<script>location.replace('login.php?err=1');</script>";
}
?>
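
A hardened form of postlogin.php, as an added example that is not part of the original post: the query above builds its SQL by concatenating `$_POST['use']` and `$_POST['pwd']`, so submitted text becomes part of the statement, and it compares the password in plain text. This version assumes PHP 5.5 or later with PDO (not the PHP 4 the post mentions), a PDO handle named `$pdo` created in config.php (a hypothetical name), and a `user_password` column that stores `password_hash()` output.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: PHP 5.5+ with PDO; config.php defines $pdo (hypothetical name);
// user_password holds password_hash() output, not the plain-text password.
session_start();
include("../include/config.php");

// Accept only string fields; arrays or missing fields become empty strings.
$use = isset($_POST['use']) && is_string($_POST['use']) ? $_POST['use'] : '';
$pwd = isset($_POST['pwd']) && is_string($_POST['pwd']) ? $_POST['pwd'] : '';

// The user name is bound as a parameter, so it cannot change the SQL text.
$stmt = $pdo->prepare(
    "SELECT user_password, user_level FROM libraly_user WHERE user_username = ?"
);
$stmt->execute(array($use));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare against the stored hash; the password never appears in the query.
if ($row !== false && password_verify($pwd, $row['user_password'])) {
    // Issue a new session id at login so a pre-login id is not carried over.
    session_regenerate_id(true);
    $_SESSION['ss_use'] = $use;
    $_SESSION['ss_lv']  = $row['user_level'];
    $_SESSION['ss_id']  = session_id();
    // Server-side redirect instead of echoing a <script> tag.
    header('Location: index.php?pagetype=1');
    exit;
}

// Same response for an unknown user and a wrong password;
// no database error text is sent to the browser.
header('Location: login.php?err=1');
exit;
```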