Just some help.
Posted: Wed Jul 28, 2010 11:05 pm
I know this exact same topic has been posted over and over, but hey, every code is unique (at least it should be if it's "written" by two different people). So, if you guys don't mind, would you all take a look at my code and see what I could do to make it more secure and such.
This code is the "universal" code; it gets included on every page that requires it. Its purpose is simple: connect to the database, hold universal variables/functions. Oh, and I left the mysql connect info because it's localhost, and obviously no one can do much with that. Also, the error stuff in the beginning of the below code is just there for debugging and testing; it will be disabled before I post it to the web.
This code is the actual login checker and session creator.
Code:
<?php
/*
Title: Universal Info, mysql.php
Author: Dylan G.
Directory: /forum/
Purpose: To contain universal variables/functions, connect to server
Original Draft: July 27, 2010
Last Update: July 28, 2010
*/
//Debug settings
//display_errors is the ini setting that shows errors on the page;
//'error_reporting' is not an ini key for ini_set, error_reporting() below sets the level
ini_set('display_errors', '1');
error_reporting(E_ALL);
//Connection Section
$mysql_username = "root";
$mysql_password = "";
$mysql_host = "localhost";
$U_salt = "*****";
mysql_connect($mysql_host,$mysql_username,$mysql_password) or die("Could Not Connect To Mysql Server:<br>". mysql_error());
//Universal Variables
$U_host = "http://localhost";
//Universal Functions
function _generateHash($in1,$in2,$in3) {
    //$U_salt is defined at file scope; without this line the function
    //sees an undefined (empty) salt and the site-wide salt is never used
    global $U_salt;
    $hashed = md5($in1.$in3.$in2.$U_salt);
    return $hashed;
}
?>
Code:
<?php
/*
Title: Login Checker, checklogin.php
Author: Dylan G.
Directory: /forum/auth/
Purpose: To validate login information and if login is successful, create session.
Original Draft: July 27, 2010
Last Update: July 28, 2010
*/
//Connect to server, gather universal functions and variables
//("/../mysql.php" is an absolute path from the filesystem root, so it never
//finds /forum/mysql.php; resolve the parent directory relative to this file)
require(__DIR__ . "/../mysql.php");
//Define outside urls
$errorURL = $U_host."/auth/index.php?status=failed";
$success = $U_host."/index.php?status=complete";
//Define Database
mysql_select_db("members") or die("Could not select database:<br>".mysql_error());
//Cleanup Variables
if (!isset($_POST['username']) || !isset($_POST['password'])) {
    header("Location: ".$errorURL."&reason=missinginfo");
    die();
}
$username = mysql_real_escape_string(stripslashes($_POST['username']));
$password = mysql_real_escape_string(stripslashes($_POST['password']));
//Retrieve Private Salt
$sql = "SELECT psalt,powerlevel FROM users WHERE username='".$username."'";
$execute = mysql_query($sql) or die(mysql_error());
//If user doesn't exist aka salt doesn't exist
if (mysql_num_rows($execute) == 0) {
    header("Location: ".$errorURL."&reason=udne");
    die();
}
//Get salt
while ($row = mysql_fetch_assoc($execute)) {
    $salt = $row['psalt'];
    $pwrLVL = $row['powerlevel'];
}
//Generate hashed password
$password = _generateHash($username,$password,$salt);
//Login Check
$sql = "SELECT id FROM users WHERE username='".$username."' AND password='".$password."'";
$execute = mysql_query($sql) or die(mysql_error());
//If only one person matches create login
if (mysql_num_rows($execute) == 1) {
    session_start();
    $pepper = rand(10000,9999999);
    $_SESSION['username'] = $username;
    //Added username for guaranteed unique
    $_SESSION['visitid'] = md5($pepper.$username);
    $_SESSION['PL385'] = rand(10,99).$pwrLVL.rand(1,99);
    //update visit id (the SET clause needs a value; md5 output is hex, so it is safe to embed)
    $sql = "UPDATE users SET visitid='".$_SESSION['visitid']."' WHERE username='".$username."'";
    $execute = mysql_query($sql) or die(mysql_error());
    header("Location: ".$success);
    die();
}
//Anything else gets an error
else {
    header("Location: ".$errorURL."&reason=badinfo");
    die();
}
?>
Versions:
PHP - 5.3.0
MySQL - 5.1.36
Thanks For Reading
-BB5
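A hardened counterpart to the checklogin.php above, added here as an example and not the poster's code. It assumes PHP 5.5 or later (for password_hash/password_verify, newer than the 5.3.0 the post runs), a mysql.php that exposes a PDO connection in $pdo and the same $U_host, the openssl extension, and that users.password holds password_hash() output written at registration instead of the md5 construction.

```php
<?php
// Hardened login check (added example). Assumptions: PHP >= 5.5, $pdo (PDO)
// and $U_host come from a reworked mysql.php, users.password stores
// password_hash() output, openssl extension available.
require(__DIR__ . "/../mysql.php");

$errorURL = $U_host . "/auth/index.php?status=failed";
$success  = $U_host . "/index.php?status=complete";

if (!isset($_POST['username'], $_POST['password'])) {
    header("Location: " . $errorURL . "&reason=missinginfo");
    exit;
}
$username = $_POST['username'];
$password = $_POST['password'];   // hash the raw value; never escape/strip it first

// Prepared statement: the username is bound as data, never concatenated into SQL.
$stmt = $pdo->prepare("SELECT id, password, powerlevel FROM users WHERE username = ?");
$stmt->execute(array($username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// One generic failure reason: the response must not reveal whether the user exists
// (the original's "udne" vs "badinfo" lets a client enumerate usernames).
if ($row === false || !password_verify($password, $row['password'])) {
    header("Location: " . $errorURL . "&reason=badinfo");
    exit;
}

session_start();
session_regenerate_id(true);               // fresh session id after login (anti-fixation)
$_SESSION['user_id']    = (int)$row['id'];
$_SESSION['username']   = $username;
$_SESSION['powerlevel'] = (int)$row['powerlevel']; // stored plainly; server-side data needs no disguise

// Visit id from a CSPRNG instead of rand(); 16 random bytes as 32 hex chars.
$visitid = bin2hex(openssl_random_pseudo_bytes(16));
$_SESSION['visitid'] = $visitid;

$upd = $pdo->prepare("UPDATE users SET visitid = ? WHERE id = ?");
$upd->execute(array($visitid, $row['id']));

header("Location: " . $success);
exit;
```

The registration side has to store password_hash($password, PASSWORD_DEFAULT) for this check to succeed; the per-user psalt column becomes unnecessary because bcrypt embeds its own salt.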