Is this secure? (Help w/ login page)
Posted: Tue Nov 08, 2011 10:40 am
I am an absolute beginner with PHP, so please bear with me. I am looking for a simple login page where I can add 3-4 users.
After searching all over and not really finding a clear answer, I stumbled across this video "http://www.youtube.com/watch?v=d4qdqUpenWk" and, following those instructions, set up the following files on my web space. It "appears" to work, but I have no clue if this is secure or not.
One concern I have is that as you can see in "checklogin.php" the SQL pw is in clear text (no md5 hash?). I've put that file in a separate folder and locked it off with .htaccess, but I'm not clear on if that is enough. A second concern is "injection attacks"? Please help me.
-------------
mainlogin.php
-------------
checklogin.php
-------------
login_success.php
-------------
logout.php
-------------
mainlogin.php
Code:
<html>
<head>
<title>Login</title>
<style type="text/css">
#loginform {
border: 2px solid #ACA7A4 ;
background-color: #878381 ;
width: 280px ;
}
#loginform form {
margin: 5px ;
}
label {
display: block ;
width: 90px ;
float: left ;
clear: both ;
}
label, input {
margin-bottom: 4px ;
}
</style>
</head>
<body bgcolor="#000000">
<div id="loginform">
<form method="post" action="../php/checklogin.php" name="form1">
<label for="username">Username:</label>
<input type="text" name="myusername" id="username" />
<label for="password">Password:</label>
<input type="password" name="mypassword" id="password" /> <!-- Change "type" to "password" to create *** field -->
<input type="submit" name="submit" value="Login" />
</form>
</div>
</body>
</html>
checklogin.php
Code:
<?php
$host = "host.com" ;
$username = "username" ;
$password = "password" ;
$db_name = "database" ;
$tbl_name = "table" ;
// mysql_error() takes an optional link resource, not a message string
mysql_connect ($host, $username, $password) or die("Can't connect: " . mysql_error());
mysql_select_db ($db_name) or die (mysql_error());
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
// Both POST values go into the query unescaped, and the stored password is
// compared in clear text: these are the two concerns raised in the post.
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count==1) {
session_register("myusername");
session_register("mypassword");
header("location:/login_success.php");
exit; // stop here, otherwise the script keeps running after the redirect
}
else {
echo "Wrong Username or Password";
}
?>
login_success.php
Code:
<?php
session_start();
// the session variable name must be a quoted string; a bare word only works by way of an undefined-constant notice
if(!session_is_registered('myusername')) {
header("location:mainlogin.php");
exit; // without this the welcome page below is still sent to a visitor who is not logged in
}
?>
<html>
<head> <title>Welcome</title>
</head>
<body>
<h1>Login Successful</h1>
<p>
<a href="logout.php">Log Out!</a></p>
</body>
</html>
logout.php
Code:
<?php
session_start();
session_destroy();
?>
<html>
<head> <title>Goodbye</title>
</head>
<body>
<h1>You've been logged out.</h1>
</body>
</html>
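To show what the two concerns in the post (clear-text password comparison and unescaped input in the query) look like once addressed, here is a hardened checklogin.php. It is an added example, not the poster's code or the code from the linked video, and it assumes PHP 5.5 or later with PDO's MySQL driver, a table `users` with columns `username` and `password_hash` (filled with password_hash() output), and placeholder database credentials.

```php
<?php
// Added example of a hardened checklogin.php (not the poster's code).
// Assumes PHP >= 5.5, PDO with the MySQL driver, and a table
// users(username, password_hash) whose hashes were created once with
// password_hash($plain, PASSWORD_DEFAULT). Credentials are placeholders.
session_start();

$dsn     = 'mysql:host=localhost;dbname=database;charset=utf8mb4'; // placeholder
$db_user = 'username';                                             // placeholder
$db_pass = 'password';                                             // placeholder

try {
    $pdo = new PDO($dsn, $db_user, $db_pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
} catch (PDOException $e) {
    // Log the detail server-side; never echo it, it can reveal host and user names.
    error_log('DB connection failed: ' . $e->getMessage());
    exit('Service unavailable');
}

$myusername = isset($_POST['myusername']) ? $_POST['myusername'] : '';
$mypassword = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';

// The username is bound as a parameter, so whatever it contains is treated as
// data and cannot alter the structure of the SQL statement.
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
$stmt->execute([$myusername]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The password is checked against the stored hash in PHP; the clear-text
// password is never stored and never appears in a query.
if ($row !== false && password_verify($mypassword, $row['password_hash'])) {
    session_regenerate_id(true);            // new session id on login (anti-fixation)
    $_SESSION['myusername'] = $myusername;  // keep only the identity in the session, not the password
    header('Location: /login_success.php');
    exit;                                   // stop, or the script keeps running after the redirect
}

// Identical response for unknown user and wrong password.
http_response_code(401);
echo 'Wrong Username or Password';
```

The protected page would then test `isset($_SESSION['myusername'])` after `session_start()` instead of the removed session_is_registered().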