PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Loading
It is currently Fri May 29, 2020 9:04 am

All times are UTC - 5 hours




Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Sat Feb 11, 2012 7:16 pm 
Offline
Forum Newbie

Joined: Sat Feb 11, 2012 7:13 pm
Posts: 6
Syntax: [ Download ] [ Hide ]
<?
include "config.php";
include "functions.php";
session_start();
       
$t = time()+3600;
$datetime = date("Y-m-d H:i:s", $t);
$ip_address = $_SERVER['REMOTE_ADDR'];
       
if (!$PHP_AUTH_USER) {
        header('WWW-Authenticate: Basic realm="Control Panel"');
}
else {
        $password = crypt($PHP_AUTH_PW);                                                                                                                        // Encrypt the inputed password for comparison
        $query = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'",
        mysql_escape_strings($PHP_AUTH_USER),
        mysql_escape_strings($password));

        $result = mysql_query($query);
        $row = mysql_fetch_array($result);

        if (mysql_num_rows($result) != "1") { // No user or pass found - incorrect entry
                error_msg(1);
                $err = 1;                                                      
        }
        elseif (mysql_num_rows($result)) {                              // User was found
                $_SESSION['admin_name'] = $PHP_AUTH_USER;       // Set session name to username
                $crt = 1;                                                                       // Allow into control panel
        }
        else {
                error_msg(1);
                $err = 1;
        }
}
if ($crt) {
        header("Location: home.php");
}
?>
 

Please let me know how secure this will be in it's current state! Thanks guys :)

EDIT: Changed the script slightly.


Top
 Profile  
 
PostPosted: Sun Feb 12, 2012 4:43 pm 
Offline
DevNet Master
User avatar

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


Top
 Profile  
 
PostPosted: Sun Feb 12, 2012 5:44 pm 
Offline
Forum Newbie

Joined: Sat Feb 11, 2012 7:13 pm
Posts: 6
I'll definitely search for using other hash functions.

That was indeed supposed to be mysql_escale_string() as opposed to strings - a typo when I was tired, thanks for pointing that out though. I'll definitely read up session_regenerated_id(); - I haven't worked with PHP in some years, so things have seemed to have changed quite a bit!

I appreciate the information, thank you!


Top
 Profile  
 
PostPosted: Sun Feb 12, 2012 10:08 pm 
Offline
Moderator
User avatar

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
No need for another hashing function as such, just consider using Blowfish with crypt().

_________________


Top
 Profile  
 
PostPosted: Mon Feb 13, 2012 2:21 am 
Offline
DevNet Master
User avatar

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

Here is an article you can read on using the function

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


Top
 Profile  
 
PostPosted: Wed Feb 15, 2012 9:42 am 
Offline
DevNet Master
User avatar

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group