login Scripts

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

dhossai
Forum Newbie
Posts: 6
Joined: Mon Apr 30, 2007 6:07 pm

login Scripts

Post by dhossai »

[color=green]Everah | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]

[color=green]Everah | Edited to change AOL speak to English.[/color]
[quote="[url=http://forums.devnetwork.net/viewtopic.php?t=30037]Forum Rules[/url] Section 1.1"][b]11.[/b] Please use proper, complete spelling when posting in the forums. AOL Speak, leet speak and other abbreviated wording can confuse those that are trying to help you (or those that you are trying to help). Please keep in mind that there are many people from many countries that use our forums to read, post and learn. They do not always speak English as well as some of us, nor do they know these aberrant abbreviations. Therefore, use as few abbreviations as possible, especially when using such simple words.

Some examples of what not to do are ne1, any1 (anyone); u (you); ur (your or you're); 2 (to too); prolly (probably); afaik (as far as I know); etc.[/quote]

Hi Fellows.
I hope someone would advise me on this. I am a novice and trying to create the login scripts. I found some on the net at http://www.plus2net.com/php_tutorial/update_profile.php which has the whole process, e.g. login, forgot password, change password and update password as well. In this group of scripts it uses two session files. One is called session.php and the other one is called newsession.php. I have added both files here for you to view, but can [s]u pls[/s] [size=200][color=green]you please[/color][/size] let me know, using this process, how secure the session id is from being exploited. And it includes the session file in every login and password related file.

Session.php:

Code:

<?php
// Start (or resume) the session and register the global variable $session
// with it; with register_globals on, $session is restored on every page
// that includes this file.
session_start();
session_register("session");
?>
And newsession.php:

Code:

<?php
//error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);
// Store the current session id and the userid that loginck.php received from
// the form (via register_globals) in the $session variable registered in session.php.
$session['id']=session_id();
$session['userid']=$userid;
//echo $session['userid'];
?>
This is the loginck.php file which runs after submit:

Code:

<?

include "include/session.php";

include "include/z_db.php";
//////////////////////////////
?>
<!doctype html public "-//w3c//dtd html 3.2//en">

<html>

<head>
<title>(Type a title for your page here)</title>
<meta name="GENERATOR" content="Arachnophilia 4.0">
<meta name="FORMATTER" content="Arachnophilia 4.0">
</head>

<body bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#800080" alink="#ff0000">
<?
// $userid and $password are the submitted form fields; this script relies on
// register_globals to populate them, nothing reads $_POST.
$userid=mysql_real_escape_string($userid);
$password=mysql_real_escape_string($password);

// Looks up the row by userid and the password exactly as typed, so the
// password column is compared as plain text.
if($rec=mysql_fetch_array(mysql_query("SELECT * FROM plus_signup WHERE userid='$userid' AND password = '$password'"))){
    if(($rec['userid']==$userid)&&($rec['password']==$password)){
        include "include/newsession.php";
        echo "<p class=data> <center>Successfully,Logged in<br><br><a href='logout.php'> Log OUT </a><br><br><a href=welcome.php>Click here if your browser is not redirecting automatically or you don't want to wait.</a><br></center>";
        print "<script>";
        print " self.location='welcome.php';"; // Comment this line if you don't want to redirect
        print "</script>";
    }
}
else {
    session_unset();
    echo "<font face='Verdana' size='2' color=red>Wrong Login. Use your correct  Userid and Password and Try <br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}
?>

</body>

</html>
And this is the welcome.php file:

Code:

<?

include "include/session.php";
?>
<!doctype html public "-//w3c//dtd html 3.2//en">

<html>

<head>
<title>(Type a title for your page here)</title>

<meta name="GENERATOR" content="Arachnophilia 4.0">
<meta name="FORMATTER" content="Arachnophilia 4.0">
</head>

<body bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#800080" alink="#ff0000">
<?
// $session is restored from the session store because session.php registered
// it; the userid is echoed into the page without escaping.
echo "<center><font face='Verdana' size='2' >Welcome userid=$session[userid]<br><br>You must see your userid here (above) <br><br><br>Click <a href=logout.php>here to logout</a><br></center></font>";

?>

</body>

</html>

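The session.php / newsession.php pair above is what the question is really asking about, so here is the same functionality written against $_SESSION, as an added example that is not part of the original post or of the plus2net tutorial it quotes. session_register() and register_globals were removed in PHP 5.4, so the $session global the tutorial relies on no longer exists; state that must survive between requests goes in $_SESSION. The function names, the login.php redirect target, and the assumption that the site is served over HTTPS (needed for the secure cookie flag) are mine, not the tutorial's.

```php
<?php
// Added example, not from the original post or the plus2net tutorial:
// a $_SESSION-based replacement for session.php and newsession.php.
// Function names are assumptions; the tutorial has no equivalents.

// Replacement for include/session.php: start the session with hardened settings.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Discard session ids the client supplies that PHP did not itself create,
    // so a visitor cannot pick the id their own session will run under.
    ini_set('session.use_strict_mode', '1');
    // The id travels only in the cookie, never in a URL parameter.
    ini_set('session.use_only_cookies', '1');
    // Cookie is invisible to JavaScript and sent over HTTPS only
    // (assumes the site is served over HTTPS).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Replacement for include/newsession.php: call only after the credentials
// have been verified by the login script.
function establish_login_session(string $userid): void
{
    // Issue a new id at the privilege change so an id that existed before
    // login (and may already have been seen) is not upgraded to an
    // authenticated one.
    session_regenerate_id(true);
    $_SESSION['userid']     = $userid;
    $_SESSION['login_time'] = time();
}

// Guard used by welcome.php and the password pages: null when not logged in.
function current_userid(): ?string
{
    return isset($_SESSION['userid']) ? (string) $_SESSION['userid'] : null;
}

// Replacement for logout.php: clear server-side data and expire the cookie.
function destroy_login_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// What welcome.php does with these helpers: redirect anonymous visitors and
// HTML-escape the userid before echoing it (the tutorial echoes it raw).
function render_welcome(): void
{
    start_secure_session();
    $userid = current_userid();
    if ($userid === null) {
        header('Location: login.php');   // assumed login form location
        exit;
    }
    echo 'Welcome userid=' . htmlspecialchars($userid, ENT_QUOTES, 'UTF-8');
}
```

The two settings that answer the "how secure is the session id" question are session.use_strict_mode, which makes PHP ignore an id it never issued, and session_regenerate_id(true) at login, which makes the pre-login id worthless even if it was observed. The tutorial's newsession.php does neither: it keeps whatever id the browser arrived with and simply attaches the userid to it.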
Z3RO21
Forum Contributor
Posts: 130
Joined: Thu Aug 17, 2006 8:59 am

Post by Z3RO21 »

This script uses a lot of deprecated syntax (i.e. session_register()); this script also uses registered globals in the newsession.php script. It also seems to be using plain-text passwords in the database. Sorry I cannot elaborate on these issues more, but I am sure I have seen other topics that cover this. Good luck.
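The three points in the reply above (deprecated session_register(), register_globals, plain-text passwords) in code, as an added example that is not part of this thread or of the plus2net script: the database half of loginck.php rewritten with PDO prepared statements and password_hash()/password_verify(). The mysql_* functions the original uses were removed in PHP 7.0. It assumes a column plus_signup.password_hash in place of the clear-text password column, and the DSN and credentials are placeholders.

```php
<?php
// Added example, not code from the thread or from the plus2net script it
// discusses: loginck.php's credential check with prepared statements and
// hashed passwords. Assumed schema: plus_signup(userid VARCHAR(64) PRIMARY KEY,
// password_hash VARCHAR(255)). DSN and credentials below are placeholders.

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4',   // placeholder
        'example_user',                                              // placeholder
        'example_password',                                          // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
        ]
    );
}

// Signup path: store only a salted bcrypt hash, never the password itself.
function register_user(PDO $pdo, string $userid, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO plus_signup (userid, password_hash) VALUES (?, ?)');
    $stmt->execute([$userid, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login check: the userid is bound as a parameter, so no escaping step is
// needed and it can never change the query; the comparison inside
// password_verify() is constant-time.
function verify_login(PDO $pdo, string $userid, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM plus_signup WHERE userid = ?');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Re-hash transparently if the default algorithm or cost has moved on.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE plus_signup SET password_hash = ? WHERE userid = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $userid]);
    }
    return true;
}

// Request handler replacing the PHP body of loginck.php. Credentials are read
// from $_POST explicitly instead of arriving as globals, and the same error
// is returned whether the userid or the password was wrong.
function handle_login(PDO $pdo): void
{
    $userid   = (string) ($_POST['userid'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if ($userid === '' || $password === '' || !verify_login($pdo, $userid, $password)) {
        http_response_code(401);
        echo 'Wrong login. Use your correct userid and password and try again.';
        return;
    }

    session_regenerate_id(true);      // fresh id at the privilege change
    $_SESSION['userid'] = $userid;
    header('Location: welcome.php');
    exit;
}

// Usage from the form handler: session_start(); handle_login(db());
```

Compared with the original query, there is no second in-PHP comparison of userid and password after the SELECT: once the row is fetched by bound userid and the hash verifies, that is the whole check, and the password never reaches the database in clear text at signup or at login.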