Login security
Posted: Mon May 28, 2007 4:31 am
Hi all
I'm worried about login security of my script, so I'm asking if somebody could check code and give me some advices on security
Here is code:
regards
I'm worried about login security of my script, so I'm asking if somebody could check code and give me some advices on security
Here is code:
Code: Select all
<?
session_start();
function filter($string)
{
if (!$conn)
{
include("../con_db.php");
}
$forbiden=array("SELECT", "DELETE", "UPDATE", "INSERT", "insert", " or ", " OR ", "select", "delete", "update", "{", "}", "[", "]", "(", ")", "&", "#", "$", "!", "=", "%");
$change = "";
$filtered = str_replace($forbiden, $change, $string);
return mysql_real_escape_string($filtered);
}
?>
<?
if(isset($_POST['prihvati']))
{
if(isset($_SESSION['nastavnik']))
{
$nastavnik = $_SESSION['nastavnik'] ;
}
if((isset($_POST['nastavnik'])) and (isset($_POST['lozinka'])))
{
$kor_ime = filter($_POST['nastavnik']);
$loz = filter($_POST['lozinka']);
$lozinka = md5($loz);
include("../admin/con_db.php");
$sel = "SELECT * FROM nastavnici where email = '$kor_ime' and lozinka_md5 = '$lozinka'";
$quer = mysql_query($sel);
$row = mysql_fetch_array($quer);
$nastavnik = $_SESSION['nastavnik'] = $row["id"];
$nivo = $_SESSION['nivo'] = $row["nivo"];
$Ime = utf8_decode(stripslashes($row["ime"]));
$Prezime = utf8_decode(stripslashes($row["prezime"]));
}
if(isset($nastavnik))
{
include("../admin/con_db.php");
$sel = "SELECT * FROM nastavnici where id='$nastavnik'";
$quer = mysql_query($sel);
$row = mysql_fetch_array($quer);
$nastavnik = $_SESSION['nastavnik'] = $row["id"];
$nivo = $_SESSION['nivo'] = $row["nivo"];
$Ime = utf8_decode(stripslashes($row["ime"]));
$Prezime = utf8_decode(stripslashes($row["prezime"]));
}
if(empty($nastavnik))
{
echo "<br>";
echo "Došlo je do greške u autorizaciji korisnika.";
echo "<br>";
echo "Postoji mogućnost nekoliko grešaka.";
echo "<br><br>";
echo "<li>korisničko ime ili lozinka koju ste upisali ne nalazi se u bazi podataka, ili je pogrešno upisana.</li>";
echo "<br><br>";
echo "<li>razlika je u velikim/malim slovima u lozinci.</li></ul>";
echo "<br>";
echo "<br>";
print "Molim probajte <a href='index.php'>ponovo</a>";
session_destroy();
}
else
{
echo "Dobrodošli " . $Ime . " " . $Prezime;
echo "<br>\n" . "<br>\n" . "PriÄŤekajte trenutak ..........";
echo "<meta http-equiv=\"refresh\" content=\"1;URL='main.php'\">\n";
}
}
?>