user login/validation script
Posted: Wed Sep 26, 2007 3:56 pm
I cobled together a simple user validation/login script using a mySQL database and PHP sessions. I seem to work OK but I'm not sure that it is as secure/safe or fast as it can be. It seems a bit slower in Firefox than IE. Comments welcome.
Include2.php contains the following code...
Code: Select all
<?php
session_start();
$logoff = (empty($_REQUEST["logoff"])) ? "" : $_REQUEST["logoff"] ;
$userName = (empty($_REQUEST["userName"])) ? "" : $_REQUEST["userName"] ;
$userPassword = (empty($_REQUEST["userPassword"])) ? "" : $_REQUEST["userPassword"] ;
$userSession = (empty($_SESSION["userSession"])) ? "" : $_SESSION["userSession"] ;
$message = "";
// set error reporting
error_reporting(E_ALL);
ini_set('display_errors', 1);
// user makes attempt to login
if ( $userName <> '' && $userPassword <> '')
{
$valid_user = fnValidateUser($userName,$userPassword);
if ($valid_user==1)
{
$_SESSION['userSession'] = $userName;
$_REQUEST["userName"] ='';
$userSession = $userName;
$message = '';
}
else
{
$_SESSION['userSession'] = '';
$_REQUEST["userName"] ='';
$_REQUEST["logoff"] ='';
$userSession = '';
$message = 'Username/password incorrect';
}
}
// show login screen if logout requested or not currently logged in
if ($logoff == 'Y' || $userSession == '')
{
if ($userSession <> '')
{
session_destroy();
$userSession ='';
$_SESSION["userSession"] ='';
}
$_REQUEST["logoff"] ='';
$_REQUEST["userName"] ='';
fnGetlogin($message);
}
// successfully signed in
if ($userSession <> '')
{
echo $userSession . ' is logged in <br>';
echo "<a href = 'secure3.php?logoff=Y' >logoff</a> ";
echo "<a href = 'secure4.php' >another page</a>";
}
// show login screen
function fnGetlogin($message)
{
echo "<p align='center'><font color=red>" . $message . "</font></p>";
echo <<<EOT
<form action="secure3.php" method="post">
<p align="center">Please login to access this document.</p>
<table align="center" border="0">
<tr>
<th>
Username:
</th>
<th>
<input type="text" name="userName">
</th>
</tr>
<tr>
<th>
Password:
</th>
<th>
<input type="password" name="userPassword">
</th>
</tr>
<tr>
<th colspan="2" align="right">
<input type="submit" value="Login">
</form>
</th>
</tr>
</table>
</body>
</html>
EOT;
}
// function to validate username & password against SQL database
function fnValidateUser($userName,$userPassword)
{
// get database parameters
include_once("include2.php");
//echo $userName . $userPassword. '<br><br><br><br>';
$db = mysql_connect($host, $user, $password) or die("Could not connect.");
if(!$db)
die("no db");
if(!mysql_select_db($database,$db))
die("No database selected.");
$sql = mysql_query("SELECT password FROM member WHERE username = '$userName'");
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);
if($numrows != "0" & $userPassword == $fetch_em["password"])
{
$valid_user = 1;
}
else
{
$valid_user = 0;
}
return $valid_user;
}
?>Code: Select all
<?php
if ($_SERVER['DOCUMENT_ROOT'] =='/var/www/html')
{
$host = 'localhost' ;
$user = 'xxx' ;
$password = "xxx" ;
$database = "xxx" ;
$file1 = "xxxx" ;
}
// test server
if ($_SERVER['DOCUMENT_ROOT'] == 'C:/xampp/htdocs')
{
$host = 'localhost' ;
$user = 'xxx' ;
$password = "xxx" ;
$database = "xxx" ;
$file1 = "xxxx" ;
}
$LF = chr(13) . chr(10) ;
$quote = "'";
$q = "'";
$dq = "\"";
$comma = ", ";
$db = mysql_connect($host, $user, $password) or die("Could not connect.");
if(!$db)
die("no db");
if(!mysql_select_db($database,$db))
die("No database selected.");
if(!get_magic_quotes_gpc())
{
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{
$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);
$_COOKIE = array_map('stripslashes', $_COOKIE);
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
?>