help me improve my login script please

paulj000 · #1 (**permalink**) 08-11-03, 04:11 AM

Hi,

I have made a working login script that checks stuff against a database and then redirects to the appropriate subdirectory if there is a username/password match. If match is found then session variable for the specific subdirectory is set and is continuously checked each time a protected page is requested later and checked again for a match or the user is kicked out.

I had a real hard time making this and I am sure there are ways to improve what I have. This is how I need your help.

Here is the login page code and the processing page (proc.php) code:

Code:

CONTENTS OF INDEX.HTML=========

<form action="proc.php" method="post">
<input type="text" class="input" name="username">
<input type="password" class="input" name="password"">
<input type="submit" class="send" value="L O G I N">
</form>

PHP Code:


			
CONTENTS OF PROC.PHP===========

<?

session_start();

$username = $_POST['username'];

$password = $_POST['password'];

include ("dbconnect.php");// supplies credentials to connect to Database





$sql = "SELECT * FROM logins ";

$sql .= "WHERE user='".$username."';";



$result = mysql_query($sql);

$line = mysql_fetch_array($result, MYSQL_NUM);



$directory = $line[2];

session_register('directory');// this is needed later to look up the validation in DB on each protected page





if ($username == "") { 

header ("Location: index.html"); 

}

if ($password == "") { 

header ("Location: index.html"); 

}



if ($username == $line[0] && $password == $line[1]) { 

    echo '

    <html>

    <head>

    <meta http-equiv="refresh" content="0;URL='.$directory.'">

    </head>

    <body>

    <center>

    

    <h4>Logging In</h4>

    

    <p>please wait...</p>

    

    <center>

    </body>

    </html>

    '; 

}

else { header ("Location: index.html"); }

?>

For starters is this a decent vailidation for initial access checking? Are there slicker ways of doing it?

Thanks - paul

kickinhard007 · #2 (**permalink**) 08-11-03, 08:06 AM

i wouldn't use...
if ($username == "") {
header ("Location: index.html");
}
if ($password == "") {
header ("Location: index.html");
}

do it another way, like...

if ($username == "" & $password =="") {
header ("Location: index.html");
}

paulj000 · #3 (**permalink**) 08-12-03, 05:26 PM

Thank you,

That streamlined my code a bit and works just dandy.

kickinhard007 · #4 (**permalink**) 08-13-03, 03:42 AM

i think the '&' needs to be '&&', on reflection :-)

glad to help.

evo4ever · #5 (**permalink**) 08-14-03, 10:54 PM

I'd do some username validation as well. You've gotta test if the user actually exists in the database. The code which tests the username and password against two db rows for equality is checking if the user exisits yeh? If so, this would be better:

PHP Code:


			
// Using your $result var.



$found_user = @mysql_num_rows($result);



if($found_user > 0){

// do session and header stuff

}

else {

// print a "user not found" error.

}

PS: If your not encrypting your passwords in the db then you should.

PHP Code:


			
// Encrypt the password before it goes in the db:



$password = md5($_POST["password"]); /* you can use crypt() as an alternative. */



// This line of code would be used in the registration script.

webscript · #6 (**permalink**) 08-15-03, 03:51 AM

I use an ASP.NET login system.

I built it myself.

It has these features.

- User Levels (member, vip, admin)
- Database to store usernames and enrypted passwords
- Cookies to start 'session'
- Every page checks cookie for access

- Fully working admin
--- Delete Users
--- Edit Users
--- Only admin level members get access admin
--- Ability to deactivate users

- Internal Message Service (i am still finishing this)

evo4ever · #7 (**permalink**) 08-15-03, 12:58 PM

Correct me if im wrong but this is a PHP board. Not an ASP.NET board. The guy wanted his login script improved by ppl posting some script examples. You failed to do so, you're just explaining what yours can do.

evo4ever · #8 (**permalink**) 08-15-03, 01:07 PM

Webscript, a small note... Your Admin system failed to retrieve my IP address. It's displaying in incorrect one.

My IP: 81.76.151.55
My ISP IP: 195.92.168.35

Your system is displaying: 195.92.168.167

I think this issue needs considering.

YourPHPPro · #9 (**permalink**) 08-15-03, 06:37 PM

Quote:

$username = $_POST['username'];
$password = $_POST['password'];

include ("dbconnect.php");// supplies credentials to connect to Database

$sql = "SELECT * FROM logins ";
$sql .= "WHERE user='".$username."';";

Also, you would need to do some checking on the 'username'. It is not a good idea to query user supplied information from a DB without checking it.

One way to do it would be something like this:

Quote:

$SQL = "SELECT Users_ID, Users_Access FROM users WHERE Users_Name=" . Custom_StripText($login) . " AND Users_Password=" . Custom_StripText($password);
$db->query($SQL);
$Result = $db->next_record();
if($Result) {
SetSession("UserID", $Result("Users_ID"));
SetSession("UserLogin", $login);
SetSession("UserPassword", $password);
SetSession("AccessLevel", $Result("Users_Access"));
}