A good secure login script

Red Hap · 03-12-2003, 07:22 PM

A good Lgin script that I made..It might helpful to some Hosting companies.
<?

$dbusername = "username";
$dbpassword = "password";
$db_name = "database";

// This is the page to show when the user has been logged out

// Page with login form
$login_page = "loginpage";

// Page to show if the user enters an invalid login name or password
$invalidlogin_page = "invalid login page";

//DON'T EDIT ANYTHING BELOW THIS!!!

if ($action == "logout")
{
Setcookie("loginpass","",time() -86400);
Setcookie("loginuser","",time() - 86400);
include($login_page);
exit;
}
else if ($action == "login")
{
if (($username == "") || ($password == ""))
{
include($invalidlogin_page);
exit;
}
else {
//connect
mysql_connect( "localhost", "$dbusername", "$dbpassword") or die( "Unable to connect to server!");
mysql_select_db( "$db_name") or die( "Unable to select database");

//some select queries for registering global variables and verifying user
$query = "SELECT member_id, username, password, status FROM users where username='$username'";
$insert = MYSQL_QUERY($query);
$number = MYSQL_NUMROWS($insert);

if($number != 0) {

$i = 0;
$member_id = mysql_result($insert,$i,"member_id");
$user_db = mysql_result($insert,$i,"username");
$password_db = mysql_result($insert,$i,"password");
$status = mysql_result($insert,$i,"status");

if ($password == $password_db) {
$validuser = "true";
}}
}

}
else
{
if (($HTTP_COOKIE_VARS["loginpass"] == "") || ($HTTP_COOKIE_VARS["loginuser"] == ""))
{
include($login_page);
exit;
}
else if (($HTTP_COOKIE_VARS["loginpass"] != "") || ($HTTP_COOKIE_VARS["loginuser"] != ""))
{
$username = $HTTP_COOKIE_VARS["loginuser"];
$password = $HTTP_COOKIE_VARS["loginpass"];
//connect
mysql_connect( "localhost", "$dbusername", "$dbpassword") or die( "Unable to connect to server!");
mysql_select_db( "$db_name") or die( "Unable to select database");

//some select queries for registering global variables and verifying user
$query = "SELECT member_id, username, password, status FROM users where username='$username'";
$insert = MYSQL_QUERY($query);
$number = MYSQL_NUMROWS($insert);

if($number != 0) {

$i = 0;
$member_id = mysql_result($insert,$i,"member_id");
$user_db = mysql_result($insert,$i,"username");
$password_db = mysql_result($insert,$i,"password");
$status = mysql_result($insert,$i,"status");

if ($password == $password_db) {
$validuser = "true";
}}
}
else
{
include($invalidlogin_page);
exit;
}
}
if ($validuser == "true")
{
Setcookie("loginpass",$password,time() + 86400);
Setcookie("loginuser",$username,time() + 86400);
}
else
{
include($invalidlogin_page);
exit;
}
?>

eHostSpace · 03-13-2003, 04:02 AM

do a http login

XKR · 03-13-2003, 09:46 AM

Good, but fairly basic. Not really all that secure, you don't even use md5() stuff.

BTW, This:

if (($username == "") || ($password == ""))

Is more efficiently typed like this:

if (!$username || !$password)

Adding a "!" before a variable name states that it doesn't exist.

Thread Tools

Rate This Thread

Bookmarks

Use the Right PDU for the Job

Thread: A good secure login script

Thread Tools

Rate This Thread

Bookmarks

Bookmarks

Posting Permissions

Use the Right PDU for the Job