I thought I'd share this, as it may be handy for some people. As far as I can tell, it's protected against most common forms of hacking, SQL injection, cookie theft, etc.
For the MySQL table, use this:
Code:
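-- The table is named login because that is the table the scripts below query.
-- Both columns hold sha1(md5(...)) hex digests, as computed in login.php.
CREATE TABLE `login` (
`username` VARCHAR( 255 ) NOT NULL ,
`password` VARCHAR( 255 ) NOT NULL
) ENGINE = MYISAM ;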
login.php:
PHP Code:
<?php
// Sessions must be started before $_SESSION can be read or written.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
$host = "localhost";
$user = "***";
$pass = "***";
$db = "***"; // name of the database that holds the login table
// Show the login form unless both session values are already set.
if (!isset($_SESSION['uname']) || !isset($_SESSION['passw'])) {
    if (!isset($_POST['submit'])) {
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
Username: <input type="text" name="uname">
<br/>
Password: <input type="password" name="passw">
<input type="submit" name="submit" value="submit">
</form>
<?php
    } else {
        // Both inputs are hashed, so only 40-character hex digests reach the query.
        $uname = sha1(md5($_POST['uname']));
        $passw = sha1(md5($_POST['passw']));
        $connection = mysqli_connect($host, $user, $pass, $db) or die('Could not connect');
        $query = "SELECT * FROM login WHERE username = '$uname' AND password = '$passw'";
        // Generic message so database errors are not shown to visitors.
        $result = mysqli_query($connection, $query) or die('Query failed');
        if (mysqli_num_rows($result) < 1) {
            echo "Access denied.";
        } else {
            $_SESSION['uname'] = $uname;
            $_SESSION['passw'] = $passw;
            //Rest of your script here.
            echo "You are now logged in.";
        }
    }
} else {
    // Already logged in: re-check the stored digests against the table.
    $uname = $_SESSION['uname'];
    $passw = $_SESSION['passw'];
    $connection = mysqli_connect($host, $user, $pass, $db) or die('Could not connect');
    $query = "SELECT * FROM login WHERE username = '$uname' AND password = '$passw'";
    $result = mysqli_query($connection, $query) or die('Query failed');
    if (mysqli_num_rows($result) < 1) {
        echo "There seems to be an error with your cookies and/or sessions. Please clear them and try again.";
    } else {
        //Rest of your script here.
        echo "You were already logged in.";
    }
}
?>
Put your web page in this script to make it visible for logged in members only.
PHP Code:
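<?php
// Start the session so the stored login can be checked.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
// Show the login form unless both session values are present.
if (!isset($_SESSION['uname']) || !isset($_SESSION['passw'])) {
    include("login.php");
} else {
    $host = "localhost";
    $user = "***";
    $pass = "***";
    $db = "***";
    $connect = mysqli_connect($host, $user, $pass, $db) or die('Could not connect');
    $uname = $_SESSION['uname'];
    $passw = $_SESSION['passw'];
    // Re-check the stored digests against the login table on every request.
    $query = "SELECT * FROM login WHERE username = '$uname' AND password = '$passw'";
    $result = mysqli_query($connect, $query) or die('Query failed');
    if (mysqli_num_rows($result) < 1) {
        include("login.php");
    } else {
        //Your web page here.
        echo "You were already logged in.";
    }
}
?>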
This is all 100% made by me.
I haven't made a register page for this, as I will be the only one who has access to the restricted area on my site, so there is no need for registering. But if anyone wants a register page, I'd be happy to write it for you.
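
Added example, not part of the original post and not the poster's code: the same `login` table checked with a salted `password_hash()` value in place of `sha1(md5())`, a prepared statement with bound parameters, and a session that is given a fresh ID on login and stores only the username. It assumes PHP 7.3 or later with PDO and uses an in-memory SQLite database so it runs offline; the function names `register_user`, `check_login` and `login` and the sample account are made up for illustration.

```php
<?php
// Added example; function names and sample data are assumptions, not from the post.
$pdo = new PDO('sqlite::memory:'); // in-memory stand-in for the MySQL database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (username VARCHAR(255) NOT NULL PRIMARY KEY,
                                password VARCHAR(255) NOT NULL)');
// Hash compared against when the username is unknown, so both paths do equal work.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

// Store a salted, deliberately slow hash; password_hash() picks the salt itself.
function register_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Bound parameters keep the username out of the SQL text entirely.
function check_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    $known = is_string($hash);
    $match = password_verify($password, $known ? $hash : DUMMY_HASH);
    return $known && $match;
}

// On success, switch to a fresh session ID and store only the username.
function login(PDO $pdo, string $username, string $password): bool
{
    if (!check_login($pdo, $username, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['uname'] = $username;
    return true;
}

// Keep the session cookie away from scripts and plain-HTTP requests.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
register_user($pdo, "o'brien", 'correct horse'); // constructed sample account
$results = [
    login($pdo, "o'brien", 'correct horse'), // right password
    login($pdo, "o'brien", 'wrong'),         // wrong password
    login($pdo, 'nobody', 'correct horse'),  // unknown user
];
var_dump($results);
```

Because the session holds only the username, a protected page needs nothing more than `isset($_SESSION['uname'])` after `session_start()`, and no password digest is kept in session storage.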