PHP/HTML Help

post #1 of 2
Thread Starter 
I am currently trying to create a "sign in" page for our website and am having a hard time with the PHP code for checking username/password, and the redirect section if the username/password is correct. Any help would be much appreciated.[CODE]
<?php
// The PHP runs before any HTML is sent, otherwise header() cannot issue the redirect later on.

// Database credentials (placeholder values from the original post)
$username = "username";
$password = "password";   // the original was missing this semicolon
$hostname = "hosting";

// Connect and select the database; the handle must stay open until the login check has run,
// so the mysql_close() that the original placed here has been moved to the end of the script.
$dbhandle = mysql_connect($hostname, $username, $password)
    or die("Unable to connect to MySQL");

$selected = mysql_select_db("database", $dbhandle)
    or die("Could not select database");

// Table holding the user accounts (name assumed; the original read "$this -->login", which is garbled)
$login_table = "login";

// The original called methods on $this from a class it did not include, so the helpers
// are written here as plain functions that take the connection as a parameter.
function HandleError($msg)
{
    echo htmlspecialchars($msg);
}

function SanitizeForSQL($value, $dbhandle)
{
    // Escape the value for use inside a quoted SQL string literal
    return mysql_real_escape_string($value, $dbhandle);
}

function CheckLoginInDB($username, $password, $dbhandle, $login_table)
{
    // The original hashes the password with MD5 and compares it with the stored value
    $username = SanitizeForSQL($username, $dbhandle);
    $pwdmd5 = md5($password);
    $qry = "SELECT username, password FROM $login_table " .
           " WHERE username='$username' AND password='$pwdmd5' " .
           " AND confirmcode='y'";

    $result = mysql_query($qry, $dbhandle);

    // A failed query or zero matching rows both mean the login is rejected
    // (the original's condition was missing the "<= 0" and the closing parenthesis)
    if (!$result || mysql_num_rows($result) <= 0) {
        HandleError("Error logging in. " .
                    "The username or password does not match");
        return false;
    }
    return true;
}

function Login($dbhandle, $login_table)
{
    // Form field names 'username' and 'password' are assumed; the array keys were lost from the original
    if (empty($_POST['username'])) {
        HandleError("UserName is empty!");
        return false;
    }

    if (empty($_POST['password'])) {
        HandleError("Password is empty!");
        return false;
    }
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);

    // The original called CheckLoginInDB() here but defined CheckLoginDB(); the names now match
    if (!CheckLoginInDB($username, $password, $dbhandle, $login_table)) {
        return false;
    }

    session_start();
    // Session key 'username' assumed in place of the undefined $this->GetLoginSessionVar()
    $_SESSION['username'] = $username;
    return true;
}

// REDIRECT SECTION: only redirect after a successful login. http_redirect() is a PECL
// extension and is not available by default; the standard Location header does the same job.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && Login($dbhandle, $login_table)) {
    mysql_close($dbhandle);
    header("Location: http://fpm.basicresourcesinc.com");
    exit;
}
mysql_close($dbhandle);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Flux Price Matrix</title>
</head>
<body>
<h1>Flux Price Matrix</h1>
<!-- Form markup reconstructed from the labels that survived; field names are assumed -->
<form method="post" action="">
<label>Username <input type="text" name="username" /></label>
<label>Password <input type="password" name="password" /></label>
<input type="submit" value="Sign in" />
</form>
</body>
</html>
[/code]
post #2 of 2
If it's just for a private area on an otherwise static HTML site, then you'd be better off with basic HTTP auth.

However, if you need to store the passwords in your database then don't use MD5 - that's as good as having your passwords unencrypted. You need to bcrypt a SHA-512 hash and to add your own salt. There are plenty of guides for bcrypt in PHP online.

Also, if users are known beforehand (e.g. like on messageboards, you can see people's user names without logging in - just by reading the public threads), then you might as well just tell people that the password doesn't match. I know it's standard practice to give a vague "username or password does not match", but in those instances, attackers would already know whether the username is valid and people who have forgotten their login wouldn't know which value is correct. So you're adding complexity for legitimate users without adding any security against attacks.
Edited by Plan9 - 6/13/13 at 2:05am
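A hardened version of the thread starter's login check, added here as an illustration rather than code from either poster. It replaces MD5 with PHP's password_hash()/password_verify() (PHP 5.5+), which applies bcrypt with a random per-user salt and so covers the salting the reply asks for, uses a mysqli prepared statement instead of string-built SQL, and sends the redirect before any output. The table and column names (`login`, `username`, `password_hash`, `confirmcode`), the form field names and the connection details are assumptions.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: table `login` with columns `username`, `password_hash`, `confirmcode`;
// form fields named `username` and `password`; $db is an open mysqli connection.

// Run once when an account is created or its password changes: bcrypt with a
// random per-user salt, so two users with the same password get different hashes.
function makePasswordHash($plaintext)
{
    return password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => 12));
}

// True only when the account exists, is confirmed, and the password verifies.
function checkLogin(mysqli $db, $username, $password)
{
    // Prepared statement: the username is a bound parameter, never part of the SQL text.
    $stmt = $db->prepare(
        "SELECT password_hash FROM login WHERE username = ? AND confirmcode = 'y'");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    // Verify against a throwaway hash when the user is unknown, so the unknown-user
    // and wrong-password paths cost roughly the same amount of time.
    $hashToCheck = $found ? $storedHash : makePasswordHash('placeholder-password');
    $ok = password_verify($password, $hashToCheck);
    return $found && $ok;
}

session_start();
$db = new mysqli('hosting', 'username', 'password', 'database'); // placeholder credentials

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['username']) ? trim($_POST['username']) : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';

    if ($user !== '' && $pass !== '' && checkLogin($db, $user, $pass)) {
        session_regenerate_id(true);      // fresh session id once the user is authenticated
        $_SESSION['username'] = $user;
        header('Location: http://fpm.basicresourcesinc.com'); // must precede any output
        exit;
    }
    $error = 'The username or password does not match';  // shown by the form below (not included)
}
```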