Hello all,
Is it normal when someone can log in just by typing the variables in the URL:
www.example.com/login.php?seller=cooler&password=secret
I have a login script where I can just type something like the above into the URL and I would be able to log in.
Can someone point me in the right direction on this?
Here is my login script:
function loginCheck()
{
    global $current_user, $sellername, $sellerpassword, $sql, $result, $seller;
    if ($current_user == "" AND $sellername == "")
    {
        //display form here
    }
    elseif ($sellername != "" OR $current_user != "")
    {
        global $current_user, $sellername, $sellerpassword, $sql, $result, $seller;
        $sql = "SELECT * FROM sellers WHERE seller='$sellername' and sellerpass = PASSWORD('$sellerpassword')";
        $result = mysql_query($sql)
            or die("Couldn't execute query.");
        $num = mysql_numrows($result);
        if ($num == 1) {
            global $current_user, $sellername, $sellerpassword, $sql, $result, $seller;
            session_register("sellername");
            session_register("sellerpassword");
        } else if ($num == 0)
        {
            //Sorry, password is wrong, cannot log in.
        }
    }
}
Your help is greatly appreciated, thank you.
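
An added example, not part of the original post: the script above never reads `$_POST` and relies on PHP's `register_globals` setting, which fills `$sellername` and `$sellerpassword` from any request source, including the URL query string. A version of the check that accepts credentials only from a POST body, assuming a PDO connection and a `sellerpass` column that holds `password_hash()` output (both are assumptions, and the demo table is constructed):

```php
<?php
// Added example, not the poster's code. Assumed: PDO, password_hash() storage.
function loginCheck(PDO $db, string $method, array $post): bool
{
    // Credentials are taken from the POST body only; a query string such as
    // ?seller=...&password=... never reaches this function's inputs.
    if ($method !== 'POST') {
        return false;
    }
    $name = $post['sellername'] ?? '';
    $pass = $post['sellerpassword'] ?? '';
    if (!is_string($name) || !is_string($pass) || $name === '' || $pass === '') {
        return false;
    }

    // Bound parameter instead of interpolating the name into the SQL string.
    $stmt = $db->prepare('SELECT seller, sellerpass FROM sellers WHERE seller = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored password_hash() value.
    if ($row === false || !password_verify($pass, $row['sellerpass'])) {
        return false;
    }

    // Store only the seller name in the session, never the password.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session id after login
    }
    $_SESSION['sellername'] = $row['seller'];
    return true;
}

// Constructed demo data in an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sellers (seller TEXT PRIMARY KEY, sellerpass TEXT)');
$db->prepare('INSERT INTO sellers VALUES (?, ?)')
   ->execute(['cooler', password_hash('secret', PASSWORD_DEFAULT)]);

$form = ['sellername' => 'cooler', 'sellerpassword' => 'secret'];
var_dump(loginCheck($db, 'GET', []));      // request carrying values in the URL
var_dump(loginCheck($db, 'POST', $form));  // form submission
var_dump(loginCheck($db, 'POST', ['sellername' => 'cooler', 'sellerpassword' => 'x']));
```

In a page this would be called as `loginCheck($db, $_SERVER['REQUEST_METHOD'], $_POST)` after `session_start()`.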