login...

bike5

Let me know what I can do to make it better. Thanks.

<?
@session_start();
//Display error on max login attempts
if($_SESSION['fail_count']>4)die('If you lost your password, 
you can submit a request to change your password in the form.');
//Verify submit button was pressed with intent to login
if(isset($_POST['sent']) == "true" && 
isset($_POST['login_name']) != '' && isset($_POST['login_password']) != '')/* Verifies that the submit button was pushed */
{
@require('include/user_cnt.php')or die('Error: 505, please report in form');
$pass = md5($_POST['login_password']);
//clean user input
$name = htmlspecialchars(strip_tags(trim($_POST['login_name']),''),ENT_QUOTES);
//check to see if there are any matches
$Result = mysql_query("SELECT user_id FROM rpg_user WHERE user_char_name='$name' AND 
user_password='$pass' LIMIT 1") or die(mysql_error());
$count= mysql_num_rows($Result);
if($count>0)
{
//update the current time
$time = date("U");
mysql_query("UPDATE rpg_user SET user_time_now = '$time' WHERE user_char_name='$name' AND 
user_password='$pass' LIMIT 1") or die(mysql_error()); 
//send to check activity of account
header("Location: login_vf.php?name=$name");
die();
} else {
//add 1 to login failuers
$_SESSION['fail_count']++;
echo'Login name AND/OR password was incorrect, please try again.<br>
Failed Attempts: '.$_SESSION['fail_count'].'<br>
You are only allowed 5 attempts';
//sets variable to reload the login form
$try_again = true;
}
}
?><html>
....... login form

drag0n

add some sql injection protection 🙂

bike5

How would I do that. Could you point me to another post or article and explain how so I can read over it please. Thanks.

Do you mean addslashes? So..

$name = htmlspecialchars(strip_tags(trim(addslashes($_POST['login_name'])),''),ENT_QUOTES);

drag0n

keywords such as: SELECT *, INSERT, etc

lilleman

The best way to protect yourself from SQL injections is to use [man]mysql_escape_string/man to escape characters that MySQL consider special.

-- lilleman

bike5

I made a badwords array and loop through it deleting out any matching which is working nice.

I tried mysql_escape_string and in the example on php.net, inserting a ' should produce \'
but when I typed in "test's" it outputted test\\'s .
How come it is taking " ' " and outputing " \\' " instead of just " \' "?

lilleman

Maybe you're using both addslashes() and mysql_escape_string() by mistake?

-- lilleman

bike5

I am using that but I commented out all my other formatting so it shouldn't be running the addslashes. Is there a list of what exactly mysql_escape_string() does. Because if that is going to mess up with addslashes, will leaving out one or the other effect anything because mabey one also does something that the other doesn't?

I mean should I take the addslashes out and just use mysql_escape_string() or keep add slashes and forget mysql_escape_string()?

mrhappiness

$text = get_magic_quotes_gpc() ? stripslashes($text) : $text;
$text = mysql_escape_string($text);

bike5

Thank you. So now I have:

$name = get_magic_quotes_gpc() ? stripslashes($name) : $name;
$name = mysql_escape_string($name);
$name = htmlspecialchars(strip_tags(trim($_POST['login_name']),''),ENT_QUOTES);
/*it also runs through and takes out
'select','insert','drop','update',';','\*','query',

'<','>','-','!' along with a list of curse words ;)*/

Is there anything else I should add / edit / delete?
Or does that look good to strip out any harmful input.

Thanks again.

mrhappiness

$name = get_magic_quotes_gpc() ? stripslashes($name) : $name;
$name = mysql_escape_string(htmlentities($name));

should be enough

maybe you should look for multiple commands joined together with ; but i don't see anything more todo