Password Protected Pages - How to Increase Security

transfield

Hello,
My situation:-
I have a login page which requires a username & password to log in. I am concerned that someone is trying to hack into this page & would like to know how to increase my security features.

Explanation on the functions of my login page:-
It requires the customer to enter his username & password, agree to the terms & conditions and hit the submit button. The customer's username & password is stored in a MySql database. Upon a successful log in, the date, time & customers email address is captured as a log file & sent to me via email everyday. The full code is displayed below.

<?php
session_start();
$username="abc123";
$password="abc123";
$database="abc123";
$host="localhost";
$pass=$_POST['pass'];
$user=$_POST['user'];
$r1 = $_POST['R1']; //this is a radio button to remember the customer's password(set a cookie)
$r2 = $_POST['R2']; //this is a radio button to force the customer to select "I Agree'(terms & conditions) 

mysql_connect ("$host","$username","$password");
mysql_select_db($database) or die( "Where's the database man?");
$query = "SELECT * FROM customers WHERE username = '$user' AND password = '$pass'";

//The next 5 lines determines whether the customer subscription has expired or not
$hetke_now = mysql_query("SELECT NOW()");
$hetke_kuup_now= mysql_fetch_row($hetke_now);
$deit = mysql_query("SELECT expiry FROM customers WHERE username = '$user' AND password = '$pass' AND active ='ENABLED'");
$deitexp = mysql_fetch_row($deit);
if($deitexp[0]== $hetke_kuup_now[0] || $deitexp[0]< $hetke_kuup_now[0]) die('Wrong username / password or your membership has probably expired.');

$result = mysql_query($query);
if ($r2=='V2') // If customer selects the 'I Agree' radio button
{
	if ($r1=='V1') // If customer wants his password to be remembered via a cookie
	{
	setcookie(robert, date("G:i - m/d/y"), time()+86400); 
	}
$_SESSION['passwordprotect'] = mysql_result($result,0,"email");
$mysql_result = mysql_result($result,0,"email");
$mktime = date('l dS \of F Y h:i:s A');
$query2=("INSERT INTO logs (timenow, email) VALUES ('$mktime','$mysql_result')"); // Capture the customer's email address and date & time of login.
$result2=mysql_query($query2);
header('Location:query_form1.php');
}
else
{
$_SESSION['termswrong'] = 1;
header('Location:login1.php');
} 
?>

What makes me suspect hacking activities:-
The normal log file I receive would look like this.

dgr@pd.jaring.my; Wednesday 19th of April 2006 08:30:33 PM
dgr@pd.jaring.my; Thursday 20th of April 2006 08:39:16 AM

The log file I received today looks like this.

; Saturday 22nd of April 2006 12:15:22 PM
; Saturday 22nd of April 2006 12:15:54 PM
; Saturday 22nd of April 2006 12:16:02 PM
; Saturday 22nd of April 2006 12:16:04 PM
; Saturday 22nd of April 2006 12:17:57 PM

I would like to know why wasn't this person's email address captured by my code?
The field size for the customer's email address in the logs table is set for 35 characters which is more than enough to capture the longest email address.

Houdini

Not necessarily
12345678901234567890123456789012345
robertj_milller@millerpianosales.somehost.com (37) I have one that is even longer myself, you might want to check your users email addys and see if in fact there are not some with longer addresses. It is no big deal to allow for 50 characters in your email field, believe it or not it is possible that some people have long email addresses that exceed 35 characters

transfield

Thanks for your reply, Houdini. At present, the longest email address of my customer is 28 characters. As such, it does not explain the mysterious log file. Nevertheless, acting on your advice, I will certainly increase the field size slightly to cater for future long emails.

I appreciate your reply.