Login confirmation help.

lszanto

I am new to MySQL and I am in the middle of building a website for which I need a login and I am using mysql to store the users as it makes it easier for me to register accounts. I have the registration file done but I am having some problems with the login file. Basicly I need some sort of confirmation so I know that they have logged in with a correct password and user name. Any help is appreicated and the code is below.

<?php 

$username=$_POST['username'];
$password=$_POST['password'];
$allow="allow";

mysql_connect("localhost", "root") or die(mysql_error());
mysql_select_db("project") or die(mysql_error());

echo "connected<br />";

$conn=mysql_connect("localhost", "root") or die(mysql_error());

$searchusr="SELECT user_name, user_pass " .
"FROM userinfo " .
"WHERE user_name='" . $username . "' " .
"AND user_pass='" . $password . "'";


$result = mysql_query($searchusr) or
die("There was an error: " . mysql_error());
if($result) {
	setcookie("permission", $allow, time()+3600);
	setcookie("user", $username, time()+3600);
	$permission="allow";
}

echo "stuff set<br />";

if ($permission=="allow") {
?>
<html>
<head>
<title>Project.</title>
<link rel="stylesheet" href="stylesheets/loginstyle.css" type="text/css" />
</head>

<body>

Welcome <?php echo $username; ?> to the site, you may now enter and access all pages on our website without hassle.<br />
<a href="pages/main.php" target="_self">Enter</a>.

</body>
</html>
<?php } else { ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Project Login.</title>
<link rel="stylesheet" href="stylesheets/loginstyle.css" type="text/css" />
</head>

<body style=" margin: 15%; ">

You have not been logged in, plese click <a href="index.php" >back</a> and try again.

</body>
</html>
<?php } ?>

zabmilenko

Start with wrapping the fields in your query like so:

$searchusr="SELECT user_name, user_pass " .
"FROM userinfo " .
"WHERE user_name='" . mysql_real_escape_string(substr($username,0,128)) . "' " .
"AND user_pass='" . mysql_real_escape_string(substr($password,0,128)) . "'";

Never ever ever pass unchecked variables into a database query. It's too easy for someone to set there username to this:

"; update userinfo set password = 'whateverIwant' where username = "admin

and then just totally trash your stuff. All an attacker would need is 5 minutes and a list of usernames to pull a very clean takeover.

Besides that, what do you think is wrong with it?

lszanto

I don't really mind that its easy hackable as its just for me and a few friends and if you want to get in all you have to do is register but the problem is no matter what username/password combo I enter it lets me in as there is no confirmation of the username/password and I just need help with that.

zabmilenko

$result = mysql_query($searchusr);
if ($result) ....

is fairly lenient. Try:

if (mysql_num_rows($result) > 0) ...

rincewind456

The only way that script will work is if you have register globals set to on, which is another security hole.

If as you say you don't mind that it's hackable then why bother with a login script?

zabmilenko

I don't see how he'd need register_globals...

But a second look shows he's wide open to cookie spoofing as well.

I don't recommend you tell anyone the url to this page...