safe login

dvwhi

hi i know that there are lots of things on here about logins but i dont under stand them i am currently using this code and people say that it is not safe so i was woundering if you can tell me where im going ronge?

loging in

<?
include("database.php");

$myusername = $_POST ['myusername'];
$mypassword = $_POST ['mypassword'];

$sql = "SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);

$count = mysql_num_rows($result);
if ($count==1) {
session_register("myusername");
session_register("mypassword");
header("location:index2.php");
}
else {
echo "WRONG USERNAME OR PASSWORD";}

$_SESSION['myusername'] = $myusername

?>

Database include

<?

$host = "localhost";
$username = "foo";
$password = "bar";
$db_name = "baz";

mysql_connect($host, $username, $password) or die (mysql_error());
mysql_select_db($db_name) or die(mysql_error());


?>

dagon

your storing your passwords in the db raw, you should hash and salt it
your running your variables from the login form against the db raw, you should sanitise them
your posting your db credentials to a public forum

there's a start

Weedpacket

dagon wrote:
your posting your db credentials to a public forum

Not any more 🙂

drwhi wrote:
hi i know that there are lots of things on here about logins but i dont under stand them i am currently using this code and people say that it is not safe so i was woundering if you can tell me where im going ronge?

You're mixing $_SESSION and session_register(). session_register() would only work if register_globals is turned on. Having register_globals turned on is a bad thing.

You should exit(); after using header("Location:");

On a live site you should not die(mysql_error()). You should provide a proper error page that doesn't reveal details of the inner workings of your database.

You misspell "don't", "understand", "wondering", "I'm", "wrong", and "I" four times 🙂

dvwhi

so can anyone tell me what code I need for it?

dagon

dvwhi;10905122 wrote:
so can anyone tell me what code I need for it?

there's more tutorials on google for login scripts than (hot diners euphemism)