PHP - How Can I Make My Login Script More Secure?

Hey all,
    I'm in the process of developing a PHP login system for the website of a team I'm involved with. I have a MySQL database already set up to hold user data, but I lack the knowledge to create a respectably secure login system. I tend to be a tad obsessive when it comes to security, and seeing different systems being implemented on various tutorials that cover this topic makes me cynical of the integrity of any of them. So, my question is: how can I create a secure login system that isn't too complex in implementation? Are there any reliable tutorials for this? Would some sort of system that uses session variables be what I'm looking for? I don't require excessive security, but privelidges gained if this system is compromised would be no small matter.

Thanks for any help.

I tried Googling them and what not but all I could find was useless stuff that I couldn't get to work, so I thought I would give it a crack at making my own. I don't think its that secure though. Can someone have a geeza over it? I've pretty much made it up from bits and pieces I have seen and researched. Ignore the echoes they were just for testing.

Well the code was working, now it just keeps redirecting me to index. So I dunno what I fucked.

Heres all the code:
Index.php
Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<?php 
include 'functions.php';
Connect();
?>
<form method="post" action="login.php">
<input type="text" name="Username" />
<input type="password" name="Password" />
<input type="hidden" name="ip" value="<?php ipget(); ?>" />
<input type="submit" />
</form>
</body>
</html>
Login.php
<?php
require_once 'standalone\HTMLPurifier.standalone.php';
include "functions.php";
Connect();
$purifier = new HTMLPurifier();
$result = mysql_query("SELECT Username, Password FROM login ") or die(mysql_error());
$sorted = mysql_fetch_array($result);
$name = $purifier->purify(strtolower($_POST['Username']));
$pass = $purifier->purify(md5(strtolower($_POST['Password'])));
$ip = md5($_POST['ip']);
$stamp = date("Ymdhis");

 

if ( $name == $sorted['Username'] ){
Echo "Username Correct";
if ( $pass == $sorted['Password'] ) {
echo "Password is correct";
session_start();
$_SESSION['ip'] = $ip;
$_SESSION['Username'] = $name;
$_SESSION['Password'] = $pass;
setcookie('ip', $ip, time()+3600);
setcookie('name', $name, time()+3600); 
$ipb = $_SERVER['REMOTE_ADDR'];
$orderid = "$stamp-$ipb";
$orderid = str_replace(".", "", "$orderid");
$GUID = md5(orderid);
setcookie('GUID', $GUID, time()+3600);
mysql_query("UPDATE login SET GUID = $GUID WHERE Username = '$name'");
header("location: admin.php");
} else {
echo "password is wrong";
}
} else {
Echo "wrong name";
}

?>


Functions.php
<?php
function connect(){
mysql_connect("localhost", "test", "password") or die(mysql_error());
mysql_select_db("db344475103") or die(mysql_error());
echo "Connected";
}
function ipget(){
$ip = $_SERVER['REMOTE_ADDR'];
echo $ip;
}
function check(){
session_start();
if (md5($_SERVER['REMOTE_ADDR']) == $_SESSION['ip'])
{
if (md5($_SERVER['REMOTE_ADDR']) == $_COOKIE['ip'])
{
if ($_SESSION['Username'] == $_COOKIE['name'])
{
if ($_COOKIE['GUID'] == mysql_query("SELECT GUID FROM login")) {
} else {
header("location: index.php");
session_destroy();
}
} else {
header("location: index.php");
session_destroy();
}
} else {
header("location: index.php");
session_destroy();
}
} else {
header("location: index.php");
session_destroy();
}
}
function clean(){
}
?>

Admin.php
Code: [Select]
<?php
include 'functions.php';
check();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
Admin Area
</body>
</html>
Yeah its a lot of code, probably most of it useless as well knowing me.

The more I look at this code the more i think to myself that there is some kind of security hole in it, but at other times I say that it'll do.   Here's the code in question:   part of my jquery script:

		if ( proceed ) {
			//console.log('All the conditions have been met.');
			var data = $('#registerForm input').serialize(); // Put form data into serialize format:

			/* Save Function by grabbing & sending data to register.php */
			$.post($('#registerForm').attr('action'), data , function(info) {
				console.log(info);
				//$('#result').text(info); // Display the result back when saved: 
			}); // End of Save:
			
		} else {
			console.log('There is a problem somewhere.');
		}

and my php file that the data is sent to:

if (isset($_POST['username'])) {
	$userType = 'public';
	$username = $_POST['username'];
	$realname = $_POST['realname'];
	$email = $_POST['email'];
	$password = password_hash(trim($_POST['password']), PASSWORD_BCRYPT, array("cost" => 15));

	$query = 'INSERT INTO users (userType, username, realname, email, password, dateAdded) VALUES (:userType, :username, :realname, :email, :password, NOW())';
	$stmt = $pdo->prepare($query);

	try 
	{
		$result = $stmt->execute(array(':userType' => $userType, ':username' => $username, ':realname' => $realname, ':email' => $email, ':password' => $password));
		if ($result) {
			echo 'Data Successfully Inserted!'; 
		}
	} 
	catch(PDOException $error) 
	{
		if (substr($error->getCode(), 0, 2) == SQL_CONSTRAINT_VIOLATION) {
			$errorMsg = 'The username already exists.';
		} else {
					throw $error; // some other error happened; just pass it on.	
				}		
			}
			
		}

Basically it takes the data from the registration form, validates it and then sends it to the register.php file to insert the data in the database table. I will be a long time before I go live with this, but I want to make this as secure as I can. An suggestions or help will be greatly appreciated.   Best Regards,       John

This topic has been moved to Miscellaneous.

http://www.phpfreaks.com/forums/index.php?topic=351535.0

I have a little php site that looks up data in my crm database quickly and easily on my iphone.
Right now it's wide open because I'm in and out of it all day and trying to input uid/pw into a secure login page is a pain in the rear. (we're not talking about sensitive data here and I'm the only user.)

So, I would like to design a screen with several large graphic buttons and be able to touch those buttons in a specific sequence that would functionally allow a secure login.

Similar in concept to the android screen lock. You touch a sequence of numbered buttons and voila, the screen unlocks. It does not open a text field for data entry into two separate fields.

So if my access code was 1,2,3,4 and the screen was divided into quarters with a large number on each one, I would touch the buttons in that order and it would open the main page.

How would this best be accomplished? Is there a php function to essentially build a variable through successive key presses? then with a final submit it would just check that against a "secret code" and allow access.

Thanks for any input.   

Hey guys I had created a while ago a script for my friend where you can buy points and then redeem stuff with those points, i'm looking for ways to keep my site secu currently what i have done-

- protected all mysql queries with mysql_real_escape_string, strip_tags, and addslashes
- have a valid SSL certificate on my website
- checked if emails are valid for account creation

what else can I do? Thank you.

Hi Little Help Needed
I have created a new website
In the index.php file i want to show records from database

Now, here is how the problem arise
I want to import codes from github intead of hosting those files on my server because i want to keep it opensource

Below is the code I am using
<?php
// connect to the database
include('connect-db.php');

// get results from database
$sql = "SELECT id, upadhi, name FROM munishri";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo "id: " . $row["id"]. " - Name: " . $row["upadhi"]. " " . $row["name"]. "<br>";
}
} else {
echo "0 results";
}

// close connection
$conn->close();
?>

Can i host the code to show result in another file and use something like
<?php
// connect to the database
include('connect-db.php');

// get results from database
include('http://rawgit.com/th...database.php');
?>

Code: [Select]
<?php
    // Maximum file size for upload
    $maxFileSize = 5242880;
    
    // If file is too large
    if(!empty($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxFileSize)
        echo "File too large";
    else
    {
        if(isset($_POST['submit']))
        {
            // List of acceptable file types
            $whitelist = array(
                "application/vnd.openxmlformats-officedocument.wordprocessingml.document",    // .docx
                "application/msword",                                                        // .doc, .rtf
                "text/plain",
                "image/jpeg",
                "image/gif",
                "image/png",
                "application/pdf",
                "application/octet-stream",                                                    // .rar
                "application/x-zip"                                                            // .zip
            );
            
            // Is uploaded file type in whitelist array
            if(!in_array($_FILES['file_upload']['type'], $whitelist))
                exit("Bad Filetype");
            
            // Don't allow php files
            if(preg_match("/\.php.*$/i", $_FILES['file_upload']['name']))
                exit("We do not allow uploading PHP files\n");
            
            // Move the file
            $uploaddir = '../uploads/';
            $uploadfile = $uploaddir . "[" . time(). "]." . basename($_FILES['file_upload']['name']);
            
            if (move_uploaded_file($_FILES['file_upload']['tmp_name'], $uploadfile))
                exit("File is valid, and was successfully uploaded.\n");
            else
                exit("File uploading failed.\n");
        }
    }
?>
<html>
    <head>
        <title>Upload Test</title>
    </head>
    <body>
        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="multipart/form-data" method="POST">
            <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $maxFileSize; ?>" />
            <input type="file" name="file_upload" />
            <input type="submit" name="submit" value="upload" />
            <br />
            <?php echo "(Max: " . number_format($maxFileSize/1048576,0) . " MB)" ?>
        </form>
    </body>
</html>

Hi All,
I am using HTTP Session2 pear module in my project.
My logout code is

HTTP_Session2::set('user_id','');
HTTP_Session2::set('user_type','');
HTTP_Session2::regenerateId(true);
HTTP_Session2::destroy();
pageRedirect("index.php?q=registration/login");
exit;


My Check Login Script is


if(trim(HTTP_Session2::get('user_id'))=='' || trim(HTTP_Session2::get('user_type'))=='') {
        HTTP_Session2::set('user_id','');
HTTP_Session2::set('user_type','');
HTTP_Session2::regenerateId(true);
HTTP_Session2::destroy();
pageRedirect("index.php?q=registration/login");
        exit;
}



problem here is whenever I click on back button after logout then I can see the user homepage, on which I have written "Check Login Script ".

Is there a good solution available ?

Hi guys, sorry for such a newbish question.  Any help would be greatly appreciated.

HTML FORM:
Code: [Select]
<form action="form.php" method="post" onsubmit="return validateForm()" name="form">
<b>First Name:*</b>
<input type="text" name="first_name" size="50" />
<b>Last Name:*</b>
<input type="text" name="last_name" size="50" />
<b>Phone:*</b>
<input type="text" name="phone" size="50" />
<b>Email:*</b>
<input type="text" name="email" size="50" />
<p><b>What is your favorite color?*</b></p>
<p align="left">
<select name="se">
<option value="W">White</option>
<option value="G">Green</option>
<option value="Y">Yellow</option>
</select>
<input type="submit" value="Submit"/>
</form>


FORM.PHP script
Code: [Select]
<?php
$se = $_POST['se'];
$seURL = '';
switch ($se) {
  case 'W':
    $seURL = "http://url1.com";
    break;
  case 'G':
    $seURL = "http://url2.com";
    break;
  case 'O':
    $seURL = "http://url3.com";
    break;
  default:
    $seURL = "";
}
if ($seURL != "") {
/* Redirect browser */
/* make sure nothing is output to the page before this statement */
header("Location: " . $seURL);
}

// get posted data into local variables
$EmailFrom = "noreply@domain.com";                           
$EmailTo = "email@domain.com";                       
$Subject = "Form";                                         
$first_name = Trim(stripslashes($_POST['first_name'])); 
$last_name = Trim(stripslashes($_POST['last_name'])); 
$phone = Trim(stripslashes($_POST['phone'])); 
$email = Trim(stripslashes($_POST['email'])); 

// validation
$validationOK=true;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
  exit;
}

// prepare email body text
$Body = "";
$Body .= "first_name: ";
$Body .= $first_name;
$Body .= "\n";
$Body .= "last_name: ";
$Body .= $last_name;
$Body .= "\n";
$Body .= "phone: ";
$Body .= $phone;
$Body .= "\n";
$Body .= "email: ";
$Body .= $email;
$Body .= "\n";
$Body .= "color: ";
$Body .= $se;
$Body .= "\n";

// send email 
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// send email to user
if ($se=="W")
$EmailFrom = "noreply@domain.com";
$to = $email;
$subject = "form email";
$body = "thank you for filling out our form";
if (mail($to, $subject, $body, "From: <$EmailFrom>")) {
  echo("<p>Message successfully sent!</p>");
} else {
  echo("<p>Message delivery failed...</p>");
}

?>
[code]


MOD EDIT: [nobbc][code] . . . [/code][/nobbc] tags added . . .

Hello guys,

Is there on web any updated tutorial on how can I add Facebook login on my simple php login script?

Okay so my news script is set to view only 10 pieces of news. But I want it so that it starts a new page once I have more than 10 pieces of news.

Code: [Select]
<?php
require("functions.php");
include("dbconnect.php");

session_start();

head1();
body1();
new_temp();
sotw();
navbar();
     
$start = 0;
$display = 10;
$query = "SELECT * FROM news ORDER BY id DESC LIMIT $start, $display";
$result = mysql_query( $query );

if ($result) {
    while( $row = @mysql_fetch_array( $result, MYSQL_ASSOC ) ) {
        news_box( $row['news'], $row['title'], $row['user'], $row['date'], $row['id'] );
    }
    mysql_free_result($result);
} else {
    news_box( 'Could not retrieve news entries!', 'Error', 'Error', 'Error');
}
                   
footer();

mysql_close($link);
?>
I tried a few things but they failed....miserably.

Sir, Im in the stage to make login and registration phase but im want to try to do same as chatango



Im want type the message and  hit the set up name button first




Then after hit the set name( a small box for login is coming out in the same page by the way what the function to call that box)



The last step is after input the username and password, the message that i already put is appear in chat screeen


My doubt is is this all process is doing in one php file or many php file and how to recall that

Hope Sir can help my doubtful thank you

Login.php

Code: [Select]
<?php
    session_start();
    mysql_connect("localhost","root") or die(mysql_error());
    mysql_select_db("cute") or die(mysql_error());
    $username = $_POST['username'];
    $password = $_POST['pass'];
    if (isset($_POST["submit"]))
    {
     $log = "SELECT * FROM regis WHERE username = '$username'";
     $login = mysql_query($log);  
     $row = mysql_fetch_array($login);
     $number = mysql_num_rows($login);
     if ($number > 0)
     {


        $_SESSION['username'] = $row['username'];
        $_SESSION['userlevel'] = $row['userlevel'];
        
         
        if($_SESSION['userlevel']==1)
       {
        $_SESSION['is_logged_in'] == 1;
        header("Location: form2.php");
       }
        else if($_SESSION['userlevel']== 0)
       {
         $_SESSION['is_logged_in'] == 1;
         header("Location: registration.php");
       }
     }

Registration.php

Code: [Select]
<?php
echo 'Welcome:' .$_SESSION['is_logged_in'];?>
form2.php

Code: [Select]
<?php
session_start();
if (empty($_SESSION['is_logged_in']))
{
 header("Location:chatframe.php");
 die();     // just to make sure no scripts execute
}
?>
<?php
mysql_connect("localhost","root") or die(mysql_error());
mysql_select_db("cute") or die(mysql_error());
$message=$_POST['message'];
$a=$_SESSION['username'];



if(isset($_POST['submit'])) //if submit button push has been detected

{


   if(strlen($message)>1)
   {
      $message=strip_tags($message);
      $IP=$_SERVER["REMOTE_ADDR"]; //grabs poster's IP
      $checkforbanned="SELECT IP from ipbans where IP='$IP'";
      $checkforbanned2=mysql_query($checkforbanned) or die("Could not check for banned IPS");

    if(mysql_num_rows($checkforbanned2)>0) //IP is in the banned list
    {
     print "You IP is banned from posting.";
    }

    else
    {
     $thedate = date("U"); //grab date and time of the post
     $insertmessage="INSERT into chatmessages (name,IP,postime,message) values('$a','$IP','$thedate','$message')";
     mysql_query($insertmessage) or die("Could not insert message");
    }
   }
}


 ?>
<html>
<head>
<script type="text/javascript">
function addsmiley(code)
{
var pretext = document.smile.message.value;
              this.code = code;
              document.smile.message.value = pretext + code;
}

function a()
{
 var x = document.smile.message.value;
 if(x=="")
 {
  alert("Please insert an message!");
  return false;
 }

}

</script>
<style type="text/css">
body{ background-color: #d8da3d }
</style>
</head>
<body>
  <form name="smile" method="post" action="form2.php" onSubmit="return a()" >
   Your message:<br><textarea name='message' cols='40' rows='2'></textarea><br>
   <img src="smile.gif" alt=":)" onClick="addsmiley(':)')" style="cursor:pointer;border:0" />
   <img src="blush.gif" alt=":)" onClick="addsmiley('*blush*')" style="cursor:pointer;border:0" />
   <input type='submit' name='submit' value='Send' class='biasa'  ></form>

   
 
  <br> <br>
  </body>
</html>
In this registration.php when im called back its appear nothing im means the number is not showing and the login code even im had also put the "$_SESSION['is_logged_in'] == 1;" outside if else userlevel statement and then i put $d=  $_SESSION['is_logged_in'] == 1;   and im echoing back but it is nothing im thinks something wrong in session is login

 and also still it cannot redirect to admin -form2.php when session is login in is 1