I would like to share my login script for a web based application that i code in PHP. For this script, I'm using session which is then stored in MySQL. This is just a simple script that I made to help one of my friends for his PHP learning process.
For this script, I doubt on the security on login process. I'm no expert in this field. Any suggestion are much appreciated as I'm still learning my way to be a better and DRY programmer. Thou this script does have repetition on certain things especially IP variables which already declare on Login class constructor, still I declare it on every page to check session authentication.
class Login { private $db; private $username; private $password; private $credential; private $count; private $ip; private $session; function Login($object) { $post = (object) $object; $this->username = sanitize($post->username, SQL); $this->password = sanitize($post->password, SQL); $this->password = sha1($this->password); $this->db = db_connect(); } function checkCredential() { if ($this->db) { $query = "SELECT * FROM user WHERE username='$this->username' AND " . "password='$this->password'"; $result = mysql_query($query); $user = mysql_num_rows($result); $query = "SELECT * FROM admin WHERE username='$this->username' AND " . "password='$this->password'"; $result = mysql_query($query); $admin = mysql_num_rows($result); } if ($user > 0) { $this->credential = 'USER'; } else { if ($admin > 0) { $this->credential = 'ADMIN'; } else { $this->credential = 'HACK'; } } } function processLogin() { if (empty($this->credential)) { echo "<script>javascript:alert('Login process terminated.')</script>"; exit(); } if ($this->credential == 'USER') { $query = "SELECT * FROM user WHERE username ='$this->username' AND " . "password = '$this->password'"; } else if ($this->credential == 'ADMIN') { $query = "SELECT aid AS uid, firstname, lastname, username, password, email, phone " . "FROM admin WHERE username ='$this->username' AND " . "password ='$this->password'"; } else { $error = "Username and password entered did not match. Please try again."; echo "<script>javascript:alert('$error')</script>"; header("Location:../login.php"); exit(); } $result = mysql_query($query); $data = mysql_fetch_object($result); $uid = $data->uid; return $uid; } function registerSession($uid) { $_SESSION['username'] = $this->username; $ip = $_SESSION['ip'] = $this->ip = $_SERVER['REMOTE_ADDR']; $session = $_SESSION['id'] = $this->session = session_id(); $_SESSION['uid'] = $uid; $_SESSION['credit'] = $credit = $this->credential; $this->count = 0; $query = "SELECT * FROM session WHERE sid='$uid'"; if ($this->db) { $result = mysql_query($query); $this->count = mysql_num_rows($result); } if (($this->count) > 0) { $query = "DELETE FROM session WHERE sid='$uid'"; $result = mysql_query($query) or die(mysql_error()); $query = "INSERT INTO session VALUES ('$uid','$session','$ip','$credit')"; } else { $query = "INSERT INTO session VALUES " . "('$uid','$this->session','$this->ip','$this->credential')"; } if ($this->db) { $result = mysql_query($query) or die(mysql_error()); if ($result && $credit == 'USER') { header("Location:../user?section=profile"); // Go to USER home profile exit(); } else if ($result && $credit = 'ADMIN') { header("Location:../admin?section=home"); // Go to ADMIN home exit(); } else { $error = "Cannot process login at this moment. Please try again in 5 minutes."; echo "<script>javascript:alert('$error')</script>"; header("Location:../login.php"); // Login process encounter error, redirect to login page. exit(); } } }The sanitize() function should be included at the top of the script. It can be found at mypapit blog. Feel free to download the files which has been modified at certain lines by mypapit himself to extends the functionality to sanitize email address and IP address which is not in OWAPS by default.
In this class, we do have several function which I think is necessary to do better login class. If you do have any suggestion on what should I add of delete to improve security of this login class, please do let me know. I'm still green on this PHP thingy.
Below is how I implement the class in actual login engine.
<?php ob_start(); session_start(); // start session to used on login process require ('connection.php'); // connection file to connect to database require_once ('sanitize.php'); // This is required to use sanitize on login class below. require_once ('class/login.php'); // Login class is required if ($_POST['button'] == 'Submit') { $login = new Login($_POST); // declare object based on Login class $login->checkCredential(); // check either client is user, admin, or hacker $login_data = $login->processLogin(); // start processing login if (!empty($login_data)) { $login->registerSession($login_data); // register session } else { $error = "Username and password entered did not match. Please try again."; echo "<script>javascript:alert('$error')</script>"; header("Location:../login.php"); exit(); } } else { $error = "Cannot access this file directly"; echo "<script>javascript:alert('$error')</script>"; header("Location:../login.php"); } ?>
If you have any idea on how to secure, simplify or make this script better, please drop a few line in comment area. Thanks!
Thank you for your unbelievable support on Negative Zero - Permission to read and write blog for nearly 4 years. Don't forget to like Negative Zero on Facebook.