What should I create to enhance the security of my login (user) system? Some categories:
storing in database
hashing
encrypting/decrypting
logging in
storing in session variables
etc.
PHP: What are your security tips (advice) for login systems?
%26lt;?
/***************************
login.class.php
***************************/
/**
 * Legacy login handler (this listing is HTML-entity encoded and several
 * statements end in a truncation marker, so those lines cannot be read in full).
 *
 * Flow: the constructor dispatches on the request method, validate_user()
 * pattern-checks the submitted fields, runs a SELECT against the users table
 * and copies the matching row into $_SESSION before emitting a redirect.
 *
 * Review notes (defensive):
 *  - Relies on the mysql_* extension, ereg() and a PHP4-style constructor
 *    (function user), all of which were removed in PHP 7; a modern port needs
 *    PDO/mysqli prepared statements, preg_match() and __construct().
 *  - The SQL in validate_user() is built by interpolating the raw user_name
 *    field into the query string, so it is SQL-injectable; bind it as a
 *    parameter instead.
 *  - Passwords are compared as unsalted md5 hashes; use password_hash() /
 *    password_verify().
 *  - No session_start(), session_regenerate_id() after login, CSRF token or
 *    rate limiting is visible in this class (they may live in the including
 *    file — confirm).
 */
class user{
//To track the switch/errors through out
// NOTE(review): never initialised; the two "login_error == false" lines below
// are comparisons, not assignments, so this stays null and the
// "=== false" test in validate_user() can never be true.
var $login_error;
//constructor
// PHP4-style constructor: dispatches to validate_user() on POST, otherwise
// renders the form. Nothing here reads or starts a session.
function user($UserInput){
if($_SERVER['REQUEST_METHOD'] == ';POST';)
{
$this-%26gt;validate_user($UserInput);
}
else
{
$this-%26gt;login_form();
}
}//End function
//Just a simple login form
// Emits the login form (fields FLU = user name, FLP = password).
// Security: the action attribute interpolates $_SERVER[PHP_SELF] unescaped,
// which is attacker-influenced (request path) and should be passed through
// htmlspecialchars() or replaced by a fixed URL; the form also carries no
// CSRF token. The echo is cut off in this listing.
function login_form(){
echo ';%26lt;div align=\';center\';%26gt;%26lt;form name=\';LoginForm\'; action=\';$_SERVER[PHP_SELF]\'; method=\';POST\';%26gt;%26lt;table%26gt;%26lt;tr%26gt;%26lt;td%26gt;%26lt;tr%26gt;%26lt;td%26gt;U鈥?Name:%26lt;/td%26gt;%26lt;td%26gt;%26lt;input type=\';text\'; name=\';FLU\';%26gt;%26lt;/td%26gt;%26lt;td%26gt;Password:%26lt;/td%26gt;%26lt;td%26gt;鈥?type=\';password\'; name=\';FLP\';%26gt;%26lt;/td%26gt;%26lt;/tr%26gt;%26lt;tr%26gt;%26lt;td colspan=\';2\';%26gt;%26lt;input type=\';submit\'; value=\';Submit\';%26gt; %26lt;input type=\';reset\'; value=\';Reset\';%26gt;%26lt;/td%26gt;%26lt;/tr%26gt;%26lt;/table%26gt;%26lt;/div%26gt;鈥?br>
}//End Function
// Validates the submitted fields, looks the user up in the database and, on a
// single match, copies the row into $_SESSION and redirects.
// $UserInput: the submitted form fields (expected keys FLU and FLP).
// May call exit, so nothing after it in the calling script runs on failure.
function validate_user($UserInput){
//my chosen user name and password pattern
// POSIX-style patterns for ereg(); ereg() is removed in PHP 7, so these need
// delimiters and preg_match(). The password pattern is truncated in this listing.
$this-%26gt;user_name_pattern = (';^[a-zA-Z0-9]{5,15}$';);
$this-%26gt;password_pattern = (';^[a-zA-Z0-9\!\@\#\$\%\^\%26amp;%26amp;#92;*\`\~\_]鈥?br>
//JavaScript History -1
$this-%26gt;go_back = ';%26lt;a href=javascript:history.go(-1)%26gt;%26lt;font color=red size=-2%26gt;(Go Back)%26lt;/font%26gt;%26lt;/a%26gt;';;
//Change the redirect location to whare you want to go http://yoursite.com/members/
$this-%26gt;success_login_redirect = ';http://dzsoundnirvana.com/';;
// NOTE(review): switch on the array $UserInput with boolean case expressions
// only works through loose array-to-bool comparison; this is really an
// if/elseif chain and should be written as one. Both case lines are truncated.
switch($UserInput){
case ($UserInput['FLU'] == ';'; || !ereg($this-%26gt;user_name_pattern,$UserInpu鈥?br>
$this-%26gt;login_form();
echo ';%26lt;div align=\';center\';%26gt;%26lt;font color=\';red\';%26gt;Invalid user name. Try again or $this-%26gt;go_back!%26lt;/font%26gt;%26lt;/div%26gt;';;
// BUG: "==" compares instead of assigning, so login_error is never set and
// execution continues to the database query below for invalid input.
$this-%26gt;login_error == false;
break;
case ($UserInput['FLP'] == ';'; || !ereg($this-%26gt;password_pattern,$UserInput鈥?br>
$this-%26gt;login_form();
echo ';%26lt;div align=\';center\';%26gt;%26lt;font color=\';red\';%26gt;Invalid password. Try again or $this-%26gt;go_back!%26lt;/font%26gt;%26lt;/div%26gt;';;
// BUG: same comparison-instead-of-assignment as above.
$this-%26gt;login_error == false;
break;
}
// With login_error never assigned (null), this branch is unreachable.
if($this-%26gt;login_error === false){
//Or you can redirect to a ';Forgot password/user name'; page or leave it alone. This will kill the script. No output after though!
exit;
}
else{
//Now we go to the Database and validate the user
$this-%26gt;db();
// SECURITY: the user_name value is interpolated straight from the request
// into the SQL string -> SQL injection. Use a prepared statement with bound
// parameters. Also note the hashed key is $UserInput['password'] while the
// form field is named FLP; unless the caller renames the key, the submitted
// password is not the value being compared. md5 is not a password hash —
// store password_hash() output and check with password_verify().
$this-%26gt;query_string = ';SELECT * FROM users WHERE user_name='$UserInput[FLU]' %26amp;%26amp; password=''; . md5($UserInput['password']) . ';'';;
$this-%26gt;query = mysql_query($this-%26gt;query_string);
//Error check the query
if(!$this-%26gt;query){
echo ';System error! Contact the system administrator!%26lt;br%26gt;or%26lt;br%26gt;$this-%26gt;go_back';;
//use this for debugging (below), Delete the // at the beginning
// Keep mysql_error() out of responses in production: it leaks schema details.
//echo mysql_error();
}
else{
//Need to check if more than 1 user exists if so....throw HACKING error (not supported here)..another class
$this-%26gt;num_rows = mysql_num_rows($this-%26gt;query);
// Rejects a multi-row result; a zero-row result (wrong credentials) is NOT
// rejected here and falls through to the session/redirect code below.
if($this-%26gt;num_rows %26gt; 1){
echo ';Hacking warning';;
exit;
}
else{
//Get the user information and set into the $_SESSION and then redirect to the directed page
// mysql_fetch_assoc() returns false on an empty result; that case is not checked.
$this-%26gt;user_information = mysql_fetch_assoc($this-%26gt;query);
//Put all user data into $_SESSION
// SECURITY: every column of the row, including the stored password hash, is
// copied into the session. Copy only the identifiers the app needs, and call
// session_regenerate_id(true) here to prevent session fixation.
// NOTE(review): the two redirect echos are inside this loop body, so they are
// emitted once per column; they presumably belong after the closing brace.
foreach($this-%26gt;user_information as $key =%26gt; $value){
$_SESSION[$key] = $value;
//Now we redirect to the page specified
// Truncated in this listing; a header('Location: ...') redirect before any
// output is the usual replacement for a JavaScript redirect.
echo ';%26lt;script type=\';text/javascript\';%26gt;window.location鈥?br>
// BUG: the href is the literal text "this->success_login_redirect" (missing $).
echo ';If you are not redirected %26lt;a href=\';this-%26gt;success_login_redirect\'; target=\';_parent\';%26gt;Click here to continue%26lt;/a%26gt;';;
}
}
}//else
}//if($this-%26gt;login_error === false)/else{
}//End function
// Opens the database connection and selects the database.
// Credentials are hard-coded in the class (move them to configuration outside
// the web root), the connect call is truncated in this listing, and neither
// return value is checked here — a failed connect only surfaces as the generic
// query error in validate_user().
function db(){
//Put your database host, database user name, and database password
$this-%26gt;db_link = mysql_connect(';data_base_host';,';data_bas鈥?br>
//Select the DB
//Put your database name
$this-%26gt;db_select = mysql_select_db(';data_base_name';);
}
}//End Class
?%26gt;