Posted (edited)

Is my Login script secured now?

 

<?
include 'nliheader.php';

if(isset($_POST['submit'])){
 $username = $_POST["username"];
 $username = addslashes($username);
 $password = $_POST["password"];
 $password = addslashes($password);


$result = mysql_query("SELECT * FROM `grpgusers` WHERE `loginame`='$username'") or die (Message("Sorry, your username and password combination are invalid."));
$worked = mysql_fetch_array($result);

$ban1 = mysql_query("SELECT * FROM `bans` WHERE `id` = '".$worked['id']."' AND (`type` = 'freeze' OR `type` = 'perm')");
$ban = mysql_num_rows($ban1);

  if ($_SESSION['AntiSpamImage'] !== $_REQUEST['anti_spam_code']) {
 // set antispam string to something random, in order to avoid reusing it once again
 $_SESSION['AntiSpamImage'] = rand(1,9999999);
echo Message('<div>The verification code you entered is invalid.</div>');

} else {

if($worked['password'] == $password) {
	if ($worked['activate'] != "0") {
	  echo Message(' Your account has not yet been activated. If you have lost the email you can have it send again by clicking <a href="sendactivate.php">here</a>.');
	  include('nlifooter.php');
	  die();
	}

	if($worked['ban/freeze'] == 1 || $ban > 0) {
	echo Message(' Your account has either been banned or frozen. Please check back in a few days to see if it has been lifted.');
	  include('nlifooter.php');
	  die();
	}

	echo Message('Please wait, you are being logged in. Do not press the back button.<br />If you still see this page after 10 seconds you may want to try re-logging in.');
	echo '<meta http-equiv="refresh" content="1;url=index.php">';
   	$_SESSION["id"] = $worked['id'];
	include('nlifooter.php');
	die();

 } else {
   echo Message('Sorry, your username and password combination are invalid.');
 }
 }
 }

?>
<div id="right_c"><div class="g_content"><h3>  Login</h3></div><div class="g_text">
<form name='login' method='post' action='login.php'>
<table width='60%' border='0' align='center' cellpadding='0' cellspacing='0'>
<tr>
<td width='35%' height='27'><font size='2' face='verdana'>Username: </font></td>
<td width='65%'><font size='2' face='verdana'>
<input name='username' type='text' size='22' value="<?php echo md5($_POST['username']); ?>">
</font></td>
</tr>

<tr>
<td height='24'><font size='2' face='verdana'>Password </font></td>
<td><font size='2' face='verdana'>
<input name='password' type='password' size='22' value="<?php echo md5($_POST['password']); ?>">
</font></td>
</tr>

<tr>
<td><font size='2' face='verdana'>
<br />
<input type='submit' name='submit' value='Login'>
</font></td>
</tr>
</table>
</form>
</div>
</div>
<?
include 'footer.php';
?>

Edited by Cronic
  • 2 weeks later...
Posted

Hmm ok. So it would be better to make it like:

 

if(isset($_POST['submit'])){
$username = $_POST["username"];
$username = mysql_real_escape_string($username);
$password = $_POST["password"];
$password = mysql_real_escape_string($password);

 

Thanks for the help by the way. :)
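
An added example, not code from either poster: the same user lookup and ban check done with PDO prepared statements and `password_verify()`, so no hand escaping of input is involved (the `mysql_*` functions used above were removed in PHP 7.0). Table and column names are taken from the posted script; the function name `attempt_login`, the in-memory SQLite database, the sample rows, and the assumption that the `password` column holds `password_hash()` output are all constructed for this illustration.

```php
<?php
// Added example. Table/column names follow the posted script; the SQLite
// database and its rows are constructed sample data so this runs offline.

/**
 * Returns the user's id on success, or null on any failure.
 * Assumes `password` stores password_hash() output (the posted script
 * compares plain strings instead). Only the `bans` table is checked here.
 */
function attempt_login(PDO $db, string $username, string $password): ?int
{
    // Placeholders keep user input out of the SQL text entirely, so
    // neither addslashes() nor an escape function is needed.
    $stmt = $db->prepare('SELECT id, password, activate FROM grpgusers WHERE loginame = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password produce the same result.
    if ($user === false || !password_verify($password, $user['password'])) {
        return null;
    }
    if ($user['activate'] != 0) {
        return null; // account not activated yet
    }

    $ban = $db->prepare("SELECT COUNT(*) FROM bans WHERE id = ? AND type IN ('freeze', 'perm')");
    $ban->execute([$user['id']]);
    if ((int) $ban->fetchColumn() > 0) {
        return null; // banned or frozen
    }
    return (int) $user['id'];
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE grpgusers (id INTEGER PRIMARY KEY, loginame TEXT, password TEXT, activate INTEGER)');
$db->exec('CREATE TABLE bans (id INTEGER, type TEXT)');
$add = $db->prepare('INSERT INTO grpgusers (loginame, password, activate) VALUES (?, ?, 0)');
$add->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$add->execute(["o'brien", password_hash('s3cret', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO bans (id, type) VALUES (2, 'perm')");

var_dump(attempt_login($db, 'alice', 'correct horse')); // valid credentials
var_dump(attempt_login($db, 'alice', 'wrong'));         // wrong password
var_dump(attempt_login($db, "o'brien", 's3cret'));      // quote is plain data; account is banned
```

On a successful login in a real page, call `session_regenerate_id(true)` before setting `$_SESSION["id"]` so the pre-login session identifier is not reused.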
