paul_taylor_22

asked on

PHP secure login code

Hi,
Apologies if the answer to this is found on another post; I have not found it so far.
I am looking to implement a system which includes a login portal, for users (stored in a DB) to log in using PHP sessions.
Below is the code that I have used, which works, but the security aspect is concerning me.
Could you let me know if this is a secure way to implement this, and if I can improve it in any way?

Thanks in advance.
All files include check_login.php:
<?php
        session_start();
        if (!isset($_SESSION['user_id'])){
                include("login.php");
                exit();
        }
?>
 
 
 
login.php:
<html>
<head>
</head>
<body>
<form action="login_submit.php" method="POST">
Username: <input type="text" name="username">
Password: <input type="password" name="password">
</form>
</body>
</html>
 
 
 
login_submit.php:
<?php
        include("includes/db_connect.php");
 
        $username=$_POST['username'];
        $password=$_POST['password'];
 
        $qryGetUser="SELECT * FROM user WHERE username='$username' LIMIT 1";
        $rsGetUser=mysql_query($qryGetUser) or die(mysql_error());
 
        //USERNAME CORRECT?
        if (mysql_num_rows($rsGetUser)==0){
                echo "Username or password incorrect.";
                exit();
        }
        $rowUser=mysql_fetch_array($rsGetUser);
 
        //PASSWORD CORRECT?
        if ($rowUser['password']!=md5($password)){
                echo "Username or password incorrect.";
 
                //LOCK ACCOUNT IF THIS IS THIRD ATTEMPT
                if ($rowUser['failed_attempts']>1){
                        $qryUpdateUser="UPDATE user SET failed_attempts=failed_attempts+1, locked='1' WHERE user_id='".$rowUser['user_id']."'";
                }
                //ELSE INCREMENT FAILED ATTEMPTS
                else{
                        $qryUpdateUser="UPDATE user SET failed_attempts=failed_attempts+1 WHERE user_id='".$rowUser['user_id']."'";
                }
                $rsUpdateUser=mysql_query($qryUpdateUser) or die(mysql_error());
                exit();
        }
        //IF ACCOUNT LOCKED
        if ($rowUser['locked']=="1"){
                $qryUpdateUser="UPDATE user SET failed_attempts=failed_attempts+1 WHERE user_id='".$rowUser['user_id']."'";
                $rsUpdateUser=mysql_query($qryUpdateUser) or die(mysql_error());
                echo "<b>Error: </b>Your account has been disabled.<br/>Please contact your systems administrator.";
                exit();
        }
 
        //LOGGED IN
        session_start();
        $_SESSION['username']=$rowUser['username'];
        $_SESSION['user_id']=$rowUser['user_id'];
        $_SESSION['login_time']=date(" H:i:s d-m-Y");
 
        header("Location: main.php");
?>

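For comparison, here is a hardened version of login_submit.php. This is an added example, not the asker's code and not the accepted solution (which is not visible on this page). It assumes includes/db_connect.php defines a PDO connection in $pdo (hypothetical), that the password column holds password_hash() output rather than md5(), and that the MySQL table from the question is otherwise unchanged.

```php
<?php
// Added example, not the asker's code or the accepted solution.
// Assumes includes/db_connect.php defines $pdo (a PDO connection, hypothetical)
// and that user.password stores password_hash() output instead of md5().
declare(strict_types=1);
session_start();
require 'includes/db_connect.php';
const MAX_FAILED_ATTEMPTS = 3; // lock on the third consecutive failure, as in the original

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Prepared statement: the username is bound as data and never spliced into the SQL text.
$stmt = $pdo->prepare(
    'SELECT user_id, username, password, failed_attempts, locked FROM user WHERE username = ? LIMIT 1'
);
$stmt->execute([$username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// Refuse locked accounts before checking the password, so the "disabled" message
// does not confirm that a guessed password was right.
if ($user && (int) $user['locked'] === 1) {
    echo 'Error: your account has been disabled. Please contact your systems administrator.';
    exit;
}

// Always run password_verify(), against a throwaway hash when the user is unknown,
// so unknown-user and wrong-password paths take similar time and give the same message.
$storedHash = $user ? $user['password'] : password_hash('placeholder', PASSWORD_DEFAULT);
$verified = password_verify($password, $storedHash);

if ($user === false || !$verified) {
    if ($user) {
        $lock = ((int) $user['failed_attempts'] + 1 >= MAX_FAILED_ATTEMPTS) ? 1 : (int) $user['locked'];
        $pdo->prepare('UPDATE user SET failed_attempts = failed_attempts + 1, locked = ? WHERE user_id = ?')
            ->execute([$lock, $user['user_id']]);
    }
    echo 'Username or password incorrect.';
    exit;
}

// Success: clear the counter, rotate the session id (session fixation), store the identity.
$pdo->prepare('UPDATE user SET failed_attempts = 0 WHERE user_id = ?')->execute([$user['user_id']]);
session_regenerate_id(true);
$_SESSION['user_id'] = $user['user_id'];
$_SESSION['username'] = $user['username'];
$_SESSION['login_time'] = time();
header('Location: main.php');
exit;
```

Account creation and password changes must store password_hash($plain, PASSWORD_DEFAULT) for password_verify() to work; existing md5 values would need a one-time migration on next successful login.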

ASKER CERTIFIED SOLUTION
Roger Baklund
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
paul_taylor_22

ASKER

OK, thanks for that, it's in place and appears to work.