paul_taylor_22
asked on
PHP secure login code
Hi,
Apologies if the answer to this is found in another post; I have not found it so far.
I am looking to implement a system which includes a login portal, for users (stored in the DB) to log in using PHP sessions.
Below is the code that I have used, which works, but the security aspect is concerning me.
Could you let me know if this is a secure way to implement this, and if I can improve it in any way?
Thanks in advance.
All files include check_login.php:
<?php
session_start();
// Any page that includes this file is only served to a logged-in user.
if (!isset($_SESSION['user_id'])) {
    include("login.php");
    exit();
}
?>
login.php:
<html>
<head>
</head>
<body>
<form action="login_submit.php" method="POST">
    Username: <input type="text" name="username">
    Password: <input type="password" name="password">
    <!-- submit button added: with two text fields the browser will not submit the form implicitly -->
    <input type="submit" value="Login">
</form>
</body>
</html>
login_submit.php
<?php
include("includes/db_connect.php");
$username = $_POST['username'];
$password = $_POST['password'];
$qryGetUser = "SELECT * FROM user WHERE username='$username' LIMIT 1";
$rsGetUser = mysql_query($qryGetUser) or die(mysql_error());
//USERNAME CORRECT?
if (mysql_num_rows($rsGetUser) == 0) {
    echo "Username or password incorrect.";
    exit();
}
$rowUser = mysql_fetch_array($rsGetUser);
//PASSWORD CORRECT?
if ($rowUser['password'] != md5($password)) {
    echo "Username or password incorrect.";
    //LOCK ACCOUNT IF THIS IS THIRD ATTEMPT
    if ($rowUser['failed_attempts'] > 1) {
        $qryUpdateUser = "UPDATE user SET failed_attempts=failed_attempts+1, locked='1' WHERE user_id='" . $rowUser['user_id'] . "'";
    }
    //ELSE INCREMENT FAILED ATTEMPTS
    else {
        $qryUpdateUser = "UPDATE user SET failed_attempts=failed_attempts+1 WHERE user_id='" . $rowUser['user_id'] . "'";
    }
    $rsUpdateUser = mysql_query($qryUpdateUser) or die(mysql_error());
    exit();
}
//IF ACCOUNT LOCKED
if ($rowUser['locked'] == "1") {
    $qryUpdateUser = "UPDATE user SET failed_attempts=failed_attempts+1 WHERE user_id='" . $rowUser['user_id'] . "'";
    $rsUpdateUser = mysql_query($qryUpdateUser) or die(mysql_error());
    echo "<b>Error: </b>Your account has been disabled.<br/>Please contact your systems administrator.";
    exit();
}
//LOGGED IN
session_start();
$_SESSION['username'] = $rowUser['username'];
$_SESSION['user_id'] = $rowUser['user_id'];
$_SESSION['login_time'] = date("H:i:s d-m-Y");
header("Location: main.php");
?>
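A hardened version of login_submit.php, added here as an example; it is not part of the asker's post or of the accepted solution. It assumes includes/db_connect.php creates a PDO connection in $pdo, that the user.password column holds password_hash() output instead of md5(), and MySQL for the IF() syntax; the username is bound as a query parameter, the password is checked with password_verify(), every failure returns the same message, and the session id is rotated on login.

```php
<?php
// Added example (not the asker's code): login_submit.php rewritten with PDO
// prepared statements and password_hash()/password_verify().
// Assumes includes/db_connect.php defines $pdo (a PDO connection to MySQL)
// and that user.password holds password_hash() output rather than md5().
session_start();
require 'includes/db_connect.php';
const MAX_ATTEMPTS = 3;
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Bind the username as a parameter instead of interpolating it into SQL.
$stmt = $pdo->prepare('SELECT user_id, username, password, failed_attempts, locked
                         FROM user WHERE username = :u LIMIT 1');
$stmt->execute([':u' => $username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// One generic response for every failure (unknown user, wrong password,
// locked account) so the reply does not reveal which condition occurred.
$fail = static function (): void {
    http_response_code(401);
    echo 'Username or password incorrect.';
    exit();
};

if ($user === false) {
    $fail();
}

if ((int) $user['locked'] === 1 || !password_verify($password, $user['password'])) {
    // Count the attempt and lock the account once the limit is reached
    // (IF() is MySQL syntax; adjust for other databases).
    $upd = $pdo->prepare('UPDATE user
                             SET failed_attempts = failed_attempts + 1,
                                 locked = IF(failed_attempts + 1 >= :max, 1, locked)
                           WHERE user_id = :id');
    $upd->execute([':max' => MAX_ATTEMPTS, ':id' => $user['user_id']]);
    $fail();
}

// Success: reset the counter, rotate the session id so a pre-login session
// id cannot be reused, then store only the identity the site needs.
$pdo->prepare('UPDATE user SET failed_attempts = 0 WHERE user_id = :id')
    ->execute([':id' => $user['user_id']]);
session_regenerate_id(true);
$_SESSION['user_id']    = $user['user_id'];
$_SESSION['username']   = $user['username'];
$_SESSION['login_time'] = time();
header('Location: main.php');
exit();
```

Existing md5 values in user.password have to be replaced with password_hash($plain, PASSWORD_DEFAULT), either at registration or on each user's next successful login, before this check will pass.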