PHP Secure Login - password encryption

php security password-protection login-script
Suraj picture Suraj · Aug 28, 2010 · Viewed 30.8k times · Source

Here is the login system to which the secure login is to be implemented/

main_login.php

    <form name="form1" method="post" action="checklogin.php">
    Username:<input name="myusername" type="text" id="myusername" /> <br />
    Password:<input name="mypassword" type="password" id="mypassword" />
    <input type="submit" name="Submit" value="Login" />
    </form>

Checklogin.php

<?php
ob_start();
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name="cosmos"; // Database name 
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

login_success.php

<?php
session_start();

if(isset($_SESSION['username']) && ($_SESSION['username'] == $myusername)){
header("location:main_login.php");
}
?>

<html>
<body>
Login Successful. <a href="logout.php">Logout</a>
</body>
</html>

logout.php

<?php
session_destroy();

header("location:main_login.php");
?>

the problem is that I want to make this secure login by password encryption or any other method (if any). I am beginner to PHP

Answer

phpPig picture phpPig · Aug 28, 2010

You can encrypt the password to a degree with md5. You would need to md5 the password from when the user signs up and before the login md5....

Example: // Define $myusername and $mypassword $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; $mypassword = md5($mypassword);

You would also need to use this whenever you have a user sign up.

Related questions

What is a good way to produce a random "site salt" to be used in creating password retrieval tokens?

I would like to create a site-wide hash to be used as salt in creating password retrieval tokens. I have been bouncing around stackoverflow trying to get a sense of the best way to do this. Here's the reset process: …

Read More
How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More
How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

Read More