Php login script -
I wrote a script that handles the login process. I'd like a discussion on how I could make the script more secure, simplify it, and keep the code DRY. This is not a "need an answer" type of post, more a discussion. Guidance and advice are appreciated.
my login.php
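<?php
/**
 * login — session-backed login / authorisation helper.
 *
 * Reconstructed from a listing that was lowercased and had its SQL keywords
 * (FROM / WHERE / AND / INTO) stripped; the table and column names used here
 * (user, session, username, password, id, ip, credit) are the ones the listing
 * itself uses. Relies on the project's db_connect() and fsanitize_ip() helpers
 * and on the ext/mysql functions the listing already calls (removed in PHP 7 —
 * moving to PDO/mysqli prepared statements is the long-term fix).
 *
 * Changes against the listing:
 *  - every value interpolated into SQL goes through escape(); the listing's
 *    logout() interpolated the raw session id, unlike checkauthorized().
 *  - mysql errors are logged server-side instead of die(mysql_error()).
 *  - the session id is regenerated on successful login (session fixation).
 *  - checkauthorized() fails closed for a credit value other than user/admin.
 *  - logout() actually clears $_SESSION (unset($_SESSION) only drops the alias).
 */
class login
{
    private $db   = null; // whatever db_connect() returns; only tested for truthiness
    private $ip   = null; // REMOTE_ADDR of the client, '' when absent (e.g. CLI)
    private $uid  = null; // id of the logged-in user row, 0 until checklogin() succeeds
    private $date = null; // login date as Y-m-d (the lowercased listing shows 'y-m-d')

    public function __construct()
    {
        $this->db   = db_connect();
        $this->ip   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        $this->uid  = 0;
        $this->date = date('Y-m-d');
    }

    /**
     * Escapes a value for use inside a single-quoted SQL literal.
     * Uses the same default connection that mysql_query() uses in this class,
     * replacing the listing's sanitize($value, sql) for the SQL context.
     *
     * @param mixed $value
     * @return string
     */
    private function escape($value)
    {
        return mysql_real_escape_string((string) $value);
    }

    /**
     * Verifies a username/password pair against the user table and, on success,
     * stores the login in the PHP session and the session table.
     *
     * @param string $username
     * @param string $password plaintext; compared as an unsalted sha1 hex digest
     *        because that is what the stored rows contain. Unsalted sha1 is not an
     *        acceptable password hash — migrate the rows to password_hash() /
     *        password_verify() (PHP 5.5+) and verify in PHP rather than in SQL.
     * @return bool true on success; false on bad credentials or without a db connection
     */
    public function checklogin($username, $password)
    {
        if (!$this->db) {
            $this->sessiondefault();
            return false;
        }
        $query = sprintf(
            "SELECT * FROM user WHERE username = '%s' AND password = '%s'",
            $this->escape($username),
            sha1($password) // 40 hex chars, nothing to escape
        );
        $result = mysql_query($query);
        $row    = $result ? mysql_fetch_object($result) : false;
        if (!is_object($row)) {
            $this->sessiondefault();
            return false;
        }
        // New session id at the privilege change so an id handed to the client
        // before login cannot be reused afterwards.
        session_regenerate_id(true);
        $this->storesession($row, true, 'user');
        return true;
    }

    /**
     * Resets the session keys this class owns to their logged-out values.
     */
    public function sessiondefault()
    {
        $_SESSION['username'] = null;
        $_SESSION['session']  = null;
        $_SESSION['uid']      = 0;
        $_SESSION['logged']   = false;
    }

    /**
     * Records an authenticated user in $_SESSION and in the session table.
     *
     * @param object $login  user row from checklogin(); username and id are read
     * @param bool   $init   unused; kept so existing callers keep working
     * @param string $credit privilege level stored with the row ('user' by default;
     *        the listing ignored this parameter and always wrote 'user')
     * @return bool true when the row was inserted, false on query failure or without a db connection
     */
    public function storesession(&$login, $init = true, $credit = 'user')
    {
        $_SESSION['username'] = $login->username;
        $_SESSION['uid']      = $login->id;
        $_SESSION['ip']       = $this->ip;
        $_SESSION['session']  = session_id();
        $_SESSION['logged']   = true;
        $this->uid            = $login->id;

        if (!$this->db) {
            return false;
        }
        $query = sprintf(
            "INSERT INTO session VALUES ('%s','%s','%s','%s','%s')",
            $this->escape($login->username),
            $this->escape(session_id()),
            $this->escape($this->ip),
            $this->escape($this->date),
            $this->escape($credit)
        );
        if (!mysql_query($query)) {
            // Log instead of die(mysql_error()): the error text exposed the schema to the browser.
            error_log('login::storesession: ' . mysql_error());
            return false;
        }
        return true;
    }

    /**
     * Looks the (session id, ip) pair up in the session table.
     *
     * @param string $session session id, normally session_id()
     * @param string $ip      client address; passed through the project's fsanitize_ip()
     * @param bool   $admin   when true only an 'admin' row is accepted
     * @return string|false 'user' or 'admin' for a known pair, false otherwise.
     *         The listing returned 'admin' for any credit other than 'user';
     *         an unexpected credit value now fails closed.
     */
    public function checkauthorized($session, $ip, $admin = false)
    {
        if (!$this->db || $session === null || $session === '') {
            return false;
        }
        $query = sprintf(
            "SELECT * FROM session WHERE session = '%s' AND ip = '%s'",
            $this->escape($session),
            $this->escape(fsanitize_ip($ip))
        );
        $result = mysql_query($query);
        $row    = $result ? mysql_fetch_object($result) : false;
        if (!is_object($row)) {
            return false;
        }
        if ($row->credit === 'admin') {
            return 'admin';
        }
        if ($row->credit === 'user' && !$admin) {
            return 'user';
        }
        return false;
    }

    /**
     * Ends the PHP session and removes its row from the session table.
     *
     * @param string $session session id to delete, normally session_id()
     * @return bool true when the delete succeeded, false on query failure or without a db connection
     */
    public function logout($session)
    {
        // unset($_SESSION) only drops the local alias of the superglobal; clear the data itself.
        $_SESSION = array();
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();

        if (!$this->db) {
            return false;
        }
        $query = sprintf("DELETE FROM session WHERE session = '%s'", $this->escape($session));
        return (bool) mysql_query($query);
    }
}
?>
my loginform.php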
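<?php
session_start();
require_once('connection.php');
require_once('sanitize.php');
require_once('login.php');

/* One login object serves both the session check and the form submission. */
$auth = new login();
$ip   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

/* Already authenticated: skip the form. exit() so the page below is not sent with the redirect. */
if ($auth->checkauthorized(session_id(), $ip)) {
    header("location:user.php");
    exit();
}

/* Handle the submission before any HTML is output, otherwise header() can no longer redirect. */
$failed = false;
if (!empty($_POST)) {
    // Read the two fields by name; extract($_POST) let any posted name overwrite a local variable.
    $username = isset($_POST['username']) ? (string) $_POST['username'] : '';
    $password = isset($_POST['password']) ? (string) $_POST['password'] : '';
    if ($auth->checklogin($username, $password)) {
        header("location:user.php");
        exit();
    }
    $failed = true;
}
?>
<!DOCTYPE html>
<html>
<head>
<script type="text/javascript">
function loginshow(show) {
    // Ids are case-sensitive and must be quoted; the container below is "logindiv".
    document.getElementById('logindiv').style.display = show ? '' : 'none';
}
</script>
<style>
div#login { width: 400px; height: 150px; margin: 20% auto; border: thin dotted gray; }
input[type=text], input[type=password] { text-align: center; width: 250px; }
input[type=submit] { width: 80px; }
div#login p { margin: 5px auto; text-align: center; }
</style>
</head>
<body>
<div id="logindiv">
<div id="login">
<!-- form id renamed from "login": an id must be unique and the enclosing div already uses it -->
<form method="post" name="login" action="loginform.php" id="loginform">
<p>username</p>
<p><input type="text" id="username" name="username"/></p>
<p>password</p>
<p><input type="password" id="password" name="password"/></p>
<?php if ($failed): ?>
<p>login failed</p>
<?php endif; ?>
<p><input type="submit" name="logged" id="logged" value="login"/></p>
</form>
</div>
</div>
<script type="text/javascript">loginshow(true);</script>
</body>
</html>
my authorize.php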
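<?php
/* Gate for protected pages: the (session id, ip) pair must exist in the session table.
 * Included by logout.php; the includes below make it usable on its own as well. */
if (session_id() === '') {
    session_start();
}
require_once('connection.php');
require_once('sanitize.php');
require_once('login.php');

$session = session_id();
$ip      = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

$login      = new login();
$logincheck = $login->checkauthorized($session, $ip);

if (!$logincheck) {
    // Stop here: without exit() the protected content below is still sent along with the redirect.
    header("location:loginform.php");
    exit();
}

echo "<center>";
echo "<h1>session valid. no need login</h1>";
echo "<a href='logout.php'>logout</a>";
echo "</center>";
?>
my logout.php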
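<?php
session_start();
require_once('connection.php');
require_once('sanitize.php');
require_once('login.php');
require_once('authorize.php'); // sends the visitor to loginform.php when not logged in

/* Capture the id before logout() destroys the session; it is the key deleted from the session table. */
$session = session_id();

$logout    = new login();
$logstatus = $logout->logout($session);

if ($logstatus) {
    echo "<center>";
    echo "<h1>session cleared</h1>";
    echo "<a href='loginform.php'>login</a>";
    echo "</center>";
} else {
    echo "<center>";
    echo "<h1>session failed delete database</h1>";
    echo "<a href='logout.php'>retry</a>";
    echo "</center>";
}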
Just one thing:
Use bcrypt to securely store passwords; here's a simple PHP 5 class for you.
If I had a penny for each time I had to say this, I'd be a rich man.