Hi all, I would like your views on whether the function I have created below is a no-fault login function. I am using salt and bcrypt for security.
First, I use the username to get the salt. Then I assign the password by using crypt with the variables password (from form input) and salt.
Next, using the username and password, I check whether the member exists. Then I store the member's id as a session value for future use.
What I would like to know is whether there is anything wrong with this function.
    function login(){
        // Read the credentials from the request
        $username = trim($_GET['username']);
        $password = trim($_GET['password']);
        // Reject empty input
        if($username == '' || $password == ''){
            return 0;
        }
        // Reject oversized input
        if(strlen($username) > 30 || strlen($password) > 30){
            return 0;
        }
        $username = strtolower($username);
        // Look up the member's salt by username
        $q = "SELECT * FROM member WHERE username = '$username'";
        $value = $this->run_get_query($q);
        $salt = $value[0]['salt'];
        // Hash the submitted password with the stored salt
        $password = crypt($password, $salt);
        // Check that username and hashed password match a row
        $q = "SELECT * FROM member WHERE username = '$username' AND password = '$password'";
        $member_details = $this->run_get_query($q);
        $num_rows = count($member_details);
        if($num_rows == 1){
            // Store the member's id in the session for later requests
            $_SESSION['member'] = $member_details[0]['id'];
        }
        return $num_rows;
    }
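For comparison, here is an added example (not the asker's code) of the same login flow written with a parameterised query and PHP's `password_hash()`/`password_verify()` in place of string-built SQL and `crypt()`. It assumes a `member` table with `id`, `username` and `password` columns, where `password` holds a bcrypt hash from `password_hash()`; it uses an in-memory SQLite database with one constructed row so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Returns the member id on success, null on any failure.
function login(PDO $db, string $username, string $password): ?int
{
    $username = strtolower(trim($username));
    // Reject empty or oversized input (bcrypt only uses the first 72 bytes).
    if ($username === '' || $password === ''
        || strlen($username) > 30 || strlen($password) > 72) {
        return null;
    }
    // One parameterised query: the username is bound as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT id, password FROM member WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so the response
    // time does not reveal which usernames exist. The dummy is built once.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('constructed-dummy-password', PASSWORD_BCRYPT);
    }
    $hash = $row !== false ? $row['password'] : $dummyHash;
    // password_verify() does a constant-time comparison of the bcrypt output.
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed sample data: an in-memory table with a single member.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO member (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse battery', PASSWORD_BCRYPT)]);

$id = login($db, 'Alice', 'correct horse battery');   // known user, right password
if ($id !== null && PHP_SAPI !== 'cli') {
    session_start();
    session_regenerate_id(true);   // new session id on login to prevent fixation
    $_SESSION['member'] = $id;
}
var_dump($id);
var_dump(login($db, 'alice', 'wrong password'));      // known user, wrong password
var_dump(login($db, "' OR '1'='1", 'anything'));      // bound as a literal username
```

The bound-parameter query treats the third call's input as a username string, so it simply finds no row; the session-handling branch is skipped when run from the command line.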