-2

I have used this code for admin login. loginhome.php should be opened only when a user enters the correct username and password. But then I realized this is not secure at all: anybody could directly go to mywebsite/loginhome.php without logging in, and after logout, loginhome.php can be opened using the back button. How can I make this more secure?

```php
<?php

$submit = isset($_POST['submit']);
if ($submit) {
    $first    = $_POST['first'];
    $password = $_POST['password'];
    $db = new mysqli("localhost", "root", "", "learndb");
    // User input is concatenated straight into the query and the password
    // is compared as plain text (the two problems the comments below raise).
    $sql = "select * from admin where username = '" . $first . "' and password = '" . $password . "'";
    $result = $db->query($sql);
    $result = mysqli_num_rows($result);

    if ($result > 0) {
        include_once "loginhome.php";
    } else {
        include_once "errorlogin.php";
    }
} // closes if ($submit); this brace was missing in the pasted code
```

Here is the HTML form if required.

```html
<form method="post" action="input.php">
Username:<input type="text" name="first"><br>
Password:<input type="password" name="password"><br>
<input type="submit" name="submit" value="LOGIN">
</form>
```
micky
  • 425
  • 1
  • 12
  • 37
  • @Fred while the linked question addresses problems in the question, it doesn't at all address the question itself. This is definitely the wrong duplicate. – Gerald Schneider Feb 01 '16 at 13:13
  • 1
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Feb 01 '16 at 13:16
  • 3
    **Danger**: You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) (i.e. none at all) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Feb 01 '16 at 13:16
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Feb 01 '16 at 13:27
  • You're mixing `mysql_*` and other database API functions. That won't work. – Jay Blanchard Feb 01 '16 at 13:29
  • 1
    So, are you really using `mysqli_num_rows()`? Or was the stealth edit just to cover yourself? – Jay Blanchard Feb 01 '16 at 13:32
  • @JayBlanchard I am just learning to upgrade from mysql to mysqli and that was a mistake. – micky Feb 01 '16 at 13:38
  • A mistake? In your original code? Or in the copy and paste here? It makes it hard for us to help you solve issues if you change the code in your question. – Jay Blanchard Feb 01 '16 at 13:39
  • @JayBlanchard it was mysql code in my original code; I copy-pasted it here and edited it to make it mysqli code (I knew I would get so many suggestions about deprecated mysql) and I just forgot that one. And the problem is solved. Thanks. – micky Feb 01 '16 at 13:43
  • syntax error: missing } in the end. – Sanzeeb Aryal Feb 01 '16 at 14:32
  • @JayBlanchard I have followed your suggestion to handle the password. If I use `$password = password_hash($_POST['password'], PASSWORD_DEFAULT);`, how should I insert the admin password in the database? – micky Feb 01 '16 at 15:23
  • You will need a TEXT field in your database to store the hash. Please read [Proper Password Hashing](http://jayblanchard.net/proper_password_hashing_with_PHP.html). – Jay Blanchard Feb 01 '16 at 15:23
  • @Jay I've read that. In your article the users themselves enter a username and password, which is hashed and then stored in the database. In my case the password should already be there. – micky Feb 01 '16 at 15:28
  • Then you would use `password_verify()`. – Jay Blanchard Feb 01 '16 at 15:37
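Pulling the comments above together (prepared statements against the SQL injection, `password_hash()` when the admin row is stored, `password_verify()` at login), here is an added example that is not the asker's code. It keeps the question's `learndb` database, the `admin` table and its `username`/`password` columns, but assumes the `password` column has been widened (TEXT, or VARCHAR(255)) to hold the hash, and needs PHP 5.5 or later (or the compatibility pack linked above) for the password functions. The function names `connectDb`, `seedAdmin` and `checkLogin` are my own.

```php
<?php
// Added example (not the asker's code). Uses the question's database and
// table: learndb.admin with columns username and password, where password
// now stores a password_hash() string (TEXT or VARCHAR(255) column).
// Requires PHP 5.5+ for password_hash()/password_verify().

function connectDb()
{
    // Throw on MySQL errors instead of returning false that nobody checks.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli("localhost", "root", "", "learndb");
}

// Run once (from a throwaway script) to store the admin's password as a
// hash. This is the "how do I insert the admin password" step: the plain
// text never reaches the database.
function seedAdmin(mysqli $db, $username, $plainPassword)
{
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO admin (username, password) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $hash);
    $stmt->execute();
    $stmt->close();
}

// True only when the user exists and the password matches the stored hash.
// The username is a bound parameter: quotes or SQL keywords inside it are
// data, not query text, which closes the injection hole in the original.
function checkLogin(mysqli $db, $username, $plainPassword)
{
    $stmt = $db->prepare("SELECT password FROM admin WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true if a row came back, null if none
    $stmt->close();

    return $found && password_verify($plainPassword, $hash);
}

// input.php: the question's form posts here.
if (isset($_POST['submit'])) {
    $user = isset($_POST['first']) ? $_POST['first'] : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';

    if (checkLogin(connectDb(), $user, $pass)) {
        session_start();
        session_regenerate_id(true);   // fresh session id once authenticated
        $_SESSION['logged_in'] = true;
        header("Location: loginhome.php");
        exit;                          // stop here; send nothing else
    }
    include_once "errorlogin.php";
}
```

`seedAdmin()` is called once with the admin's chosen password and then deleted; afterwards only `checkLogin()` ever touches the stored hash, and a SELECT that returns no row fails in the same branch as a wrong password.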

1 Answer

0

You can use a PHP Session instead to make it more secure. Firstly, redirect users to loginhome.php in the Login Page (e.g. login.php).

```php
<?php
session_start();
$_SESSION['logged_in'] = true;
header("Location: loginhome.php");
exit;
```

And in the loginhome.php file, you can check for the session; if it is not set, redirect users back to the Login Page.

```php
<?php

include "include.php";
session_start();
// empty() also covers the case where the key was never set (no notice)
if (empty($_SESSION['logged_in'])) {
    session_destroy();
    header("Location: login.php");
    exit; // stop here, otherwise the rest of loginhome.php is still sent
}

?>
```

To logout, destroy the Session.

```php
<?php

session_start();
$_SESSION['logged_in'] = 0;
session_destroy();
header("Location: login.php");
exit;

?>
```

The include.php file:

```php
<?php
// Replace the placeholders with your own connection details
$link = mysqli_connect("host", "user", "password", "database");
?>
```

Just a tip, you should encrypt the users' usernames and passwords. Hope this helps!

Panda
  • 6,940
  • 6
  • 37
  • 53
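The answer's pieces (the check at the top of loginhome.php, the logout, and the asker's back-button problem) collected into one include file, as an added example rather than Panda's own code. It keeps the answer's `$_SESSION['logged_in']` flag; the file name `auth.php` and the function names `requireLogin` and `logout` are my choice. Two things the answer's snippets do not do are added: `exit` after every `header("Location: ...")`, so the protected page is not still sent to a logged-out visitor after the redirect header, and `Cache-Control` headers on the protected page, so the browser re-requests it (and hits the redirect) instead of showing a stored copy when the back button is pressed after logout.

```php
<?php
// auth.php: added example, not the answer's code. Include it at the top of
// loginhome.php (and any other protected page) and call requireLogin();
// logout.php just includes it and calls logout().

function requireLogin($loginPage = "login.php")
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    // empty() treats "never set" and the answer's logout value 0 the same
    // way, and raises no notice when the key is absent.
    if (empty($_SESSION['logged_in'])) {
        header("Location: " . $loginPage);
        exit; // without this the rest of the protected page is still sent
    }
    // Forbid caching of the protected page so that, after logout, the back
    // button re-requests it and lands on the redirect above.
    header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
    header("Pragma: no-cache");
    header("Expires: 0");
}

function logout($loginPage = "login.php")
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $_SESSION = array();   // clear all server-side session data, not just the flag
    if (ini_get("session.use_cookies")) {
        // Expire the session cookie too, so the old session id leaves the browser.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();
    header("Location: " . $loginPage);
    exit;
}
```

loginhome.php then begins with `<?php require "auth.php"; requireLogin(); ?>` before any HTML, and logout.php is simply `<?php require "auth.php"; logout(); ?>`. Both calls must come before any output, because `header()` and `setcookie()` cannot be sent once the response body has started.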