This is my login page.
include 'config.php';
if (($_POST['username']!=$user) || ($_POST['password']!=$pass))
{
// login deny.
// process usaully terminate at the end of block
}else{
// login grant.
}
$user and $pass value declared in config.php.
Is there any chance that I can login without knowing password and username ?
Like cast $_POST[] to int.
The answer to your question is yes, a user can get through your login without knowing the password. The real question is how hard can you make it for him to do that, and/or how long will it take him to brute force/guess it.
A possible way of preventing brute forcing is to track the number of requests and employing rate-limiting techniques that many API servers use to stop excessive attempts to login. This could use sessions, or better yet an internal log by the client's IP address of the number of attempted requests, and after say 10 failed requests, you lock that IP address out for 24 hours.
Are you going to post your credentials for every page view? You should be only be posting data once, validating it and saving the result to a session variable that you'll then check to determine if the user is logged in.
Here's a short example of a basic, badly secured login system (you should be hashing your passwords!!):
config.php
session_start(); // let's get this puppy rolling
$user = 'example';
$pass = 'anUnsafePasswordHere'; // hash me please!!!
yourpage.php
include 'config.php';
if(!isset($_SESSION['is_logged_in']) || $_SESSION['is_logged_in'] !== true) {
// strict comparison for your login check failed, redirect to login page
header("Location: login.php");
exit;
}
// display regular content here, they are logged in!
Your login page will obviously have a form and will post somewhere, so let's replicate that quickly:
login.php
include 'config.php';
if(isset($_POST['login'])) {
if(
!empty($_POST['user']) // check that the vars exist before trying to
&& !empty($_POST['pass']) // use them in your comparison
&& $_POST['user'] === $user // strict check here, content and var type
&& $_POST['pass'] === $pass
) {
// login succeeded! clear failed validation errors, set success and redirect
unset($_SESSION['login_errors']);
$_SESSION['is_logged_in'] = true;
header("Location: yourpage.php");
exit;
}
// login failed, let's save an error message to the session and redirect back
// to the login form
$_SESSION['login_errors'] = 'Login failed, please try again!';
header("Location: login.php");
exit;
}
?>
<form action="login.php" method="post">
<?php if(!empty($_SESSION['login_errors'])) echo '<p>' . $_SESSION['login_errors'] . '</p>'; ?>
<input type="text" name="user" placeholder="Username">
<input type="password" name="pass" placeholder="Password">
<button type="submit" name="login">Login!</button>
</form>
If you use a basic structure like this for your login system you shouldn't go too far wrong. The idea is that whenever the session variable representing your "logged in" state isn't present, you're forcing a redirect to the login page.
The login page posts to itself, where the credentials are checked and if it's all OK that logged in state session variable is set, and you're send back to the main page - where it does pass the validation check at the top of the page this time.
Obviously to log out, you will just call unset($_SESSION['is_logged_in']); or session_destroy() then redirect back to the login page.
Now for security reasons you should definitely implement some hashing.
If you only want one account to access your script and you think using a database purely for this is a little excessive, you can store your credentials in the source code, however you should always store your passwords as hashed representations of what they are so that anyone who happens to look over your shoulder or somehow obtain access to your source code won't immediately see your password.
A couple of old classic (but now phased out due to more secure alternatives) methods of quick, built into PHP hashing techniques are using md5() or sha1() to give a hashed representation of your password. Hashing is a sort of one-way encryption, and it takes a machine a long time to brute-force what a hash represents, so any security is better than none. I suggest you use bcrypt, but a baseline level of security for your application (better than nothing!) would be to use md5() to turn your secretpassword into a hash like 2034f6e32958647fdff75d265b455ebf, then store that in your source code.
All you need to change in your login file is the line that compares the password you've posted with the one in the source code:
if(md5($_POST['pass']) === $user)
To take hashing to a modern best-practice level, you should be looking at using something like bcrypt to store your passwords securely.
