
I have used this code for admin login. loginhome.php should be opened only when a user enters the correct username and password. But then I realized this is not secure at all: anybody could directly go to mywebsite/loginhome.php without logging in, and after logout, loginhome.php can be opened using the back button. How can I make this more secure?

```php
<?php

$submit = isset($_POST['submit']);
if ($submit)
{
    $first = $_POST['first'];
    $password = $_POST['password'];
    $db = new mysqli("localhost", "root", "", "learndb");
    // username and password are concatenated straight into the query and compared in plain text
    $sql = "select * from admin where username = '" . $first . "' and password = '" . $password . "'";
    $result = $db->query($sql);
    $result = mysqli_num_rows($result);

    if ($result > 0)
    {
        include_once "loginhome.php";
    }
    else
    {
        include_once "errorlogin.php";
    }
}
```

Here is the html form if required.

```html
<form method="post" action="input.php">
Username:<input type="text" name="first"><br>
Password:<input type="password" name="password"><br>
<input type="submit" name="submit" value="LOGIN">
</form>
```
micky
  • @Fred while the linked question addresses problems in the question, it doesn't at all address the question itself. This is definitely the wrong duplicate. – Gerald Schneider Feb 01 '16 at 13:13
  • 1
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Feb 01 '16 at 13:16
  • 3
    **Danger**: You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) (i.e. none at all) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Feb 01 '16 at 13:16
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Feb 01 '16 at 13:27
  • You're mixing `mysql_*` and other database API functions. That won't work. – Jay Blanchard Feb 01 '16 at 13:29
  • 1
    So, are you really using `mysqli_num_rows()`? Or was the stealth edit just to cover yourself? – Jay Blanchard Feb 01 '16 at 13:32
  • @JayBlanchard I am just learning to upgrade from mysql to mysqli and that was a mistake. – micky Feb 01 '16 at 13:38
  • A mistake? In your original code? Or in the copy and paste here? It makes it hard for us to help you solve issues if you change the code in your question. – Jay Blanchard Feb 01 '16 at 13:39
  • @JayBlanchard it was mysql code in my original code; I copy-pasted it here and edited it to make it mysqli code (I knew I would get so many suggestions about deprecated mysql) and I just forgot that one. And the problem is solved. Thanks. – micky Feb 01 '16 at 13:43
  • syntax error: missing } in the end. – Sanzeeb Aryal Feb 01 '16 at 14:32
  • @JayBlanchard I have followed your suggestion to handle the password. If I use `$password = password_hash($_POST['password'], PASSWORD_DEFAULT);`, how should I insert the admin password in the database? – micky Feb 01 '16 at 15:23
  • You will need a TEXT field in your database to store the hash. Please read [Proper Password Hashing](http://jayblanchard.net/proper_password_hashing_with_PHP.html). – Jay Blanchard Feb 01 '16 at 15:23
  • @Jay I've read that. In your article the user themself enters username and password which is hashed and then stored in database. In my case password should already be there. – micky Feb 01 '16 at 15:28
  • Then you would use `password_verify()`. – Jay Blanchard Feb 01 '16 at 15:37

1 Answer


You can use a PHP Session instead to make it more secure. Firstly, redirect users to loginhome.php in the Login Page (e.g. login.php).

```php
session_start();
$_SESSION['logged_in'] = true;
header("Location: loginhome.php");
exit; // stop the script; nothing after the redirect should be sent
```

And in the loginhome.php file, you can check for the session, if not set, then redirect users back to the Login Page.

```php
<?php

session_start();          // must run before any output is sent
include "include.php";
if (empty($_SESSION['logged_in'])) {   // empty() avoids a notice when the key was never set
    session_destroy();
    header("Location: login.php");
    exit; // without exit the protected page below would still be delivered
}

?>
```

To logout, destroy the Session.

```php
<?php

session_start();
$_SESSION['logged_in'] = 0;
session_destroy();
header("Location: login.php");
exit;

?>
```

include.php file.

```php
<?php
$link = mysqli_connect("host", "user", "password", "database");
?>
```

Just a tip, you should encrypt the users' usernames and passwords. Hope this helps!

Panda
  • what is that include.php – micky Feb 01 '16 at 13:11
  • It's the database connection. – Panda Feb 01 '16 at 13:11
  • Edited answer to include `include.php` – Panda Feb 01 '16 at 13:13
  • btw,, this `if($result>0){...}` will **never** happen. – Funk Forty Niner Feb 01 '16 at 13:17
  • Why? `if ($result > 0) { ... }` is the authentication of user, right? – Panda Feb 01 '16 at 13:18
  • Oh, yes, I think it should be `if(mysql_num_rows($result)>0){ ... }` instead. – Panda Feb 01 '16 at 13:20
  • I have tried this but I can still directly access loginhome.php using mywebsite/loginhome.php. – micky Feb 01 '16 at 13:22
  • Did you add the code for `loginhome.php` to check if the Session exists? – Panda Feb 01 '16 at 13:23
  • Yes, I have added that code. But my loginhome is an HTML file, so I could possibly have added it in the wrong place. Where should I add that code? – micky Feb 01 '16 at 13:27
  • session_start(), after include.php? Really? – Mark Ng Feb 01 '16 at 13:28
  • Now I made it loginhome.php and added that code at the front. – micky Feb 01 '16 at 13:30
  • After login you should do `session_regenerate_id(true);` to change PHP session id - otherwise your code is prone to session fixation attack. http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking – n-dru Feb 01 '16 at 14:50
  • @n-dru should I use this code after `$_SESSION['logged_in'] = true;`? – micky Feb 01 '16 at 15:12
  • Yep, exactly there. You can try it with and without it to see how it works: just change the session id in your browser cookie to whatever string, and log in and log out; it will stay the same. Now if you extend the cookie expiration, you could always log in with the same session id. Someone could do it on your laptop and hence always have access to your session once you log in. – n-dru Feb 01 '16 at 15:15
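The pieces raised across the question's comments (prepared statements, `password_verify()`) and the answer's comments (session check, `session_regenerate_id()`, the back-button problem) combined into one flow, as an added example that is not code from the question or the answer. It assumes an `admin(username, password_hash)` table whose `password_hash` column holds a `password_hash()` value, the file names used in the thread, and that each page calls `session_start()` before using these functions.

```php
<?php
// Added example, not code from the question or the answer. Assumes an
// `admin(username, password_hash)` table whose password_hash column holds a
// password_hash() value and the file names used in the thread.
declare(strict_types=1);

// login.php: look the user up with a prepared statement and check the hash.
function login_handler(mysqli $db, string $username, string $password): bool
{
    // Bound parameter: the username is sent as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT password_hash FROM admin WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a dummy hash when the user is unknown so response time
    // does not differ between "no such user" and "wrong password".
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true); // new id after login defeats session fixation
    $_SESSION['logged_in'] = true;
    $_SESSION['username'] = $username;
    return true;
}

// First lines of loginhome.php, before any HTML is echoed.
function require_login(): void
{
    header('Cache-Control: no-store'); // Back after logout must not show a cached copy
    if (empty($_SESSION['logged_in'])) {
        header('Location: login.php');
        exit; // without exit the rest of the page is still sent to the client
    }
}

// logout.php: drop the session data and the cookie that names the session.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        setcookie(session_name(), '', time() - 42000, '/');
    }
    session_destroy();
    header('Location: login.php');
    exit;
}
```

login.php redirects to loginhome.php when `login_handler()` returns true and to errorlogin.php otherwise, followed by `exit;` in both branches.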