Authentication for Web Application Security
In the last article we started to build our site and then continued to explore the login script. In this article we will continue to explore the script but will also discuss in detail the process of authentication and its security implications. We will eventually look at some of the common attacks that are perpetrated by malicious users. Join us in this fourth part of an eight-part series.
The Login Script continued
Since we've already explored and discussed the JavaScript code, let's go through the actual login script. Here's the PHP code for the login form:
<?php
session_start();
//someone registered?
if(isset($_GET['reg'])){
    $reg="Your details have been added, please login";
}
$error=false;
$errmsg="";
//has form been submitted
if(isset($_POST['key'])){
    //check that neither the username nor the password is empty
    if( empty($_POST['uname']) || empty($_POST['upass']) ){
        print "Please enter your username and password.";
        $errmsg="Please enter your username and password.";
        $error=true;
    }
    //check that the username and password is string
    if( is_numeric($_POST['uname']) && (is_numeric($_POST['upass']))){
        print "Please enter a valid username and password.";
        $errmsg=" Please enter a valid username and password.";
        $error=true;
    }
    //if no error then start authentication process
    if(!$error){
        //transfer to shorter var
        $n=$_POST['uname'];
        $p=$_POST['upass'];
        //connect to db
        include('../config.inc');
        //clean using mysql cleaner
        //(the mysql_* functions were removed in PHP 7; current PHP needs mysqli or PDO)
        $cleanuname=mysql_real_escape_string($n);
        $cleanupass=mysql_real_escape_string($p);
        $query="select uname,pw from users where uname='$cleanuname' and pw='$cleanupass' ";
        $result=mysql_query($query);
        $num=mysql_num_rows($result);
        if($num>0 ){
            //put in session vars (the session was already started at the top of the script)
            $mytime=time();
            $mytime=date("H:i:s A",$mytime);
            $_SESSION['time'] = $mytime;
            $_SESSION['status'] = 'logged';
            $_SESSION['username'] = $cleanuname;
            //goto next page
            header("Location: welcome.php");
            exit;
        }else{
            //no matching row: the login failed
            $_SESSION['status'] = 'not logged';
            $errmsg="Your username ($n) and password do not match, please try again.";
        }
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/primary/Templates/was.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<!-- InstanceBeginEditable name="doctitle" -->
<title>WebSecure::Login</title>
<!-- InstanceEndEditable -->
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="Templates/was.css" rel="stylesheet" type="text/css" />
<script language="javascript" type="text/javascript">
function checkform(pform1){
    if(pform1.uname.value==""){
        alert("Please enter a username");
        pform1.uname.focus();
        return false;
    }
    // the password field in the form below is named "upass"
    if(pform1.upass.value==""){
        alert("Please enter a password");
        pform1.upass.focus();
        return false;
    }
    // never reached: the two checks above already return when a field is empty
    if(pform1.upass.value=="" && pform1.uname.value==""){
        alert("Please make sure that you have entered your username and password");
        return false;
    }
    return true;
}
</script>
</head>
<body>
<table width="99%" border="1">
<tr>
<td bgcolor="#333333" class="header">Web Secure</td>
</tr>
<tr>
<td><!-- InstanceBeginEditable name="main" -->
<form name="form1" onSubmit="return checkform(this)" method="post" action="">
<table width="41%" border="0" align="center" cellpadding="0" cellspacing="3">
<tr class="listtop">
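<td colspan="3">Login Status:<?php if($errmsg!=""){
// the script stores its messages in $errmsg; escape it because it can contain the submitted username
echo htmlspecialchars($errmsg);
}elseif(isset($reg)){
echo "$reg";
}?></td>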
</tr>
<tr>
<td width="9%">Username</td>
<td width="41%"><input name="uname" type="text" id="uname" size="50"></td>
<td width="50%" rowspan="4"> </td>
</tr>
<tr>
<td>Password</td>
<td><input name="upass" type="password" id="upass" size="50">
<input type="hidden" name="key" /></td>
</tr>
<tr>
<td> </td>
<td><a href="../password.php">Forgotten your password?</a>|<a href="register.php">Register</a></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</form>
<!-- InstanceEndEditable --></td>
</tr>
<tr>
<td class="copy">©2008</td>
</tr>
</table>
</body>
<!-- InstanceEnd --></html>
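The script above escapes the input with mysql_real_escape_string and compares the submitted password directly against the pw column. As an added example (not part of the original article), here is the same lookup written with a prepared statement and hashed passwords. The function names make_demo_db and check_login are hypothetical, the users table keeps the article's uname and pw columns, and an in-memory SQLite database with a constructed account stands in for the real one.

```php
<?php
// Added example, not the article's code. Assumptions: the pw column holds
// password_hash() output, and an in-memory SQLite database stands in for the
// real one so the script runs offline (needs the pdo_sqlite extension).

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uname TEXT PRIMARY KEY, pw TEXT NOT NULL)');
    // Constructed sample account; only the hash is stored, never the password.
    $ins = $db->prepare('INSERT INTO users (uname, pw) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// True only when the user exists and the password matches the stored hash.
function check_login(PDO $db, string $uname, string $upass): bool {
    static $dummy = null;
    // Hash verified for unknown users so both paths do comparable work.
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);

    // The placeholder sends $uname as data; it is never spliced into the SQL.
    $stmt = $db->prepare('SELECT pw FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($upass, $dummy);
        return false;
    }
    return password_verify($upass, $hash);
}

$db = make_demo_db();
$cases = [                         // constructed inputs
    ['alice',  'correct horse'],   // right password
    ['alice',  'wrong'],           // wrong password
    ["o'neil", 'correct horse'],   // quote in the name, no such user
];
foreach ($cases as [$u, $p]) {
    printf("%-8s %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}
```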
More By David Web