Creating Web Applications with Sign In & Sign Out Facilities (part 2)

In the previous article we discussed the member registration page and the login page, but only the script for the new login page was given, without discussion. In this edition we discuss the login page in more detail.
There are two pages: the first is the login page, stored under the name login.php, and the second is the page that processes the data submitted from the login form, stored under the name login_process.php.
In principle, the login_process.php script processes the data from the login page. The first step, of course, is connecting to the database. After that it looks up the submitted username in the database; if there is no match, you are prompted to enter your username again. If the username matches an existing record in the database, the password is checked. If the password matches, you are logged in; if not, you are required to enter the correct password. Easy, isn't it?
But the script is not actually finished. Why? Because a script like the one above (even though it has been given a "fence" here and there) is still easily bypassed by anyone; you do not even need to learn to be a hacker to get past it.
A simple example: fill in the login form with data that exists in your database. Naturally you will be logged in and land on the main.php page, which reads "You are successfully logged in". Now press the "back" button of your browser, and once you are back on the login page, press "forward" in your browser and see what happens. Yes, you go back to the login_process.php page and are logged in successfully again. That means if you forget and leave your computer, other people can easily get in using your account.
So what is the solution? One way is to add a session to the application. By checking whether a session variable has been registered or not, the application becomes more secure. With this solution, the sign in / sign out facility of our application is split into five files as follows:


File login.php

<HTML>
<HEAD>
<TITLE>Login Page</TITLE>
</HEAD>
<BODY>
Please Login: <br />
<pre>
<form method="POST" ACTION="login_process.php" NAME="login">
Username : <input TYPE="text" NAME="username">
Password : <input TYPE="password" NAME="passwd">
<br />
<input TYPE="submit" VALUE="Submit">
</form>
</pre>
New users please register <A href="/signup.php">here</A>
</BODY>
</HTML>
File login_process.php
<?php
session_start();
$username = $_POST['username'];
$passwd = md5($_POST['passwd']);      // tbl_user.passwd holds the md5 of the password
$host = "localhost";
$db_user = "root";
$db_passwd = "root";
$db = "user";
// connect first, so the username can be escaped for this connection's charset
// (the mysql_* extension is the legacy one and only exists up to PHP 5)
$conn = @mysql_connect($host, $db_user, $db_passwd) or
    die("Connection failed: " . mysql_error());
mysql_select_db($db);
$sql = "select * from tbl_user where username = '" . mysql_real_escape_string($username) . "'";
$qry = mysql_query($sql) or
    die("Query failed: " . mysql_error());
$num = mysql_num_rows($qry);
$row = mysql_fetch_array($qry);
if ($num == 0 OR $passwd != $row['passwd']) {
    header("Location: failed.php");
} else {
    $_SESSION['login'] = 1;          // the flag success.php checks
    header("Location: success.php");
}
exit;   // header() does not stop the script; nothing should run after the redirect
?>

File success.php
<?php
session_start();
// no session flag means the visitor did not pass login_process.php
if (!isset($_SESSION['login'])) {
    include("login.php");
} else {
?>
<HTML>
<HEAD>
<TITLE>Success</TITLE>
</HEAD>

<BODY>
You are successfully logged in <br />
You can access this application <br /> <br />
<A href="/logout.php" title="Log Out">Log Out</A>
</BODY>
</HTML>
<?php
}
?>

File failed.php
<HTML>
<HEAD>
<TITLE>Failed</TITLE>
</HEAD>

<BODY>
Your user name or password is incorrect <BR>
Sorry, you are not allowed to access this page
</BODY>
</HTML>

File logout.php
<?php
session_start();
unset($_SESSION['login']);   // remove the login flag
session_destroy();           // drop the session data on the server
header("Location: login.php");
exit;
?>
A description of these files will be given in the next article. What is clear is that, using these five files, the sign in and sign out facility becomes more secure even if you click the back and forward buttons in your browser repeatedly. Good luck, and be creative.
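The session flag above fixes the back/forward problem, but the way login_process.php builds its query and compares md5 strings is the weak part of the five files. As an added example (not the article's code), here is a login_process.php that keeps the article's flow and its `$_SESSION['login']` flag but uses a PDO prepared statement and `password_verify()`; it assumes tbl_user.passwd stores a `password_hash()` value, and the DSN and credentials are placeholders.

```php
<?php
// Added example: hardened login_process.php with the same flow as the article's
// (look up user, check password, set session flag, redirect).
// Assumptions: table tbl_user(username, passwd) where passwd is a password_hash()
// value; the DSN, user and password below are placeholders.
session_start();

$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password = isset($_POST['passwd'])   ? (string) $_POST['passwd']   : '';

$pdo = new PDO('mysql:host=localhost;dbname=user;charset=utf8mb4', 'db_user', 'db_password', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));

// The username travels as a bound parameter, separately from the SQL text, so
// whatever the visitor types cannot change the structure of the query.
$stmt = $pdo->prepare('SELECT passwd FROM tbl_user WHERE username = ?');
$stmt->execute(array($username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare against the stored password_hash() value instead of two md5 strings.
// When the user does not exist, verify against a throwaway hash anyway so the
// response time does not reveal which usernames are valid.
$stored = ($row !== false) ? $row['passwd'] : password_hash('placeholder', PASSWORD_DEFAULT);
$ok     = password_verify($password, $stored) && ($row !== false);

if (!$ok) {
    header('Location: failed.php');
    exit; // header() alone does not end the script
}

// Fresh session id on privilege change (the old id was issued before login),
// then the same flag the article's success.php checks with isset().
session_regenerate_id(true);
$_SESSION['login']    = 1;
$_SESSION['username'] = $username;
header('Location: success.php');
exit;
```

The other four files stay as they are; success.php still only needs `isset($_SESSION['login'])`, and logout.php still unsets the flag and destroys the session.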
