Alright so after many people asking me to post the login script I use for my site at locatestyle.com, I made two functions. Now these functions do not include everything that is used for the login procedure on locatestyle.com due to the fact I don't want everyone to know how the complete script works on there. Figure if you know completely how it works, the easier it is to find security flaws. Now granted this could be more secure by using cookies in conjunction with a column in the database for the cookie value to be stored but here's the basis. Let me know what you think and if you run into any errors.

function doLogin($username,$password) {
    if($_SERVER['SERVER_NAME'] == URL) {
        $find_user = mysql_query("SELECT * FROM ".USERS_TABLE." WHERE username = '$username' AND password = '$password' LIMIT 1");
        if(mysql_num_rows($find_user) == 1) {
            $user = mysql_fetch_array($find_user);
            if($user['active'] == 1) {
                $update_login = mysql_query("UPDATE ".USERS_TABLE." SET last_login = '".time()."',login_ip = '".$_SERVER['REMOTE_ADDR']."', WHERE id = '".$user['id']."'");
                $_SESSION['id'] = $user['id'];
                mysql_free_result($find_user);
            } else {
                $login_error = "Your account has not been activated yet.";
            }
        } else {
            $login_error = "Wrong username/password.";
        }
    } else {
        die("You do not have permission to login to this site.");
    }
}

function checkLogin() {
    if($_SESSION['id'] != '') {
        $user = mysql_fetch_array(mysql_query("SELECT * FROM ".USERS_TABLE." WHERE id = '".$_SESSION['id']."' LIMIT 1"));
        if($user['login_ip'] == $_SERVER['REMOTE_ADDR']) {
            $expired = $user['last_login'] + 600;
            if(time() >= $expired_time) {
                session_destroy();
                header('Location: index.php');
            } else {
                $update_login = mysql_query("UPDATE ".USERS_TABLE." SET last_login = '".time()."' WHERE id = '".$user['id']."'");
            }
        } else {
            session_destroy();
            header('Location: index.php');
        }
    }
}

Now if your new to PHP and don't know what you need to change or how or even what columns you need in your table don't be afraid to ask.

I hope you are validating that password.
$username = "blahblah";
$password = "blah' or '2' = '2"

if not, I could log in with just that.

The password is validated by the function e.g. if password in the database is 'ghost' the only way a user will be able to login is with the password ghost

This article has been dead for over six months. Start a new discussion instead.