Edited code [7/1/2006 - evening]
Edited code [8/1/2006 - 17:04]
Edited code [9/1/2006 - 20:29]
Some time ago it seemed interesting to learn a dynamic web application language, because I was still making all my sites in HTML. I first tried ASP, but when I almost had the hang of it I suddenly noticed I would have been better off learning ASP.NET (with Microsoft's .NET framework). Anyway, I chose PHP then, mainly because it looked simpler, and you didn't have to choose another language like C# or VB to program the application in.
Fortunately I'm already experienced with some other programming languages, and it was quite simple. In a weekend I learnt PHP and rewrote the site of my MMORPG (from 70+ files to one index.php (MySQL)).
But that was quite easy; it was just some MySQL managing, that's it. Anyway, now I have to make a login script with sessions for a site of a game clan. I'm capable of doing that, but the problem is the security; I'm not experienced with that. That's why I want you guys to check and correct my script. It's possible it will have to be rewritten totally.
Anyway, here it is:
[Note]: Unfortunately there is no other 'encryption' used apart from md5 (that's actually a hashing algorithm). I noticed PHP only has the crypt function as standard, and unfortunately I found out that's also just a hashing script. As you can see I tried some things with mcrypt, a separate library, but unfortunately that lib is not standard and also not supported by my host.
[Note II]: You will also notice there is no DOCTYPE at the beginning of the HTML pages. Anyway, when I have my PHP login script ready I will rewrite it to XHTML and add a DOCTYPE.
[Note III]: Some HTML code is not used correctly, for example I've written <br> instead of <br /> a few times. Well, I just want to say I'm aware of that; I'll improve my code when I have my final login script.
[Note IV, I made this red because I think I really did this wrong.]: Notice my way of securing. What I do is this: when he logs in and it's correct I store three session variables. One md5 hash of the username + hashed password, and two variables containing the username (not hashed because I will need it later) and the password hashed. When he enters another page he takes the two session variables with the username and hashed password, makes a new hash of it and compares it to the hash that was already stored when he logged in.
Now that you've read this script you will probably say, "What the hell kind of way of securing is that?", and I know, it's a stupid way and certainly not secure. Anyway, that's why I asked you guys to help me.
I also read a bit about the mysql_real_escape_string() function, about HTML or MySQL injection. Anyway, it was all quite unclear to me so I didn't add it to my script yet. Is that needed? What does it do exactly? It replaces certain characters so injection is not possible? Something like that?
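The login flow asked about in Note IV and in the escaping question above, as an added example that is not part of the original post or the poster's script. It assumes PHP 5.5+ with the PDO SQLite driver; the table, column and function names are hypothetical and the account is constructed sample data.

```php
<?php
// Added example. Assumes PHP 5.5+ with the PDO SQLite driver; table, column
// and function names are hypothetical, and the account below is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)');

// Registration: store a salted, deliberately slow hash instead of a bare md5.
$ins = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
$ins->execute(array("o'neil", password_hash('correct horse', PASSWORD_DEFAULT)));

// Returns the user id on success, or null. The name travels as a bound
// parameter, so a quote inside it stays data and never becomes part of the
// SQL text; no manual escaping call is needed.
function check_login(PDO $db, $name, $password) {
    $q = $db->prepare('SELECT id, pw_hash FROM users WHERE name = ?');
    $q->execute(array($name));
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Called by the login page after check_login() succeeds. Only the user id is
// kept: session data is stored on the server, so the three values of Note IV
// all sit in the same place and comparing them to each other on every page
// does not authenticate the request any further.
function start_user_session($userId) {
    session_start();
    session_regenerate_id(true);   // fresh session id at login (anti-fixation)
    $_SESSION['user_id'] = $userId;
}

// Guard for every protected page: null means "not logged in".
function current_user_id() {
    return isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
}

var_dump(check_login($db, "o'neil", 'correct horse'));  // matching password
var_dump(check_login($db, "o'neil", 'wrong'));          // wrong password
var_dump(check_login($db, 'nobody', 'correct horse'));  // unknown user
```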