0

I am totally new to PHP and MySQL and I built a small login form for my website. As the descriptions on the internet for such a thing are much more extensive, I just want to ask you if this is a secure way to do it, as it was just a few lines and it works:

First I create a table in phpMyAdmin with username and password (hashed with md5). After that I run the login on the website with the following script, where the $_POST stuff comes from a form.

```php
<?php
    session_start();
    $db = @mysqli_connect("...", "...", "...") or
    die("Connection failed!");
    mysqli_select_db($db,'...');
    if(isset($_POST['username']))
    {
        $_SESSION['user'] = $_POST['username'];
        $_SESSION['password'] = md5($_POST['password']);
        $user = $_SESSION['user'];
        $password = $_SESSION['password'];
        $sql = "SELECT * FROM logins WHERE username = \"$user\"";
        $result = $db->query($sql);
        $row = $result->fetch_assoc();
        if($row["password"] == $password)
        {
            $_SESSION['logged'] = "loggedin";
        }
    }
?>
```

The Logout Script is very easy as well.

```php
<?php
    session_start();
    session_destroy();
    unset($_SESSION['user']);
    unset($_SESSION['password']);
    header('Location: ../index.php');
?>
```

Moreover I restrict every private content with

```php
<?php
     if (isset($_SESSION['logged']))
     {
         $temp = $_SESSION["user"];
         echo "Hello $temp, nice to see you!";
     }
?>
```

or I make a redirection.

So here are my questions:

  1. Is this a secure way to do it? Can it be hacked easily?
  2. What sense does md5 make if a reverse lookup is possible?

Thank You!

  • 3
    The first question is probably better suited for [Code Review](http://codereview.stackexchange.com/) – devlin carnate May 03 '16 at 17:40
  • 2
    You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 03 '16 at 17:46
  • 1
    [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 03 '16 at 17:47
  • 1
    Possible duplicate of [How secure is my PHP login system?](http://stackoverflow.com/questions/8691076/how-secure-is-my-php-login-system) – devlin carnate May 03 '16 at 18:04
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.2/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and never store passwords as plain-text or using the flimsy MD5 method. – tadman May 03 '16 at 19:08
  • I feel bad that everyone's jumping on you here, but this code contains a whole laundry list of severely bad problems. You're even using PHP's YOLO operator `@` to ignore any errors that might come up. This is the opposite of secure: It gives people a way to hack into your site. – tadman May 03 '16 at 19:09
  • @tadman: Totally okay :-). I expected it. Answers and comments showed me that there is lots of stuff to do. I just wondered how easy it was to build up a login form without thinking of anything. –  May 04 '16 at 07:26

2 Answers

1

You've got a lot of work ahead of you. Here are some good places to start. Take the ideas from here and Google, because there is a lot of information out there that you will need to tap into.

For how to both serve and submit the page, see here: "Is HTTPS as the form's action enough?"

For how to hash, see here (currently my choice): Password Hashing Functions

Lastly, read up on form validation and input sanitizing; a good SO post is "What's the best method for sanitizing user input with PHP?"

Also, as one of the comments points out, look into Prepared Statements.

Hope this helps get you started on your journey.

Community
nerdlyist
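
The advice from the comments and the answer above (prepared statements, PHP's built-in password functions) applied to the question's login script, as an added example that is not part of the original post or answer. It assumes the `logins.password` column stores `password_hash()` output rather than MD5; `check_login` and the connection values are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

// Assumption: logins.password holds password_hash() output (VARCHAR(255)), not MD5.
// Report mysqli errors as exceptions instead of silencing them with @.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Hypothetical helper: true only if $user exists and $password matches its stored hash. */
function check_login(mysqli $db, string $user, string $password): bool
{
    // The user name is bound as a parameter, so it is never parsed as SQL.
    $stmt = $db->prepare('SELECT password FROM logins WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch() === true;   // null means no row, false means error
    $stmt->close();

    // password_verify() reads algorithm, cost and salt from the stored hash.
    if (!$found || !password_verify($password, (string) $hash)) {
        return false;
    }
    // Re-hash transparently when PHP's default algorithm or cost has moved on.
    if (password_needs_rehash((string) $hash, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE logins SET password = ? WHERE username = ?');
        $upd->bind_param('ss', $new, $user);
        $upd->execute();
        $upd->close();
    }
    return true;
}

session_start();
if (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])) {
    $db = new mysqli('db-host', 'db-user', 'db-pass', 'db-name'); // placeholders
    if (check_login($db, $_POST['username'], $_POST['password'])) {
        session_regenerate_id(true);            // fresh session ID after login
        $_SESSION['user'] = $_POST['username']; // no password or hash kept in the session
        $_SESSION['logged'] = 'loggedin';
    }
}
```

New rows for the table are created with `password_hash($password, PASSWORD_DEFAULT)`; the raw password is passed in unmodified, as the comment about not escaping passwords points out.
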
0

You have no security whatsoever, since you are POSTing both the username and the password. They are sent over the internet in clear text, unless you are using HTTPS. The MD5 encoding is pretty useless too.

A more secure way would be to encode the password BEFORE POSTing it, ideally with an expiring timestamp, so it cannot be reused after x amount of time.

Also, your SQL statement uses a POSTed value without any sanitizing; this exposes your database to SQL injection...

Please don't use your code on any strategic database.

Jay Blanchard
Webomatik