I have made this:
<?php
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
$connection = mysql_connect("localhost", "root", "");
// Selecting Database
$db = mysql_select_db("cavallo", $connection);
session_start(); // Starting Session
// Storing Session
$user_check = $_SESSION['login_user'];
// SQL Query To Fetch Complete Information Of User
$ses_sql = mysql_query("select username from login where username='$user_check'", $connection);
$row = mysql_fetch_assoc($ses_sql);
$login_session = $row['username'];
if (!isset($login_session)) {
mysql_close($connection); // Closing Connection
header('Location: index.php'); // Redirecting To Home Page
}
?>
It is the protocol of a session made by me, I fear it is not safe.
Do you think there is a way to crack this method?
login.php file: https://gist.github.com/anonymous/d7db3ea76fc4258d6512
Update: I re-created all the script with online guides for a secure login.thanks for helping me and reported the problem
Storing passwords as strings is not secure.
Read this. I think it may help you.
And read more about SQL injection, password hashing, using salt with passwords, session hijacking.
No. it's highly insecure.
Follow these step to secure your login system:
Store password in hash format so that your employees can't see your user password.
How to hash your password:
a. Get user password and immediately hash them.
$password = $_POST['password'];
$password = hash('sha256',$password);
b. Store this hash password in your database.
Now how to check user credential.
$username = $_POST['username'];
$password = $_POST['password'];
settype($username,"string");
$password = hash('sha256',$password);
$stmt = $dbConnection->prepare('SELECT * FROM login WHERE username = ? and password = ?');
$stmt->bind_param('s', $username,$password);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
// do something with $row
}
Use prepared statements and parameterized queries is impossible for an attacker to inject malicious SQL. You can try that by PDO and Mysqli query.
Example of PDO
PDO is that the SQL statement you pass to prepare is parsed and compiled by the database server.
//setting up connection
$dbconn = new PDO('mysql:dbname=dbname;host=127.0.0.1;charset=utf8', 'root', '');
//prepare query
$user_check=$_SESSION['login_user'];
$prepareQuery = $db->prepare('INSERT INTO table (column) VALUES (:column)');
$perpareQuery->execute(array('column' => $user_check));
foreach($perpareQuery as $row) {
}
I see a fundamental bug: you're only checking whether the username exists - you're not even looking at the input password. So if I type in any existing user's username, your login page will grant me access. At the very least fix that bug; then go look at the other problems (SQL injection, no password hashing) that others have mentioned.