How to write authorization in php using cookies or sessions?

Y

Yaroslav Nikitin2014-09-10 18:23:35

PHP

Yaroslav Nikitin, 2014-09-10 18:23:35

Hello. The third day I'm trying to write authorization in php. At the bottom, I left the registration code, specially removed all checks, classes, etc., so as not to interfere with the main content. What is the essence of the question: I can’t write a simple authorization, at least for a test. How it should work: there are two fields named name, password; they contain data, if the login table contains name and password data, then you need to save this data in cookies and go to the members page, in other words, log in and do not log into your account again.

<form name = "login" method = "POST" action = "">
  <div>Введите логин: </div>
  <input  type = "text" size="40" name = "name" autocomplete = "off" value="<?php echo $_POST['name']; ?>" >
  <div>Введите имя и фамилию: </div>
  <input  type = "text" size="40" name = "firstname" autocomplete = "off" value="<?php echo $_POST['firstname']; ?>" >
  <div>Введите почту: </div>
  <input  type = "text" size="40" name = "email" autocomplete = "off" value="<?php echo $_POST['email']; ?>" >
  <div >Введите пароль: </div>
  <input  type = "password" size="40" name = "password" autocomplete = "off">
  <div>Повторите пароль: </div>
  <input type = "password" size="40" name = "passwordTwo" autocomplete = "off">
  <input type = "submit" value = "Отправить" name = "registr">
</form>

<?php 
  if (isset($_POST['registr']))
  {
    Connect_MySQL_database(); /* подключение к БД */
    mysql_select_db(DBUSERNAME) or die(mysql_error());
    $login = "INSERT INTO login (name, firstname, email, password) 
          VALUES('".$_POST["name"]."', '".$_POST["firstname"]."', '".$_POST["email"]."', '".$_POST["password"]."')";
    mysql_query($login) or die(mysql_error());	
    echo "<div class = \"error\">Вы успешно зарегистрированы</div>";
    }
?>

login.php

<form name = "loginer" method = "POST" action = "">
  <div >Введите логин: </div><input type = "text" size="40" name = "name">
  <div >Введите пароль: </div><input type = "password" size="40" name = "password">
  <center><input type = "submit" value = "Отправить" name = "registr"></center>
</form>

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

S

Sergey, 2014-09-10
Protko @Fesor

1) throw out mysql_* and use mysqli/PDO and prepared statements. You can already do SQL injections there
2) screen the data output, they say not just echo $_POST, but echo htmlentities ($_POST) or go through with a strip tag to remove all script injections. You already have an XSS vulnerability in your templates.
3) don't work directly with $_POST.
4) do not use cookies, use sessions (they are still tied through cookies)
5) hash passwords. at least md5 with random salt. and even better sha512.
Well, if on business - and where do you write in cookies? I don't see any work with cookies/session at all. Look in the browser debugger to see if they have registered.