Is this safe?

Shadow121

Can someone please tell me if this is safe then maybe suggest ways to make it safer?

The function Encode is using md5(sha1()); for protection.
Code:
<?php
// Encode() is the poster's own md5(sha1()) helper; $logged is set elsewhere on the site.
// Case 1: not logged in and nothing submitted, so show the login form.
if (!isset($_SESSION['logged_in']) && !$logged['username'] && empty($_POST['login'])) {
    echo "<form method='post' action='index.php?x=login'>
<b>Username</b>:<br />
<input type='text' name='user' size='15'><br />
<b>Password</b>:<br />
<input type='password' name='pass' size='15'><br />
<input type='submit' name='login' value='Login'>
</form>";
// Case 2: not logged in and the form was submitted, so check the credentials.
} elseif (!isset($_SESSION['logged_in']) && !$logged['username'] && !empty($_POST['login'])) {
    $user = mysql_real_escape_string(stripslashes($_POST['user']));
    $pass = Encode(stripslashes($_POST['pass']));
    if (empty($user) || empty($pass)) {
        echo "<b>Error</b>: You Left A Field Blank";
    }
    $check = mysql_query("SELECT id, username, password FROM users WHERE username = '$user' AND PASS = '$pass' LIMIT 1");
    if (mysql_num_rows($check) > 0) {
        $_SESSION['logged_in'] = "1";
        $_SESSION['user'] = $user;
        $_SESSION['pass'] = $pass;
        echo "You Have Been Logged In Successfully <meta http-equiv=\"Refresh\" content=\"4;url= index.php?x=cp\">";
    } else {
        echo "<b>Error</b>: Invalid Password, Or user Does Not Exist.";
    }
// Case 3: a session already exists.
} elseif (isset($_SESSION['logged_in']) && $logged['username']) {
    echo "<b>Error</b> You Are Already Logged In.<meta http-equiv=\"Refresh\" content=\"4;url= index.php?x=cp\">";
}
?>
 

Micro

Retired staff (11-12-2008)
Just a hint, do a strip_tags on the username field -- if someone sneaks HTML into there, and you do something with it your users can really mess up your site, especially if their username is shown to other users.
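
A hardened version of the login check discussed in this thread, as an added example that is not code from either poster. It swaps in techniques the thread does not use: a PDO prepared statement instead of string-built SQL, password_hash()/password_verify() instead of the unsalted md5(sha1()) helper, and htmlspecialchars() at output time rather than strip_tags on input. Assumptions: an in-memory SQLite database stands in for the MySQL users table, the column name password_hash and the account "alice" are constructed, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Assumed stand-in for the thread's MySQL `users` table (in-memory SQLite).
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    // Constructed sample account; password_hash() adds a per-user salt and a work factor.
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the user row on success, null on any failure.
function check_login(PDO $db, string $user, string $pass): ?array {
    if ($user === '' || $pass === '') {
        return null; // stop here instead of falling through to the query
    }
    // Bound parameter: the username is sent as data, never as SQL text.
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify in PHP; a salted hash cannot be matched inside the WHERE clause.
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Call after session_start(), once check_login() has returned a row.
function start_user_session(array $row): void {
    session_regenerate_id(true);               // fresh session id for the authenticated user
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id'] = (int) $row['id'];   // keep the id, never the password or its hash
}

// Escape when printing, so a username containing markup is displayed as text.
function show_username(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

$db = make_db();
var_dump(check_login($db, 'alice', 'correct horse') !== null);
var_dump(check_login($db, 'alice', 'wrong password') !== null);
var_dump(check_login($db, "o'neil", 'anything') !== null);
echo show_username('<b>bob</b>'), PHP_EOL;
```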
 