Is this PHP/MySQL login script secure?

Posted by NightMICU on Stack Overflow See other posts from Stack Overflow or by NightMICU
Published on 2011-01-02T00:51:40Z Indexed on 2011/01/02 0:53 UTC
Read the original article Hit count: 347

Filed under:
|
|

Greetings,

A site I designed was compromised today, working on damage control at the moment. Two user accounts, including the primary administrator, were accessed without authorization. Please take a look at the log-in script that was in use, any insight on security holes would be appreciated. I am not sure if this was an SQL injection or possibly breach on a computer that had been used to access this area in the past.

Thanks

<?php
    //Start session
    session_start();
    //Include DB config
    require_once('config.php');

    //Error message array
    $errmsg_arr = array();
    $errflag = false;
    //Connect to mysql server
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }
    //Select database
    $db = mysql_select_db(DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }
    //Sanitize the POST values
    $login = clean($_POST['login']);
    $password = clean($_POST['password']);

    //Input Validations
    if($login == '') {
        $errmsg_arr[] = 'Login ID missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }

    //If there are input validations, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: http://tapp-essexvfd.org/admin/index.php");
        exit();
    }

    //Create query
    $qry="SELECT * FROM user_control WHERE username='$login' AND password='".md5($_POST['password'])."'";
    $result=mysql_query($qry);

    //Check whether the query was successful or not
    if($result) {
        if(mysql_num_rows($result) == 1) {
            //Login Successful
            session_regenerate_id();
            //Collect details about user and assign session details
            $member = mysql_fetch_assoc($result);
            $_SESSION['SESS_MEMBER_ID'] = $member['user_id'];
            $_SESSION['SESS_USERNAME'] = $member['username'];
            $_SESSION['SESS_FIRST_NAME'] = $member['name_f'];
            $_SESSION['SESS_LAST_NAME'] = $member['name_l'];
            $_SESSION['SESS_STATUS'] = $member['status'];
            $_SESSION['SESS_LEVEL'] = $member['level'];
            //Get Last Login
            $_SESSION['SESS_LAST_LOGIN'] = $member['lastLogin'];
            //Set Last Login info
            $qry = "UPDATE user_control SET lastLogin = DATE_ADD(NOW(), INTERVAL 1 HOUR) WHERE user_id = $member[user_id]";
            $login = mysql_query($qry) or die(mysql_error());
            session_write_close();
            if ($member['level'] != "3" || $member['status'] == "Suspended") {
                header("location: http://members.tapp-essexvfd.org"); //CHANGE!!!
            } else {
                header("location: http://tapp-essexvfd.org/admin/admin_main.php");
            }
            exit();
        }else {
            //Login failed
            header("location: http://tapp-essexvfd.org/admin/index.php");
            exit();
        }
    }else {
        die("Query failed");
    }
?>

© Stack Overflow or respective owner

Related posts about php

Related posts about security