Is This A Good Script? A login script

[Ojkatii 0]

Okay, I am trying to password one page of my website. I need confirmation if this is a safe code or not. The whole code is on the page I'm protecting.

<?php include('header.php') ?><?php// Define your username and password$username = "THE_USERNAME";$password = "THE_PASSWORD";if ($_POST['txtUsername'] != $username || $_POST['txtPassword'] != $password) {?><h1>Login</h1><form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"><div align="center"><center><table border="0" cellpadding="5" cellspacing="0"><tr><td><label for="txtUsername">Username</label></td><td><input type="text" title="Enter your Username" name="txtUsername" /></td></tr><tr><td><label for="txtpassword">Password</label></td><td><input type="password" title="Enter your password" name="txtPassword" /></td></tr></table></center></div><p align="center"><input type="submit" name="Submit" value="Login" /></p></form><?php}else {?>The stuff being protected here....<?php } ?><?php include('footer.php') ?>

Is this a safe script, or could someone possibly discover the username and password?

[shadowx 0]

It seems good to me, i have a comment though, I think you should check the username and password input doesnt contain malicious code, you could use strip_tags or make your own cleaning script, its not a massive concern as theres no database involved but i think it would be possible for an adept coder to inject code by entering it in the username/password box on the form. Other than this it seems fine to me, im not saying its 1OO% safe, nothing really is but i would feel happy about using it on my site.

[Ojkatii 0]

Okay, thanks! All I needed was confirmation that it is somewhat safe. And thanks for the comments.

[jlhaslip 4]

Instead of using an assignment for the user name and password, check out the Define function. http://ca3.php.net/manual/en/function.define.php
It adds a little bit to the security because "defined" values can not be modified by the script, so it would eliminate one possible security risk.

Also, the first rule of using data from Forms is "NEVER TRUST USER INPUT". Always check the data to be certain it is not harmful.

[Codemaster Snake 0]

I would say that this is not a secure script. any body can easily hack into this script by linkin this with other script on some other terminal.He can easily modify the variables as they are defined globally. So, I won't recommend it.

[Stenno 0]

Use strtolower() function to make your login script NOT case sensitive. Case sensitive login system are safer but could be annoying for the visitor.if (strtolower($_POST['txtUsername'])!= strtolower($username) || strtolower($_POST['txtPassword']) != strtolower($password)) {

[Dok7as 0]

I think it is a good script

[mahirharoon 0]

it should be 100% safe because if the script is server side the server makes it html and sends to browser when we open view source it shows the page content but the problem comes when linking the hackers right clicks and choose save target as , to solve the problem the page which contains link should be any server side language or flash or javaEDITED BECAUSE:no grammar

Edited November 26, 2007 by mahirharoon (see edit history)

[de4thpr00f 0]

well, i can't say it's easy to hack and that anyone can break the code. Try to include the login part from other file. that way will be more secure. You can also add another security. A db, the form confirms the user on the db, and the conection is made from another php and voil?, an headache to hackers =)

[online 0]

yes but you should ad a "logged" = 12343 to it so it knows if the user is onlinethen you can use in other scripts :if get session "logged"=12343he/her get access to thingssorry for my english, and php, i had a bit hurry