|
|
Posted by Jim Michaels on 02/28/06 02:03
"Dalibor" <dalibor_gv@lycos.com> wrote in message
news:56p5y8qrli6c.xdq7cyxk74h0.dlg@40tude.net...
>I writed the following code for my loggin script:
> <?php
> $username = htmlentities($_POST['login']);
> $password = htmlentities($_POST['passw']);
> $submited = $_POST['submited']; // hidden variable in login form (value =
> 'yes')
> $browser_f = $_POST['browser']; // browser type and ver from login form
> $browser_l = $_SERVER['HTTP_USER_AGENT'];
> $time = time() - $_POST['time']; // time difference
> $page = "../admin/admin.php"; // protected page
>
> if (!isset($_REQUEST['login']) || ($submited != 'yes') || ($time > 180))
> {
> echo "\n Intruder alert!\n";
> exit(); }
> if ((!$username) || (!$password)) {
> echo "\n No data enetered!\n";
> exit(); }
> if(strstr($username,"<") || strstr($password,"<") || strstr($username,">")
> || strstr($password,">") || strstr($username,"script") ||
> strstr($password,"java")) {
> echo "\n No codding please!\n";
> exit(); }
> if ($username == 'username' && $password == 'password' && $browser_f ==
> $browser_l) {
> session_register("logged_in");
> header("Location:$page");
> exit(); }
> else {
> echo "\n Access denied!\n";
> exit(); }
> ?>
>
> Is this safe enougt or I should put some other checks in it?
> --
> .:Dalibor:.
then after they've logged in they can bypass the login and paste the url in
their browser. I don't know how much security you need. maybe you should
try a .htaccess file?
[Back to original message]
|