login.php
<?php
session_start();
$error_msg = '';                       // initialise so the echo below never reads an undefined variable
if (isset($_SESSION['access_error']))
{
    $error_msg = "Please login before accessing the member page.";
    unset($_SESSION['access_error']);  // clear the flag so the message is shown only once
}
if (isset($_POST['password']) || !empty($_POST['password'])) {
    if ($_POST['password'] === "2005")  // strict comparison: no PHP type juggling
    {
        $_SESSION['loggedin'] = true;
        header("Location: http://www.example.com/loggedin.php");
        exit;                          // a header() alone does not end execution; stop the script here
    }
    else
    {
        $error_msg = "Incorrect login, please try again.";
    }
}
?>
<?php print '<font color="red">' . $error_msg . '</font>'; ?>
<p><strong>Member login:</strong></p>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<input type="password" name="password">
<input name="submit" type="submit" value="submit">
</form>
loggedin.php
<?php
session_start();
if (!isset($_SESSION['loggedin']))
{
    $_SESSION['access_error'] = true;
    header("Location: http://www.example.com/login.php");
    exit;   // without this the member page below is still sent to the unauthenticated visitor
}
?>
<html>
<head>
<title>Logged in successful!</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<p>Welcome, member!</p>
</body>
</html>
Please let me know what you think about my code. I welcome any suggestion of changes to make it better/more secure. Thanks!
When I enter the wrong password on the login.php page, the error message shows up. Then when I re-enter the correct password, it takes me to the loggedin.php page. Then, say, on loggedin.php I press the back button to go back to login.php, and the browser shows me the following message:
Warning: Page has Expired The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.
To resubmit your information and view this Web page, click the Refresh button.
Any way to make the browser not display that message when I press the back button?
Instead of having one page for login and one page for logged_in, make a page with login, which you require at the very top of your "secure" pages.
If they are not logged in, parse the login box and use exit(); to stop further parsing of that page.
You don't need to catch the event of "is logged in", unless you wish to do something with the "logged in data".
I hope you're following me.
...
if (isset($_POST['password']) || !empty($_POST['password'])) {
    if (md5($_POST['password']) === "d47268e9db2e9aa3827bba3afb7ff94a")
    {
        $_SESSION['loggedin'] = true;
        header("Location: http://www.example.com/loggedin.php");
        exit;   // stop here so nothing after the redirect is executed
    }
...
Best regards
Michal Cibor
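The single-include approach described in the reply, worked through as an added example (not code from either poster): one file is required at the top of every protected page, it prints the login box and exits when the visitor is not logged in, and the password is checked against a stored hash rather than the plaintext. The file name auth.inc.php and the use of password_verify in place of md5 are my assumptions; the demo hash is computed at startup from the thread's sample password "2005" only so the script runs stand-alone.

```php
<?php
// auth.inc.php (hypothetical file name). Added example, not code from the thread.
// Put `require_once 'auth.inc.php';` at the very top of every protected page, before any output.
session_start();

// Stored credential: a bcrypt hash, never the plaintext. For this demo the hash is
// computed at startup from the thread's sample password "2005"; in production store
// the precomputed hash in a config file outside the web root.
$storedHash = password_hash('2005', PASSWORD_DEFAULT);

// Every POST ends in a redirect (Post/Redirect/Get), so no history entry is a POST
// result and the back button lands on a GET page instead of the "Page has Expired" warning.
function redirect_to_self(): void
{
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

function render_login_and_exit(): void
{
    // Show the form, then stop parsing the protected page (the exit() the reply describes).
    $error = $_SESSION['login_error'] ?? '';
    unset($_SESSION['login_error']);           // flash message: shown once, then cleared
    if ($error !== '') {
        echo '<p style="color:red">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    $action = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8');
    echo '<p><strong>Member login:</strong></p>';
    echo "<form method=\"post\" action=\"$action\">";
    echo '<input type="password" name="password" autocomplete="current-password">';
    echo '<input type="submit" name="submit" value="submit">';
    echo '</form>';
    exit;
}

if (empty($_SESSION['loggedin'])) {
    if (isset($_POST['password'])) {
        // password_verify compares in constant time, so response timing does not leak the hash.
        if (password_verify((string) $_POST['password'], $storedHash)) {
            session_regenerate_id(true);    // fresh session id on login: blocks session fixation
            $_SESSION['loggedin'] = true;
        } else {
            $_SESSION['login_error'] = 'Incorrect login, please try again.';
        }
        redirect_to_self();
    }
    render_login_and_exit();
}
// Past this point the visitor is logged in and the protected page's own HTML follows.
```

The protected page itself then needs no session check of its own, which is the "you don't need to catch the event of is logged in" point made above.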