Home/ Questions/Q 7732001
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T06:37:20+00:00

I need to implement for current project some secure login in php. I wrote

  • 0

I need to implement for current project some secure login in php.
I wrote something with pdo prepared statements with old code having in mind. I need advices to implement more secure maybe, or to examine is it proof to sql inj, attacks.

 <form action="validate.php" method=post>
    <table class="loginForm">
       <thead></thead>
       <tbody>
          <tr>
            <td>UserName:</td>
            <td><input name=user_name></td>
          </tr>
          <tr>
           <td>Pass:</td>
           <td><input type=password name=password></td>
          </tr>
          <tr>
           <td><input class=loginBtn type=submit value='Log me in' name=login></td>
         </tr>
       </tbody>
    </table>
</form>

Validate.php

session_start();    
try {
    $host = 'localhost';
    $dbName = 'xxx';
    $dbUser = 'xxx';
    $dbPass = 'xxx';
    # MySQL with PDO_MYSQL  
    $DBH = new PDO("mysql:host=$host;dbname=$dbName", $dbUser, $dbPass);
    $DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    echo "I'm afraid I can't do that.";
    file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
}

$STH = $DBH->prepare("SELECT * FROM `Admins` WHERE `username` = '$user_name' AND password='$password'");
$STH->execute();

$STH->setFetchMode(PDO::FETCH_ASSOC);
$affected_rows = $STH->fetchColumn();

if($affected_rows == 1) {
    //add the user to our session variables
    $_SESSION['username'] = $user_name;
    header("Location: http://www.mysite.com/administration/index.php");
        exit;
        //print 'allowed';
        }
    else {
        print 'access is not allowed !!!';
    }

Updated:
Thanks to accepted answer bellow my query is coded now like this

$STH = $DBH->prepare('SELECT * FROM Admins 
                      WHERE username = :user and password = :pass');
$STH->execute(array(':user' => $_POST['user_name'], 
                    ':pass' => $_POST['password']));

Which is fine.
Now I just want to be sure is my authentication is good enough to use it on admin pages like this
session_start();

try {
    $host = 'xx';
    $dbName = 'xxxx';
    $dbUser = 'xxxxx_first';
    $dbPass = 'xxx';
    # MySQL with PDO_MYSQL  
    $DBH = new PDO("mysql:host=$host;dbname=$dbName", $dbUser, $dbPass);
    $DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    echo "I'm afraid I can't do that.";
    file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
}

if (empty($_SESSION['username'])) {
    die('To access pages you have to be loged in.
    <a href="/administration/login.php">log in</a> ');

}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can type query like this to avoid Sql Injection

    $STH = $DBH->prepare('SELECT * FROM Admins 
                      WHERE username = :user and password = :pass');
$STH->execute(array(':user' => $_POST['user_name'], 
                    ':pass' => $_POST['password']));
    • 0