Tänk på följande:
- Se upp för SQL-injektion(stoppad av mysql_real_escape_string);
- Se upp för sessionsfixering/kapning;
- Se upp för attacker med brute force;
-
Kontrollera http://php.net/pdo för bättre felhantering och frågeparametrar....
<?php error_reporting(E_ALL); ini_set('display_errors', 1); if ($_SERVER['REQUEST_METHOD'] == 'POST') { $user = '***************'; $pass = '***************'; $host = '***************'; $data = '***************'; mysql_connect($host, $user, $pass) or die("Could not connect"); mysql_select_db($data) or die("Database Not Found"); $result=mysql_query("SELECT COUNT(1) FROM sec_login WHERE Username='".mysql_real_escape_string($_POST['username'])."' AND Password='".mysql_real_escape_string($_POST['password'])."'") or die(mysql_error()); if(mysql_result($result) == 1) { $_SESSION['username'] = $_POST['username']; header("location: ../index.php"); exit; } else { $message = 'You have failed to provide valid credentials.'; } } else { $message = '<form method="post"> <input type="text" name="username" value="username" /> <br /> <input type="password" name="password" value="password" /> <br /> <input type="submit" /> </form>'; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> <?php echo $message; ?> </body> </html>