PHP Password Login

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: egami, macek, gesf

Post Reply
User avatar
dinoroger
New php-forum User
New php-forum User
Posts: 12
Joined: Mon Feb 20, 2017 1:59 pm

Wed Feb 22, 2017 7:39 pm

So I am attempting to create a very simple password only login page to navigate to secure PHP file (admin.php). When I mean simple it does not require a username and does not use a database in any way. It is of course as secure as the password you create. Currently my main protection is PHP itself as it does not render to the browser and unless the server breaks and treats a PHP file as an ASCII file I am under the impression that PHP is fairly safe because of this. Please correct me if I am wrong as I am new to the security proofing side of PHP. Below is an example and flow chart of the process I am thinking about. The password is stored in a PHP variable and is never transferred to the client side. Also the admin.php file has a variable set check so it could not be browsed to directly. Please poke as many holes as you want as I am learning and anything you can teach would be appreciated.

Image

LOGIN.PHP FILE

Code: Select all

<!DOCTYPE html>
<?php
/*This file conatins the password.
The reason it is in a different files is because
this file will hold all settings (PHP variables)
for storing saved settings. No client side code. */
include('settings.php');
?>
<HTML>
	<HEAD>
		<script type='text/javascript'>
			function openWindowWithPost(url, params, newWin){
				//Changes page URL with POST parameters
				var form = document.createElement('form');
				form.setAttribute('method', "post");
				form.setAttribute('action', url);
				form.setAttribute('target', '_self');
				for (var i in params){
					if (params.hasOwnProperty(i)){
						var input = document.createElement('input');
						input.type = 'hidden';
						input.name = i;
						input.value = params[i];
						form.appendChild(input);
						if (newWin != undefined){
							form.target = '_blank';
						}
					}
				}
				document.body.appendChild(form);
				form.submit();
			}
			
			function login(){
				//Reloads the page with the POST parameter "letmein" set as password
				var params = {};
				params['letmein'] = document.getElementById('pswd').value;
				openWindowWithPost('Login.php', params);
			}
		</script>
	</HEAD>
	<BODY>
		<?php
		if (@$_POST['letmein'] != $securityWord){
			//No password or invalid password
			if (@$_POST['letmein'] != ''){
				//If password was invalid
				echo "<script type='text/javascript'>alert('Incorrect password');</script>".PHP_EOL;
			}
			?>
			<!-- Login HTML -->
			Password:
			<input type='password' id='pswd' />
			<button onclick='login();'>LOGIN</button>
		<?php
		} else {
			//Password was correct. Include page that is secure.
			include ('admin.php');
		}
		?>
	</BODY>
</HTML>
SETTINGS.PHP FILE

Code: Select all

<?php
$securityWord = 'password';

/*This page would contain more settings but 
for this example I am keeping it as basic as
possible. */
?>
ADMIN.PHP

Code: Select all

<?php
if (!isset($securityWord)){die('This is a secure site. Please use the login file (Login.php).');}
?>
You made it to the secure page!!!

AdoptiveSolution
New php-forum User
New php-forum User
Posts: 163
Joined: Wed Jun 15, 2016 8:35 am

Thu Feb 23, 2017 2:37 am

This looks cleaner :

Code: Select all

<?php
include('settings.php');

$login = NULL;

if ( isset( $_POST['letmein'] ) ) {
	if( $_POST['letmein'] == $securityWord ) {
		$login = TRUE;
	} else {
		$login = FALSE;
	}
}
?>
<!DOCTYPE html>
<html>
	<head>
		<title><?php echo ( $login === TRUE ? 'Admin' : 'Login' ); ?></title>
	</head>
	<body>
		<?php
		if ( $login === TRUE ){
			//Password was correct. Include page that is secure.
			include ('admin.php');
		} else {
			//No password or invalid password
			if ( $login === FALSE ) {
				echo "<script>alert('Incorrect password');</script>".PHP_EOL;
			}
			?>
			<!-- Login HTML -->
			<form method="POST">
			Password:
			<input type='password' id='pswd' name='letmein' autofocus />
			<input type="submit" name="submit" value="LOGIN" />
			</form>
		<?php
		}
		?>
	</body>
</html>

User avatar
dinoroger
New php-forum User
New php-forum User
Posts: 12
Joined: Mon Feb 20, 2017 1:59 pm

Thu Feb 23, 2017 5:56 am

Thanks yeah I got lazy and was used to using my function openWindowWithPost for a quick form for mainly POSTing to a new window browser. In this example yeah the function is not needed.

Getting back to the question on hand. Is the security method sound? I know the strength relies on a good password. What other things should I do to protect it. Some ideas I was thinking include:
  • Limit the # of attempts somehow
  • Put a captcha system in to prevent bot login attempts
  • Create a username field also even though there is no user management system
Any suggestions like this or areas of the code you could see are completly unsecure?

User avatar
Strider64
php-forum Active User
php-forum Active User
Posts: 310
Joined: Sat Mar 23, 2013 8:24 am

Thu Feb 23, 2017 9:54 am

Code: Select all

include('settings.php');

$login = NULL;

if ( isset( $_POST['letmein'] ) ) {
	if( $_POST['letmein'] == $securityWord ) {
		$login = TRUE;
	} else {
		$login = FALSE;
	}
}
?>
even cleaner

Code: Select all

include('settings.php');

$login = NULL;

if ( isset( $_POST['letmein'] )  && $_POST['letmein'] === $securityWord) {
   $login = TRUE;
} else {
    $login = FALSE;
}
?>
and instead of a variable why not use a constant? Like this:

Code: Select all

  define('PASSWORD', 'your_db_password');
and by obfuscating variables is basically meaningless and in my opinion having variables (or constants) stand for something meaningful. Just my .02 cents.

User avatar
dinoroger
New php-forum User
New php-forum User
Posts: 12
Joined: Mon Feb 20, 2017 1:59 pm

Thu Feb 23, 2017 10:21 am

The constant makes allot of sense. Yes I will try to use cleaner code but I just quickly put together this example with no real though other that the functionality. I guess I am glad that no one has spoken of a huge design flaw as of yet. Other than the method of coding any thoughts about the overall concept. Is it secure enough or should I take it to the next step and add a username constant, captcha, or other things?

Post Reply