How to protect my login page

I have a login.html webpage that lets a user enter a username and password. When they click submit, I collect the entered values with JavaScript and then make an AJAX POST call to a PHP file, sending the username and password.

Is this a safe way to send the username and password? If not, how can I protect this transfer of data from the HTML file to the PHP backend?

The PHP file then connects to the MySQL database and checks whether the user exists and the password is correct. If so, it sends the text "Valid" back to the AJAX call in the JavaScript function; otherwise I treat it as an invalid login.

I am not completely happy with this logic. Is there a better way to implement this process? Since I am putting this code into production, I want to secure it as much as possible.

The code below works just fine; I just need some tips on how to secure it.

login.html

<!-- Login form fragment. The inputs are not wrapped in a <form>, so the
     "submit" button only fires logmein(); nothing is submitted natively,
     and there is no CSRF token field. -->
<div>
    <h3>Login information</h3>

    <input type="text" name="user" id="usrnm" placeholder="Username/Email">
    <input type="password" name="pswdlogin" id="pswdlogin" placeholder="Password">
    <!-- "keepmeloggedin" is rendered but never read by logmein.js or logmein.php. -->
    <input type="checkbox" name="keepmeloggedin" id="keepmeloggedin" value="1" data-mini="true">
    <input type="submit" data-inline="false" onclick="logmein()" value="Log in">
    <!-- logmein.js writes the server reply here on a failed login. -->
    <div id="loginstatus">    </div>
 </div>

logmein.js

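/**
 * Reads the username and password from the login form, POSTs them to
 * logmein.php and, when the reply is exactly "Valid", navigates the parent
 * window to home.html with the entered username in the query string.
 *
 * The server reply is treated as untrusted text: it is rendered with
 * textContent rather than innerHTML, so a modified or reflected response
 * cannot inject markup into #loginstatus.
 *
 * NOTE(review): the endpoint is plain http://, so the credentials cross
 * the network unencrypted; the page and this endpoint should be served
 * over https.
 *
 * @returns {void}
 */
function logmein() {
  const usrnm = document.getElementById("usrnm").value;
  const pswdlogin = document.getElementById("pswdlogin").value;

  $.post(
    "http://xyz/mobile/php/logmein.php",
    { usrnm, pswdlogin },
    (data) => {
      if (data === "Valid") {
        // Build the redirect with the URL API so the username is
        // percent-encoded instead of concatenated raw into the query string.
        const target = new URL("http://xyz/mobile/home.html");
        target.searchParams.set("email", usrnm);
        window.open(target.toString(), "_parent");
        return;
      }
      alert(data);
      // textContent: the reply must never be interpreted as HTML.
      document.getElementById("loginstatus").textContent = data;
    },
  );
}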

logmein.php

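<?php
// logmein.php — verifies the posted username/password against the
// `registration` table and prints a single plain-text status token that
// logmein.js compares against the literal "Valid".

// Guard the reads: a direct visit to this page (no POST body) would
// otherwise raise undefined-index notices.
$usrnm_original = isset($_POST['usrnm']) ? $_POST['usrnm'] : '';
$pswdlogin_original = isset($_POST['pswdlogin']) ? $_POST['pswdlogin'] : '';

// NOTE(review): the database credentials are embedded in the script; move
// them to a config file outside the web root (and rotate them, since they
// now appear in this listing).
$con = mysqli_connect("localhost", "cSDEqLj", "4GFU7vT", "dbname", "3306");

if (mysqli_connect_errno())
    {
    // Keep mysqli_connect_error() out of the response: it can reveal host
    // and account names. Log it server-side and stop — the original echoed
    // it and then went on to query the failed connection.
    error_log("logmein.php: " . mysqli_connect_error());
    echo "Failed to connect to MySQL";
    exit;
    }

// Prepared statement: the values are bound, never spliced into the SQL
// text, which removes the need for mysqli_real_escape_string and closes
// the injection risk the string-built query left open.
// NOTE(review): this still matches the password column literally, i.e. the
// table holds plaintext passwords. Store password_hash() output and compare
// with password_verify() once the stored values are migrated.
$rows = 0;
$stmt = mysqli_prepare($con, "SELECT 1 FROM registration WHERE email = ? AND password = ?");
if ($stmt !== false)
    {
    mysqli_stmt_bind_param($stmt, "ss", $usrnm_original, $pswdlogin_original);
    if (mysqli_stmt_execute($stmt))
        {
        // num_rows is only meaningful after the result set is buffered.
        mysqli_stmt_store_result($stmt);
        $rows = mysqli_stmt_num_rows($stmt);
        }
    mysqli_stmt_close($stmt);
    }

if ($rows === 1)
    {
    echo "Valid";
    }
  else
    {
    echo "In Valid Credentials Entered";
    }

mysqli_close($con);
?>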
2 answers

This really belongs on codereview.stackexchange.com, but I will still give it a shot.

First, I would add a CSRF token to your form to stop cross-site request forgery attacks.

//the most simple type of csrf token
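// CSRF token: generated once per session and reused on every form render.
// NOTE(review): session_start() must already have been called, otherwise
// $_SESSION is not populated.
if (!isset($_SESSION['token'])):
    // random_bytes() (PHP >= 7.0) is the CSPRNG; md5(uniqid(rand(), TRUE))
    // is guessable because uniqid is time-based and rand() is not
    // cryptographically strong. The fallback keeps older PHP working.
    $token = function_exists('random_bytes')
        ? bin2hex(random_bytes(32))
        : md5(uniqid(rand(), TRUE));
    $_SESSION['token'] = $token;
else:
    $token = $_SESSION['token'];
endif;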

Then add a hidden input field to your form:

<!-- Server-rendered CSRF token; logmein.js reads #token and posts it back. -->
<input type="hidden" name="token" id="token" value="<?php echo $token; ?>"/>

Then add the token to your AJAX request.

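// Read the form values (jQuery) and build the POST payload. The CSRF
// token comes from the hidden #token input the server rendered, so a
// request forged from another origin has no way to supply it.
const usrnm = $("#usrnm").val();
const pswdlogin = $("#pswdlogin").val();
const token = $("#token").val();

// Property shorthand: the keys match the $_POST names logmein.php reads.
const payload = { usrnm, pswdlogin, token };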

Then in your PHP, guard against undefined index errors when this page is accessed directly.

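// Guard every $_POST read so a direct visit (no POST body) yields false
// instead of an undefined-index notice.
$usrnm_original = isset($_POST['usrnm']) ? $_POST['usrnm'] : false;
$pswdlogin_original = isset($_POST['pswdlogin']) ? $_POST['pswdlogin'] : false;
// The original line was missing the ternary '?', which is a parse error.
$token = isset($_POST['token']) ? $_POST['token'] : false;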

, , ,

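// Reject the request unless the posted token matches the session token.
// The original `!$_SESSION['token'] == $token` negated the session value
// first (`!` binds tighter than `==`), so it compared a boolean with the
// token string and never enforced the check.
// hash_equals() (PHP >= 5.6) compares in constant time; the is_string()
// guard covers the `false` that the $_POST guard above assigns.
if (!isset($_SESSION['token']) || !is_string($token) || !hash_equals($_SESSION['token'], $token)):
    die('CSRF Attacks are not allowed.');
endif;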

Instead of mysqli_query with mysqli_real_escape_string, use a prepared statement.

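$ret = array();
// NOTE(review): credentials embedded in the script; load them from a config
// file kept outside the web root.
$mysqli = new mysqli("localhost", "cSDEqLj", "4GFU7vT", "dbname");

// Default to a failed login so a prepare/execute failure cannot fall
// through with an empty $ret.
$ret['status'] = false;
$ret['msg'] = 'The credentials supplied were incorrect. Please try again';

// NOTE(review): the query matches the password column literally, i.e. it
// expects plaintext (or unsalted-hash) values; password_hash() /
// password_verify() are the intended primitives once the column is migrated.
if($sql = $mysqli->prepare('SELECT * FROM registration WHERE email = ? and password = ?')):
    // The original bound $pswd_original, an undefined variable; the value
    // read from $_POST is $pswdlogin_original.
    $sql->bind_param('ss', $usrnm_original, $pswdlogin_original);

    if($sql->execute()):
        // num_rows stays 0 until the result set is buffered client-side.
        $sql->store_result();

        if($sql->num_rows > 0):
            $ret['status'] = true;
            $ret['msg'] = 'You have successfully logged in! Redirecting you now';
        endif;
    endif;
    $sql->close();
endif;

$mysqli->close();
// This runs at file scope, so `return` would discard the result; the JSON
// must be echoed for the jQuery 'json' callback to receive it.
header('Content-Type: application/json');
echo json_encode($ret);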

Then update the $.post call:

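// POST the credentials plus CSRF token; the 'json' dataType makes jQuery
// parse the reply so `data.status` / `data.msg` are available.
$.post(
  "http://xyz/mobile/php/logmein.php",
  { usrnm, pswdlogin, token },
  (data) => {
    // Strict comparison: `data.status == true` would also accept "1" or
    // other truthy coercions of a malformed reply.
    if (data.status === true) {
      // URL API percent-encodes the username instead of concatenating it raw.
      const target = new URL("http://xyz/mobile/home.html");
      target.searchParams.set("email", usrnm);
      window.open(target.toString(), "_parent");
      return;
    }
    alert(data.msg);
    // .text() renders the message as text, not markup.
    $("#loginstatus").text(data.msg);
  },
  "json",
);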

, , , . , . , , sha256. , sha256, SQL, :

// NOTE(review): a single unsalted SHA-256 of the password is identical for
// every user with the same password and cheap to brute-force offline;
// PHP's password_hash() / password_verify() are the intended primitives
// for storing and checking passwords.
$pswdlogin_original = isset($_POST['pswdlogin'])? hash('sha256', $_POST['pswdlogin']):false;

, , fcec91509759ad995c2cd14bcb26b2720993faf61c29d379b270d442d92290eb.

, . , . , .

, .


, "" , HTTPS , (, ), HTTPS , , .

, AJAX HTML-, .

( HTTPS certificates ), " ": , ( , ...)

, , , Laravel, , Slim Silex, .

, , - ? , , , , , .

:

