PHP Login

i was trying to make a login that posts to the login.php page then this is the script that runs

$password=$_POST['password'];
$username=$_POST['user'];

if($password=="*******" and $username="my admin user"){
redirect.http(http://www.arabian-outlaw.com/admin/jsgvjhsa.php";
}

elseif($password=="some other pass"){
redirect to google;
}

?>```
i suck on php so can someone tell me how to do the things i did wrong right

Alright, I wrote a little better login script for you. Just so you know, I normally do not comment seing as most of my work is mine and I can usually always understand what I did with something in the past, if not its just fun to figure it out :P

But I commented this for you, hope you like it.

Hopefully you understand it, if not just ask and I am sure I will or someone else will answer your questions..

The script is pretty self explanatory and can easily be added on to.

/**
 * userList array
 * --
 * An array of users and valid passwords for that user
 */
$userList = array(

	/**
	 * admin user valid password list
	 */
	"admin" => array(
		
		/**
		 * The password is the key of the array
		 * I do not expect you to use it like this rather get the output of hash("sha512", "pass") and replace it
		 * The value of the array is the location the user will be redirected to
		 */
		hash("sha512", "Password 1 for this user") => "http://google.com/",
		hash("sha512", "Password 2 for this user") => "http://yahoo.com/",
		hash("sha512", "Password 3 for this user") => "http://ask.com/"
	
	),

	/**
	 * anon user valid password list
	 */	
	"anon" => array(

		/**
		 * The password is the key of the array
		 * I do not expect you to use it like this rather get the output of hash("sha512", "pass") and replace it
		 * The value of the array is the location the user will be redirected to
		 */	
		hash("sha512", "Anonymouse Passord") => "http://hellboundhackers.org/"
	
	)

);

$userName = $_POST['user']; // The username submited from the form
$userPass = hash("sha512", $_POST['pass']); // Hash password submited from the form

if (array_key_exists($userName, $userList)) { // Check the userList array to see if the key exists "username"

	$userINFO = $userList[$userName]; // Create a new variable that holds the user password list
	
	if (array_key_exists($userPass, $userINFO)) { // Check the userINFO array to see if there password matchs any keys
	
		header("Location: {$userINFO[$userPass]}"); // Redirect the user to the location specified in the userINFO array from the userList array
	
	}
	
}

echo "Login Failed"; // Yea, hope you understand that.

?>```

enjoy

I recommend a php/sql login script there are some great articles out there also check the code bank for login scripts :P

Very true, but I was going off what he wanted…

It seems as though what he is doing is not going to be very secure any way… And there is really no point in creating a table and grabbing shit from it.. Plus it is a little more difficult to get into the database and add users / passwords for something this simple/insecure.

Yeah good point, Nice code you come up with though

Yea, very simple yet very nice and easy to use.

I am sure I could simplify it some more but would involve using some more advanced PHP.

He mentioned he is a newbie to PHP and figured it would be best to give him something simple and easy to understand / edit.

You would think that HBH would fucking edit there coding shit…

I am sorry but its true, this is a hacking site… Code is going to be every where and code is not suppose to have little smilies all over it and all be aligned to the left..

One of the reasons I do not want to submit more shit to the code bank

Yeah good point, Nice code you come up with though

how is it insecure? this is a one man login….

Well the login is secure, but I am just looking at what is going on…

Someone logs in and they are redirected to a new page. I might be wrong on this but my guess is there is no validation on the redirect pages, meaning this login really has no point. If someone manages to get a hold of the source some how, there are a million ways to get it, they could easily just visit the redirect link and have totally bypassed the login.

But it could easily be that this is just the login checker and you have not put anything else up about the rest of it such as a Cookie or Server Side Session.

I am kinda rambling right now, ain't totally in it right now.

But if this is just the basic login validation then it is fine.