
PHP Login Form with ANTI SQL INJECTION Script

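<!-- >> DATABASE:
     Run once. Differences from the original listing: the `password` column is widened to 255
     characters so it can hold the output of password_hash() (md5 hex only needed 32), and the
     quoting that the page extraction stripped from the enum/default values is restored. -->
<!--
CREATE TABLE IF NOT EXISTS `users` (
    `username`   varchar(50)  COLLATE latin1_general_ci NOT NULL,
    `password`   varchar(255) COLLATE latin1_general_ci NOT NULL,
    `full_name`  varchar(100) COLLATE latin1_general_ci NOT NULL,
    `email`      varchar(100) COLLATE latin1_general_ci NOT NULL,
    `phone`      varchar(20)  COLLATE latin1_general_ci NOT NULL,
    `level`      varchar(20)  COLLATE latin1_general_ci NOT NULL DEFAULT 'user',
    `block`      enum('Y','N') COLLATE latin1_general_ci NOT NULL DEFAULT 'N',
    `id_session` varchar(100) COLLATE latin1_general_ci NOT NULL,
    PRIMARY KEY (`username`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;
-->

<!-- >> SCRIPT: 1. public_html/login_form.php -->
<form name="login" action="config/login_check.php" method="post">
    <table>
        <tr><td>Username</td><td> : <input type="text" name="username"></td></tr>
        <tr><td>Password</td><td> : <input type="password" name="password"></td></tr>
        <tr><td colspan="2"><input type="submit" value="Login"></td></tr>
    </table>
</form>

<!-- 2. public_html/config/login_check.php -->
<?php
declare(strict_types=1);

// Session is started exactly once, before any output, so session_regenerate_id() below can work.
session_start();

// Connection file. The original used the mysql_* extension, which no longer exists in PHP 7+;
// this version expects conn.php to define $pdo as a PDO instance (ideally with
// PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION and PDO::ATTR_EMULATE_PREPARES => false).
// TODO confirm conn.php provides $pdo.
include 'conn.php';
include 'timeout.php'; // defines timer() and login_check()

/**
 * Normalise a raw form value.
 *
 * Kept under its original name for compatibility, but it is NOT the SQL-injection defence:
 * the queries below are prepared statements with bound parameters, so user input is never
 * escaped or interpolated. Encoding the value (htmlspecialchars/strip_tags) before it is
 * stored or compared would corrupt it, so that is deliberately not done here either.
 *
 * @param mixed $data raw $_POST value (anything that is not a string is treated as empty)
 */
function anti_injection(mixed $data): string
{
    return is_string($data) ? trim($data) : '';
}

$username = anti_injection($_POST['username'] ?? '');
// The password is taken raw and compared with password_verify(); it is never md5()'d and
// never appears inside a query string.
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

// Make sure the username is character or number only. The password is not restricted:
// it is only ever passed to password_verify(), so its characters cannot reach the database.
if ($username === '' || !ctype_alnum($username) || $password === '') {
    echo 'Bingo!! Now the login form is secure. No more SQL Injection.';
} else {
    // Look the account up by username only; the password cannot be matched in SQL because
    // password_hash() output is salted and differs on every call.
    $stmt = $pdo->prepare("select * from users where username = ? and block = 'N'");
    $stmt->execute([$username]);
    $r = $stmt->fetch(PDO::FETCH_ASSOC);

    // If found the username and password: row exists AND the submitted password matches the
    // stored hash. Hashes must have been created with password_hash(); legacy md5 rows will
    // not verify and must be migrated.
    $found = $r !== false && password_verify($password, (string) $r['password']);

    if ($found) {
        // New session id before any session data is written (prevents session fixation);
        // true discards the old session file instead of leaving a copy under the old id.
        session_regenerate_id(true);
        $new_sid = session_id();

        $_SESSION['username']  = $r['username'];
        $_SESSION['fullname']  = $r['full_name'];
        $_SESSION['leveluser'] = $r['level'];
        // The original also stored the password hash as $_SESSION['passuser']; a credential
        // has no business in session storage, so it is intentionally not copied here.
        $_SESSION['login'] = 1;
        timer(); // session timeout

        $upd = $pdo->prepare('update users set id_session = ? where username = ?');
        $upd->execute([$new_sid, $username]);

        header('Location: ../clientarea/index.php'); // page redirection, after success login
        exit; // a redirect header does not stop the script; nothing below may run
    }

    echo '<center>LOGIN FAILED!!<br/> Wrong username or password.<br/> Or your account being blocked.<br/>';
    echo '<a href="../index.php"><b>Please repeat again.</b></a></center>';
}
?>

<!-- 3. public_html/config/timeout.php -->
<?php
declare(strict_types=1);

// Every page that includes this file has already called session_start(); calling it twice
// raises a notice, so only start when no session is active yet.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * (Re)arm the idle timer: the session stays valid for $time more seconds.
 */
function timer(): void
{
    $time = 10000; // set the timer (seconds of inactivity allowed)
    $_SESSION['timeout'] = time() + $time;
}

/**
 * Returns true while the idle timer has not expired, re-arming it on each call.
 * Returns false once it has expired (or was never set) and removes the timer key so the
 * caller can log the user out.
 */
function login_check(): bool
{
    $timeout = $_SESSION['timeout'] ?? 0; // a missing timer counts as expired
    if (time() < $timeout) {
        timer();
        return true;
    }
    unset($_SESSION['timeout']);
    return false;
}
?>

<!-- 4. public_html/config/logout.php -->
<?php
declare(strict_types=1);

session_start();
// Clear the data, expire the session cookie on the client, then destroy the server side;
// session_destroy() alone leaves the cookie (and so the id) in the browser.
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 42000,
        $params['path'],
        $params['domain'],
        $params['secure'],
        $params['httponly'],
    );
}
session_destroy();
echo '<center>You have successfully exit the system.<b>[LOGOUT]</b></center>';
?>

<!-- 5. Add this script before the <html> tag to public_html/clientarea/ALLPAGES.PHP (all pages) -->
<?php
declare(strict_types=1);

// error_reporting(0) from the original is dropped: it only hid the undefined-index notices
// that the ?? operator below handles explicitly.
session_start();
include '../config/timeout.php';

// A visitor is logged in only while the login flag is set AND the idle timer has not expired
// (login_check() re-arms the timer on success). A missing flag counts as logged out, exactly
// as the original's null == 0 comparison did.
$loggedIn = (int) ($_SESSION['login'] ?? 0) === 1 && login_check();
if (!$loggedIn) {
    $_SESSION['login'] = 0;
    header('Location: ../config/logout.php');
    exit; // never render the protected page after a redirect
}
// The original's "To access this area, you have to login first!" branch was unreachable
// (it re-tested login == 0 inside the branch that had just excluded it), so it is omitted.
?>
<html>

<!-- 6. Nothing needs to be added after the </html> tag: the guard above exits on failure
     instead of wrapping the whole page body in an else { } block, so there are no braces
     left open to close. -->
</html>
<!-- FINISH -->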
http://zer03s.blog.com/php-login-form-with-anti-sql-injection-script/
