#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    56
    Rep Power
    3

    PHP Login System 5 Levels Security


    Hi,

    I need a login script with user access levels for my site, and in my search for such a script I came across the PHP Login System script, which has 5 levels.

    I need help modifying this script to have only 3 user levels, which should be Level 3 - Admin, Level 2 - Master, Level 1 - Agent. I have tried to do it myself, but with my little programming knowledge I could not comprehend the script well enough to modify it myself.

    I will appreciate any help.

    Thanx.

    Joseph
    Last edited by josephbupe; March 13th, 2013 at 04:48 AM.
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    those scripts are garbage, don't use them.

    • Look at the date: The scripts haven't been updated for 9 years. Many functions (eregi_replace(), mysql_query()) are long obsolete and will flood your screen with deprecation warnings on any current PHP version.
    • The "security" is laughable: The code relies on the infamous "Magic Quotes" feature, which should not even exist on your server. Sometimes the programmer even circumvents this feature, leaving the queries wide open to SQL injections even on old PHP setups with "Magic Quotes" turned on. And occasionally he escapes the values by hand. WTF? For the HTML, there's no escaping at all. SQL errors are reported to the user etc.
    • The "forgot password" lets me change the password of any other user. And since it generates the password from weak "random" numbers, I even have a chance to guess it.
    • MD5 hashes aren't exactly state of the art.
    • ...


    I could go on forever, but I think you get the point. Given the fact that this is supposed to be a security script, the total lack of security is just embarrassing.

    You should generally be very careful with scripts you find somewhere on the internet. Many of them are written by bad amateur programmers, who don't have a clue about security, let alone best practices. Many of them are also horribly outdated and haven't been touched in a decade or more.

    Either write your own scripts (check the link in my signature to avoid the mistakes mentioned above). Or find an established project with professional developers and constant updates. PHP evolves, so the scripts need to keep up with that. 15-year-old code probably won't work so well today.
    Last edited by Jacques1; March 13th, 2013 at 07:25 AM.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
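
The fixes for the problems listed in post #2 (injectable queries, MD5 hashes, guessable reset passwords, unescaped HTML), as an added example that is not part of the thread or of the script under discussion. It assumes PHP 7+ with pdo_sqlite; the table, column and function names are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with pdo_sqlite; all names are hypothetical.
declare(strict_types=1);
const LEVEL_AGENT = 1, LEVEL_MASTER = 2, LEVEL_ADMIN = 3; // the three levels asked for in post #1

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, level INTEGER, reset_hash TEXT, reset_expires INTEGER)');

function createUser(PDO $db, string $name, string $password, int $level): void {
    // password_hash() salts and stretches the password, unlike a bare MD5 digest.
    $db->prepare('INSERT INTO users (name, pw_hash, level) VALUES (?, ?, ?)')
       ->execute([$name, password_hash($password, PASSWORD_DEFAULT), $level]);
}

function login(PDO $db, string $name, string $password): ?int {
    // Placeholders keep user input out of the SQL text: no Magic Quotes, no manual escaping.
    $stmt = $db->prepare('SELECT pw_hash, level FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = $row !== false && password_verify($password, $row['pw_hash']);
    return $ok ? (int) $row['level'] : null; // null = rejected, otherwise the access level
}

function startReset(PDO $db, string $name): string {
    // Token comes from the CSPRNG and is mailed to the account owner; only its hash is stored.
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE name = ?')
       ->execute([hash('sha256', $token), time() + 900, $name]);
    return $token;
}

function finishReset(PDO $db, string $name, string $token, string $newPassword): bool {
    $stmt = $db->prepare('SELECT reset_hash, reset_expires FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int) $row['reset_expires'] < time()
        || !hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false; // unknown user, no pending reset, expired, or wrong token
    }
    return $db->prepare('UPDATE users SET pw_hash = ?, reset_hash = NULL WHERE name = ?')
              ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $name]);
}

createUser($db, 'alice', 'correct horse battery', LEVEL_ADMIN); // constructed sample account
var_dump(login($db, "alice' OR '1'='1", 'x'), login($db, 'alice', 'correct horse battery'));
$token = startReset($db, 'alice');
var_dump(finishReset($db, 'alice', 'guessed', 'new pw'), finishReset($db, 'alice', $token, 'new pw'));
echo htmlspecialchars('<b>alice</b>', ENT_QUOTES, 'UTF-8'), "\n"; // escape anything echoed into HTML
```

A reset here only succeeds with the token that was mailed to the account owner, so one user cannot set another user's password.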
  4. #3
  5. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6352
    There is a login system tutorial right in the FAQs and Stickies of the PHP forum (at the top of the list).

    There's also a "hire a programmer" forum if you want to simply pay someone to do this for you.

    Few here will volunteer to do a security script for you for free. It's tedious and kind of annoying, and will only result in you asking for more (free) help.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
