I hope someone can help me here. I am creating a PHP web application that requires the user to log in to view the data in the MySQL database.
I just want to know if this is a good approach and whether it is protected enough. I know that nothing is safe in PHP scripts, but I need it safe enough.
So here is what I am doing, step by step; if you can point me in the right direction and tell me what is wrong, that would be great!
- User logs in with user and password.
- PHP checks the username and password against the database.
If everything is in order, I save $_SESSION["username"] (this holds the username).
Every time I load a request/page, I have a function (below) to check the session.

    function check_session_valid() {
        if (!isset($_SESSION['username']) || $_SESSION['username'] == "") {
            header("Location: /login.php");
            exit; // stop here; without exit the rest of the page still runs after the redirect header
        }
    }
Is it safe now, or am I doing all this completely wrong?
Here is how I think a user could “hack” the application:
On the registration page, when the user enters a username, it tells them whether the username is available.
So couldn't a “hacker” just find a username that is not available, then write a PHP script to set $_SESSION["username"] in the browser, go to index.php and be logged in to some other user's account?
"session_start();" , "check_session_valid();" , ?
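As an added example (not the asker's code), here is the same three-step flow written the way a reviewer would want to see it. On the scenario in the question: $_SESSION is stored on the server, and a browser can only present the session ID cookie, so a script running on the attacker's own machine cannot write into your session array. What an attacker can do is steal that cookie, or plant a session ID they know before the victim logs in; the cookie flags and session_regenerate_id() below exist for that. The example assumes PHP 7.3 or newer, a PDO connection in $pdo, and a users table with id, username and password_hash columns (the hash written by password_hash()); those names are assumptions, not something from the original post.

```php
<?php
// Added example, not the asker's code. Assumptions: PHP >= 7.3, a PDO connection
// in $pdo, and a `users` table with columns id, username, password_hash.
declare(strict_types=1);

// Call once at the top of every page, before any output is sent.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Only accept session IDs the server itself issued (blocks planted IDs).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // expires when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Registration: never store the password itself, only a salted bcrypt hash.
function register_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Step 2 of the question: check the credentials against the database.
// Prepared statement prevents SQL injection; password_verify() compares
// against the stored hash. Returns the user id on success, null otherwise.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Step 3: bind the session to the user. Regenerating the ID discards any
// session ID an attacker may have planted before login (session fixation).
function login_user(int $userId, string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['username'] = $username;
}

// The check from the question, with exit so nothing after the redirect runs.
function check_session_valid(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}

// Clear server-side state and expire the cookie on logout.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// login.php (POST handler), assuming $pdo is already connected:
//   start_secure_session();
//   $id = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
//   if ($id === null) {
//       // show one generic "invalid username or password" message
//   } else {
//       login_user($id, $_POST['username']);
//       header('Location: /index.php');
//       exit;
//   }
//
// index.php and every other protected page:
//   start_secure_session();
//   check_session_valid();
```

Two points worth keeping in mind when adopting this: the check keys on user_id rather than username, so a renamed account does not break the session, and the login page should return the same error for an unknown username and a wrong password, since the registration page already tells visitors which usernames exist.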