How Secure Is This Login System? (Using Cookies In PHP)

Here’s a non-exhaustive list of problems/solutions:

  • Your code is difficult to read because it is not properly indented.
  • You should use prepared statemens to guard against SQL-injection.
  • You give hints to hackers by having different error messages. When the username is correct and the password wrong you say: “Login/Password Incorrect :(“, but if the username is wrong you say: “Username Not Found!”. That way a hacker can know if an username is correct, and half the job is done.
  • Better not use md5() for password encryption.
  • Use password_hash() for handling passwords.
  • Do not store the username in a cookie. Again, you’re leaking information.
  • Don’t use cookies, there’s just no need to do that, use sessions and store information on the server, not on the user’s machine.
  • You seem to have stored usernames as phone_number. So which one is it? It is either an username or a phone number, it cannot be both. Even if you use phone numbers as user names, call them what they are.
  • Sloppy coding: $errors = array(); is not used anywhere. You don’t check the result of new mysqli(), the connection might fail. Same is true for $mysqli->query().
  • You take care to close the database, but then why don’t you release the query result with $result->close();? Either do both, or none.

Security is a difficult topic, it’s really hard to get it right, and what might be good today, might be bad tomorrow.

Leave a Comment