Never do it in real projects.

Your code can be altered like this. Initially, the user is not authorized: `$success = FALSE;`. If there are cookies, and the cookies are not fake (a hash is also provided, which cannot be calculated without knowing the secret "salt" known only to the server), the user is authorized.

Further, if there is no cookie, but there is a POST request with email and pass, we look for a match of the email among the files, and compare the hash of the transmitted password with the hash stored in the .dat files. Store not the password itself, but `md5($pass . $salt)`. This is in its simplest form.

If found, set `$success = TRUE`. After all these dances we look at what is in `$success`, and show one thing or the other.
```php
<?php
$success = FALSE;
$salt = '7v#eLVVBjiT8Ma7rA'; // your top-secret string goes here
                             // the whole "security" rests on nobody else knowing it

if (isset($_COOKIE['id'], $_COOKIE['hash'])) {
    if (md5($_COOKIE['id'] . $salt) === $_COOKIE['hash']) {
        $success = TRUE;
    } else {
        // alarm! The wolf has carried off the bunnies!
        die('Вы, наверное, кул хакер?');
    }
} else if (isset($_POST['email'], $_POST['pass'])) {
    $email = $_POST['email'];
    $pass  = $_POST['pass'];
    $count_id = file_get_contents('../register/count_id.dat');
    for ($i = 1; $i < $count_id; $i++) {
        $id = "id" . $i;
        $email_acc    = file_get_contents("../../acc/$id/info/email.dat");
        $pass_acc     = file_get_contents("../../acc/$id/info/pass.dat");
        $nickname_acc = file_get_contents("../../acc/$id/info/nickname.dat");
        if ($email === $email_acc && md5($pass . $salt) === $pass_acc) {
            setcookie("id", $id, time() + 99999999, "/");
            setcookie("hash", md5($id . $salt), time() + 99999999, "/");
            setcookie("nickname", $nickname_acc, time() + 99999999, "/");
            $success = TRUE;
            break; // no need to keep looping
        }
    }
}

if ($success) {
    echo "ok";
    //echo "Ви вже авторизовані";
} else {
    echo <<<EOFHTML
<script type="text/javascript">
setTimeout(function(){$(".nopass").fadeOut("fast")},10000);
</script>
<div class="nopass">
<h4>Неправильний логін або пароль!</h4>
</div>
EOFHTML;
}
```
For something ready-made for authorization, take a lightweight framework, or a ready-made component, for example on github.
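The same login-then-cookie flow with its weak pieces replaced, as an added example that is not part of the answer above: `password_hash()`/`password_verify()` instead of `md5($pass . $salt)`, an HMAC with `hash_equals()` instead of `md5($id . $salt)` for the cookie, and a secret read from the environment. The `$users` array, `APP_SECRET` and the sample account are assumptions standing in for the per-account .dat files; the options-array form of `setcookie()` assumes PHP 7.3 or later.

```php
<?php
// Added example, not the answer's code. $users replaces the .dat files;
// APP_SECRET is an assumed environment variable, never a literal in source.
$secret = getenv('APP_SECRET') ?: 'CHANGE-ME-assumed-placeholder';

// Registration: let PHP pick a slow, per-user-salted hash (bcrypt by default).
function storePassword(string $pass): string {
    return password_hash($pass, PASSWORD_DEFAULT);
}

// Login: password_verify() re-hashes with the salt embedded in the stored
// hash and compares in constant time; no shared $salt to leak.
function checkLogin(array $users, string $email, string $pass): ?string {
    foreach ($users as $id => $u) {
        if (hash_equals($u['email'], $email) && password_verify($pass, $u['hash'])) {
            return $id;
        }
    }
    return null;
}

// Cookie: HMAC-SHA256 over the id, checked with a timing-safe comparison,
// so a modified or guessed id does not verify without the secret.
function signId(string $id, string $secret): string {
    return hash_hmac('sha256', $id, $secret);
}
function verifyCookie(array $cookie, string $secret): ?string {
    if (!isset($cookie['id'], $cookie['hash'])) {
        return null;
    }
    return hash_equals(signId($cookie['id'], $secret), $cookie['hash']) ? $cookie['id'] : null;
}

// Constructed sample account in place of ../../acc/id1/info/*.dat.
$users = ['id1' => ['email' => 'alice@example.com', 'hash' => storePassword('correct horse')]];

$id = verifyCookie($_COOKIE, $secret);
if ($id === null && isset($_POST['email'], $_POST['pass'])) {
    $id = checkLogin($users, $_POST['email'], $_POST['pass']);
    if ($id !== null) {
        // Short lifetime, HttpOnly and Secure instead of a 3-year plain cookie.
        $opts = ['expires' => time() + 86400, 'path' => '/', 'httponly' => true,
                 'secure' => true, 'samesite' => 'Lax'];
        setcookie('id', $id, $opts);
        setcookie('hash', signId($id, $secret), $opts);
    }
}
echo $id !== null ? "ok" : "Неправильний логін або пароль!";
```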