Here’s a non-exhaustive list of problems/solutions:
- Your code is difficult to read because it is not properly indented.
- You should use prepared statements to guard against SQL-injection.
- You give hints to hackers by having different error messages. When the username is correct and the password wrong you say: “Login/Password Incorrect :(”, but if the username is wrong you say: “Username Not Found!”. That way a hacker can know if a username is correct, and half the job is done.
- Better not use `md5()` for password encryption.
- Use password_hash() for handling passwords.
- Do not store the username in a cookie. Again, you’re leaking information.
- Don’t use cookies, there’s just no need to do that, use sessions and store information on the server, not on the user’s machine.
- You seem to have stored usernames as `phone_number`. So which one is it? It is either a username or a phone number, it cannot be both. Even if you use phone numbers as user names, call them what they are.
- Sloppy coding: `$errors = array();` is not used anywhere. You don’t check the result of `new mysqli()`, the connection might fail. Same is true for `$mysqli->query()`.
- You take care to close the database, but then why don’t you release the query result with `$result->close();`? Either do both, or none.
Security is a difficult topic, it’s really hard to get it right, and what might be good today, might be bad tomorrow.
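A login handler rewritten along the lines of the points above, as an added example (not the poster's code and not the original script); the `users` table layout, the placeholder database credentials and the landing page are assumptions:

```php
<?php
// Added example (not the poster's code): a login handler that applies the
// points above. Assumes a `users` table with `username` and `password_hash`
// columns, the hashes having been created with password_hash() at signup,
// and the placeholder DB credentials below.
session_start();

// One message for every failure, so a wrong username and a wrong password
// look identical to the client.
const LOGIN_FAILED = 'Login/Password Incorrect :(';

function login(mysqli $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never spliced into the SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true = row, null = no row, false = error
    $stmt->close();            // release the statement and its result
    if ($found !== true || !password_verify($password, $hash)) {
        return false;
    }
    // Login state lives server-side in the session; no username in a cookie.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

// Check the connection instead of assuming new mysqli() succeeded.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
if ($db->connect_error) {
    http_response_code(500);
    exit('Database unavailable');
}
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (login($db, $username, $password)) {
    header('Location: /welcome.php');   // assumed landing page
} else {
    echo LOGIN_FAILED;
}
$db->close();
```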
solved How Secure Is This Login System? (Using Cookies In PHP)