
PHP Login Script?

I'm creating a small membership site. I've created a login script and was wondering if this is on its way to becoming secure from common attacks and what else I could do to make it even more secure. No credit card details are stored on the system, that's being processed by a separate merchant.

Login.php

<?php
session_start();

$notifications = array();

if(!empty($_POST['login'])) {

    if(empty($_POST['email']) || empty($_POST['password'])) {
        $notifications[] = 'Login failed! Please provide a username and password.';
    }

    if(count($notifications) == 0) {
        try {
            $dbh = new PDO('mysql:dbname=lf_database;host=127.0.0.1', 'root', 'root');

            $sql = "SELECT email, verified FROM users WHERE email = :email AND password = :password";
            $sth = $dbh->prepare($sql);
            $sth->execute(array(
                ':email'    => $_POST['email'],
                ':password' => md5($_POST['password'])
            ));

            $result = $sth->fetch(PDO::FETCH_ASSOC);

            if($result) {
                // Set session details and redirect user to members page
                session_regenerate_id();
                $_SESSION['logged_in'] = true;
                $_SESSION['verified'] = $result['verified'];
                $_SESSION['created'] = time();
                $_SESSION['ua'] = md5($_SERVER['HTTP_USER_AGENT']) . 'fable3';

                header('Location: members.php');
            } else {
                $notifications[] = "Username or Password incorrect.";
            }
        } catch (PDOException $e) {
            echo 'We\'re having database issues at the moment. Don\'t worry, we\'re getting it sorted!';
        }
    }

} elseif(!empty($_POST['forgot_password'])) {
    // Not yet implemented
}

?>


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Members Login</title>
<link rel="stylesheet" type="text/css" href="css/reset.css">
<!--[if IE]>
    <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>

<body id="home">

<h1>Members Login</h1>

<?php if(count($notifications) > 0) : ?>
    <ul>
        <?php foreach($notifications as $notification) : ?>
            <li><?php print $notification ?></li>
        <?php endforeach; ?>
    </ul>
<?php endif; ?>

<form method="POST" action="">
    <fieldset>
        <legend>Login</legend>
        <input type="email" name="email" placeholder="Email Address" required>
        <input type="password" name="password" placeholder="Password" required>
        <input type="submit" name="login" value="Login">
    </fieldset>
</form>
<a href="#">Need Account? Sign Up</a>

<form method="POST" action="">
    <fieldset>
        <legend>Forgot Your Password?</legend>
        <input type="email" name="forgot_password_email" placeholder="Email Address" required>
        <input type="submit" name="forgot_password" value="Request New Password">
    </fieldset>
</form>

</body>
</html>

Members.php

<?php
session_start();

$verified = false;

// Is the user logged in?
if(!isset($_SESSION['logged_in'])) {
    session_destroy();
    header('Location: login.php');
}

// Is the previous session valid?
if ($_SESSION['ua'] != md5($_SERVER['HTTP_USER_AGENT']) . 'fable3') {
    session_destroy();
    header('Location: login.php');
}

// Is the user verified?
if(isset($_SESSION['verified'])) {
    if($_SESSION['verified']) {
        $verified = true;
    }
}

    // Expire session here after 2 hours (user will be watching a movie, no point expiring before hand)
?>
<h1>Logged In!</h1>

<h2>Debug:</h2>
<pre><?php print_r($_SESSION); ?></pre>

<a href="logout.php">Logout</a>


error_reporting(0) and just to be sure, turn register_globals off. And session_destroy() is not enough to "destroy" the session. You'd have to empty the $_SESSION superglobal using $_SESSION = array() and then unset the session cookie in the $_COOKIE superglobal.

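
As an added example of the point made in the answer above (not code from the post or the answer), here is a small session helper that members.php and a logout.php could share. destroy_session() clears `$_SESSION`, expires the session cookie in the browser and only then calls session_destroy(); require_login() is the guard for members.php with the two-hour expiry the question mentions, and it exits after every redirect, since the posted members.php keeps rendering the protected page after header() is sent. It assumes the posted login.php's `$_SESSION['ua']` format (md5 of the user agent plus `'fable3'`) and PHP's default cookie-based sessions.

```php
<?php
// Added example, not code from the original post or answer. Assumes the
// $_SESSION['ua'] token format used by the posted login.php and the default
// cookie-based session handling. Include this file after session_start().
declare(strict_types=1);

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Two hours, the lifetime the question mentions (assumption for the example).
const SESSION_LIFETIME = 2 * 60 * 60;

// Fully tear down the current session. session_destroy() alone leaves
// $_SESSION populated for the rest of the request and leaves the cookie in
// the browser, so the data is cleared and the cookie expired first.
function destroy_session(): void
{
    $_SESSION = [];

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }

    session_destroy();
}

// Guard for members.php: allow the request only with a logged-in, unexpired
// session bound to the same user agent token. Every redirect is followed by
// exit; otherwise the protected page body is still sent after the header.
function require_login(): void
{
    $valid = !empty($_SESSION['logged_in'])
        && isset($_SESSION['created'], $_SESSION['ua'])
        && (time() - (int) $_SESSION['created']) < SESSION_LIFETIME
        && hash_equals(
            (string) $_SESSION['ua'],
            md5($_SERVER['HTTP_USER_AGENT'] ?? '') . 'fable3'
        );

    if (!$valid) {
        destroy_session();
        header('Location: login.php');
        exit;
    }
}

// logout.php would consist of: require 'session_helper.php'; destroy_session();
// header('Location: login.php'); exit;
```

The user-agent binding is only a speed bump: the header is attacker-controlled, so it cannot stand in for session expiry or for using a `Secure`, `HttpOnly` session cookie. The `print_r($_SESSION)` debug dump in members.php should also be removed before the site goes live.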