Hi everyone and thank you for reading this. I am new to php and i am just starting to understand it a little but i am a little stuck on how to prevent any type of injections into the login form to prevent people from hacking my website. I know that you can use .safe() mysql_real_escape_string but how do i implement this into my coding as i have gone onto php.net and scoured the internet for examples which would come close to my coding but unfortunately i can not see any examples. Can someone please help me, my coding is: $name=$_POST["name"]; $pass=$_POST["pass"]; $query="SELECT * FROM admin WHERE username='".$name."' AND password='".base64_encode($pass)."'"; $result=mysql_query($query,$db); $row=mysql_fetch_array($result); $numrow=mysql_num_rows($result); if($numrow !=''){ $ADMIN_USERNAME=$row["username"]; $ADMIN_PASSWORD=$row["password"]; $ADMIN_ID=$row["id"]; $_SESSION['islogin'] = "yes"; // set booking admin panel vars $_SESSION['idUser']= $ADMIN_ID; $_SESSION['username']= $ADMIN_USERNAME; $_SESSION['accesslevel']= 1899; $_SESSION['logged_in'] = true; // end booking vars setcookie("UsErOfAdMiN",$name); header("Location:dsktpmain.php"); }else{ header("Location:index.php?pas=1"); PHP: Thanks
On a login form I wouldn't worry about injections, because its just checking information, however to avoid someone trying to hack passwords, you could do something like this: http://www.webcheatsheet.com/PHP/blocking_system_access.php
Hi , you just have to update your SQL statement like this : $query="SELECT * FROM admin WHERE username='".addslashes($name)."' AND password='".base64_encode($pass)."'"; But i think you have to add addslashes() on your full site SQL calls , as don't know which page they are hacking into. Thanks
The PHP manual discusses SQL injection, and ways to combat it. http://php.net/manual/en/security.database.sql-injection.php
Don't store passwords using base64. It is not encryption. You should use a 1 way hashing mechanism like MD5 or SHA1 in addition to a salt. Here's a quick overview of how to properly store and authenticate a user - http://www.bucabay.com/web-development/secure-password-hashing-storage-ph/ Next, you need to use mysql_real_escape_string and not addslashes to protect from injections. You should apply this to any user input. $query="SELECT * FROM admin WHERE username='".mysql_real_escape_string($name)."' AND password='".SHA1($pass)."'"; PHP:
mysql_real_escape_string, it is built for this kind of issues.. $name=mysql_real_escape_stri$_POST["name"]; $pass=base64_encode($_POST["pass"]); PHP:
your all making a bunch of amateur mistakes! obviously the OP doesn't know if MQ is on or not! if(get_magic_quotes_gpc()) { $name = mysql_real_escape_string(stripslashes($_POST['name'])); } else { $name = mysql_real_escape_string($_POST['name']); } PHP: Yes, magic quotes is annoying lol everyone hates them, which is why thankfully php is removing them! Yay! also @ op, i have no idea what your trying to do with your, "login" lol from the looks of it, i could just add a cookie called, UsErOfAdMiN, and give it a value of, "admin", and just jack your session. for sessions, i simply store a timestamp in a cookie, and then store the ipaddress and/or host address in the database along with the timestamp. it's simple and it works.
You want to use a database abstraction layer that supports prepared statements. With prepared statements, SQL injection is not possible. Since most databases at this point have supported prepared statements (including MySQL and PostgreSQL) for some time, there is no reason to not use them. While you do not need to use a database abstraction layer to use prepared statements, a database abstraction layer makes it easy to switch database backends in the future. I like MDB2 (from php pear) but there are lot of them with different strengths and weaknesses.
My new favorite is PDO. Think it comes with PHP 5.1+, and it's just awesome. Also, as another user said, get rid of that base64. SHA1 with some unique salt would be good, bcrypt would be better. Check out the "Portable PHP password hashing framework" for an easy way to do this. It will cost you some CPU cycles, but your users will be grateful if your database is ever compromised.
I use SHA1 with a salt that includes the user name, IE $hash=sha1($salt . strtolower($username) . $pass); By using the username as part of the salt, if 20 users all have the same username, they still have different hashes. This is important because if the hash column is somehow stolen, the cracker can't just try the most common passwords on the users that all have common hashes.