So I want to log the login attempts. I created the table with the necessary fields (mostly TEXT fields) and added a simple query to my index page:

```php
$DB->query("INSERT INTO logins (username,password,ip) VALUES ('$username','$password','$senderip')", __FILE__, __LINE__);
```

Is that a safe way to log them? I just want to be sure...
You should escape the values first using

```php
$string = mysql_real_escape_string($string);
```

And you should really do this for ALL data sent to the database to prevent SQL injections.
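The question's INSERT written the two ways this reply points at, as an added example (not code from the thread). It assumes a mysqli connection in `$db` and the `logins` table from the question with TEXT columns `username`, `password` and `ip`; `mysqli_real_escape_string()` stands in for `mysql_real_escape_string()`, since the old mysql extension that function belongs to was removed in PHP 7. The prepared-statement form is the one to prefer: the statement text and the values travel separately, so correctness does not depend on remembering to escape every value by hand.

```php
<?php
// Added example (not the thread's own code): the login-attempt INSERT from the
// question, written two ways. Assumes a mysqli connection in $db and the
// `logins` table from the question with TEXT columns username, password, ip.

// 1. Escaping each value before building the query, as the reply recommends.
//    mysql_real_escape_string() belongs to the old mysql extension (removed in
//    PHP 7); mysqli_real_escape_string() is the mysqli equivalent and needs the
//    open connection so it can use the connection's character set.
function log_login_escaped(mysqli $db, string $username, string $password, string $ip): bool
{
    $u = mysqli_real_escape_string($db, $username);
    $p = mysqli_real_escape_string($db, $password);
    $i = mysqli_real_escape_string($db, $ip);
    $sql = "INSERT INTO logins (username, password, ip) VALUES ('$u', '$p', '$i')";
    return $db->query($sql) === true;   // INSERT returns true on success
}

// 2. A prepared statement: the SQL text is sent once with placeholders and the
//    values are bound separately, so no value can change the statement's
//    structure. Nothing here depends on the caller having escaped anything.
function log_login_prepared(mysqli $db, string $username, string $password, string $ip): bool
{
    $stmt = $db->prepare("INSERT INTO logins (username, password, ip) VALUES (?, ?, ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $username, $password, $ip);   // three string parameters
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Inputs are read by name from the request, not from variables filled by a
// register-globals style loop, and stored as typed (no HTML encoding).
// The password column is kept only because the question's table has one;
// keeping submitted passwords in clear text is an exposure of its own.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$senderip = $_SERVER['REMOTE_ADDR'] ?? '';

$db = new mysqli('localhost', 'db_user', 'db_password', 'site'); // placeholder credentials
log_login_prepared($db, $username, $password, $senderip);
```

Both functions take the raw submitted strings; the difference is only where the quoting happens. With the escaped form a single forgotten call anywhere in the code base reopens the problem, which is why the prepared form is the better default for every query, not just this one.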
Doesn't this do the trick? (I already have this included in all the files.)

```php
if (count($HTTP_GET_VARS) > 0) {
    foreach ($_GET as $name => $value) {
        if (is_array($value)) {
            ${$name} = $value;
        } else {
            ${$name} = htmlentities($value, ENT_QUOTES, "ISO-8859-15");
        }
    }
}
if (count($HTTP_POST_VARS) > 0) {
    foreach ($_POST as $name => $value) {
        if (is_array($value)) {
            ${$name} = $value;
        } else {
            ${$name} = htmlentities($value, ENT_QUOTES, "ISO-8859-15");
        }
    }
}
if (count($HTTP_COOKIE_VARS) > 0) {
    foreach ($_COOKIE as $name => $value) {
        if (is_array($value)) {
            ${$name} = $value;
        } else {
            ${$name} = htmlentities($value, ENT_QUOTES, "ISO-8859-15");
        }
    }
}
```

Also, I found another function in my script:

```php
function textfix($text = "") {
    if (!is_array($text)) {
        $text = htmlentities($text, ENT_QUOTES, "UTF-8");
    }
    return $text;
}
```

The posted username and password are run through it. So I'm good to go without any other tricks?

Edit 3: I tried to take off the textfix function and it logged me in with this password: `' OR ''='` Pretty creepy... I am waiting for confirmation that the textfix function secures my site.
All that just weakens your site. You're effectively enabling register globals (albeit via a PHP-executed method). Read about it here: http://php.net/register_globals
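To make this reply concrete, here is an added example (not code from the thread) that runs the question's request-to-variable loop and its `textfix()` encoding on constructed input, then shows the explicit alternative. All request values, the IP address and the user names are constructed; `addslashes()` is used only as an offline stand-in for `mysqli_real_escape_string()`, which needs an open connection.

```php
<?php
// Added example, not code from the thread: what the request-to-variable loop
// and textfix() from the question actually do, next to an explicit alternative.
// Every input below is constructed so the script runs offline.

// --- 1. The loop creates or overwrites variables named after request keys ---
// This is exactly what register_globals did. A value the script computed
// itself is replaced whenever the request carries a parameter of that name.
$senderip = '198.51.100.7';                                    // set by the script (constructed)
$request  = ['username' => 'alice', 'senderip' => 'not-an-ip']; // constructed request data

foreach ($request as $name => $value) {            // the question's loop, one source only
    if (is_array($value)) {
        ${$name} = $value;
    } else {
        ${$name} = htmlentities($value, ENT_QUOTES, 'ISO-8859-15');
    }
}
echo "senderip after the loop: $senderip\n";       // now "not-an-ip": the script's own value is gone

// --- 2. htmlentities() is HTML output encoding, not SQL escaping ---
// With ENT_QUOTES a single quote becomes &#039;, so the quote never reaches the
// SQL parser. That is the only reason the ' OR ''=' password stopped working
// once textfix() was back. The cost: the stored value is no longer what the
// user typed (O'Brien is saved as O&#039;Brien), and any code path that skips
// textfix() is unprotected again. Each layer needs its own encoding.
function compare_layers(string $raw): array
{
    return [
        'raw'          => $raw,
        'html_encoded' => htmlentities($raw, ENT_QUOTES, 'UTF-8'),
        'sql_escaped'  => addslashes($raw),   // stand-in for mysqli_real_escape_string()
    ];
}
print_r(compare_layers("' OR ''='"));
print_r(compare_layers("O'Brien"));

// --- 3. The replacement: read named fields from the superglobal they belong in ---
// No other request key can create or overwrite a variable. Encode for HTML only
// when printing; for the database use a prepared statement (or the driver's
// escape function) so the value reaches each layer in the form it understands.
function post_string(string $key): string
{
    $v = $_POST[$key] ?? '';
    return is_string($v) ? $v : '';
}
$username = post_string('username');
$password = post_string('password');
$senderip = $_SERVER['REMOTE_ADDR'] ?? '';         // from the server, never from the request body
echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . "\n"; // encode at the output boundary
```

Run from the command line the script prints the clobbered `senderip`, then the three encodings of each sample string, which makes the point of this reply visible: the loop lets request data rename and overwrite the script's variables, and the HTML encoding that happened to block one malformed password is a side effect, not a database protection.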