
I'm going to log my users' login attempts. Is this the safe way to do it?

Discussion in 'PHP' started by x0x, Feb 20, 2009.

  1. #1
    So I want to log the login attempts.

    I created the table with the necessary fields (mostly TEXT fields).

    and added a simple query to my index page:

    PHP:
    $DB->query("INSERT INTO logins (username,password,ip) VALUES ('$username','$password','$senderip')", __FILE__, __LINE__);

    Is that a safe way to log them? I just want to be sure...
     
    x0x, Feb 20, 2009 IP
  2. Rory M

    #2
    You should escape the values first using

    PHP:
    $string = mysql_real_escape_string($string);

    And you should really do this for ALL data sent to the database to prevent SQL injection.
     
    Rory M, Feb 20, 2009 IP
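As an added example (not code from the thread or from any poster), here is the INSERT from post #1 written the way Rory M recommends, with every value escaped and quoted, next to the same insert as a prepared statement. It assumes a mysqli connection with placeholder credentials and a logins table with username and ip columns; the submitted password is deliberately left out of the log, because a table of clear-text password attempts is itself a credential store. mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7, so the mysqli equivalent is used; it needs the open connection because escaping depends on the connection's character set.

```php
<?php
// Added example, not from the thread. Connection parameters are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

function logLoginEscaped(mysqli $db, string $username, string $senderIp): bool
{
    // Escape each value AND keep the quotes in the SQL text: an escaped value
    // that is not wrapped in quotes gains nothing from the escaping.
    $u  = $db->real_escape_string($username);
    $ip = $db->real_escape_string($senderIp);
    return $db->query("INSERT INTO logins (username, ip) VALUES ('$u', '$ip')");
}

function logLoginPrepared(mysqli $db, string $username, string $senderIp): bool
{
    // Prepared statement: the SQL text is fixed before any value is seen, and
    // the values travel separately, so nothing in $username can change the
    // statement's structure. This is the form to prefer over manual escaping.
    $stmt = $db->prepare('INSERT INTO logins (username, ip) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $senderIp);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed input: the value from post #3 ends up stored as the literal
// string ' OR ''= in the username column, not interpreted as SQL.
$attempt  = "' OR ''='";
$senderIp = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
logLoginEscaped($db, $attempt, $senderIp);
logLoginPrepared($db, $attempt, $senderIp);
```

Both functions store the attempt as data. The escaped form only works while every interpolated value is quoted and escaped with the same connection's charset; the prepared form has no such preconditions, which is why it is the safer default.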
  3. x0x

    #3
    Doesn't this do the trick? (I already have this included in all the files.)

    PHP:
    // Copies every GET, POST and COOKIE key into a global variable of the same name.
    // (The original tested the long-array names $HTTP_GET_VARS etc., removed in PHP 5.4.)
    foreach (array($_GET, $_POST, $_COOKIE) as $source) {
        foreach ($source as $name => $value) {
            ${$name} = is_array($value) ? $value : htmlentities($value, ENT_QUOTES, "ISO-8859-15");
        }
    }

    Also, I found another function in my script:

    PHP:
    function textfix($text = "")
    {
        // HTML-encodes scalar values; arrays are returned untouched.
        if (!is_array($text)) {
            $text = htmlentities($text, ENT_QUOTES, "UTF-8");
        }
        return $text;
    }

    The posted username and password are run through it. So am I good to go without any other tricks?

    edit 3: I tried to take off the textfix function and it logged me in with this password: ' OR ''='

    Pretty creepy... I am waiting for confirmation that the textfix function secures my site.
     
    x0x, Feb 20, 2009 IP
  4. Danltn

    #4
    All that just weakens your site.

    You're effectively enabling register_globals (albeit via a PHP-executed method).

    Read about it here: http://php.net/register_globals
     
    Danltn, Feb 21, 2009 IP
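As an added example (not from the thread or from any poster), this replaces the register-globals emulation from post #3 with explicit input handling and logs the attempt through a PDO prepared statement, which addresses both Danltn's point and the `' OR ''='` login from post #3. It assumes PDO with placeholder connection details, a logins table with username, ip, success and attempted_at columns, and a users table with a password_hash column; everything beyond the username and ip columns from the thread is an assumed schema.

```php
<?php
// Added example, not from the thread. DSN and credentials are placeholders;
// the success/attempted_at columns and the users table are assumed.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// Read only the fields this page needs, only from the source they should come
// from. Nothing else in the request becomes a variable. A missing field yields
// null, and a value submitted as an array under the same name is rejected.
function postString(string $name): ?string
{
    $value = filter_input(INPUT_POST, $name, FILTER_UNSAFE_RAW);
    return is_string($value) ? $value : null;
}

$username = postString('username');
$password = postString('password');
$senderIp = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

function checkCredentials(PDO $pdo, ?string $username, ?string $password): bool
{
    if ($username === null || $password === null) {
        return false;
    }
    // The username is bound, not interpolated: "' OR ''='" is compared as a
    // literal string against the username column and matches nothing.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

function logLoginAttempt(PDO $pdo, ?string $username, string $senderIp, bool $success): void
{
    // Store the raw submitted value: the log should show what was actually
    // sent, and the placeholder keeps it from altering the statement. The
    // password is intentionally not recorded.
    $stmt = $pdo->prepare(
        'INSERT INTO logins (username, ip, success, attempted_at) VALUES (:u, :ip, :ok, NOW())'
    );
    $stmt->execute([
        ':u'  => $username ?? '',
        ':ip' => $senderIp,
        ':ok' => $success ? 1 : 0,
    ]);
}

$ok = checkCredentials($pdo, $username, $password);
logLoginAttempt($pdo, $username, $senderIp, $ok);

// htmlentities() is output encoding for HTML. Apply it where the log is
// displayed, not before the value reaches the database: encoding first would
// store "&#039; OR &#039;&#039;=" instead of what was really submitted.
echo '<td>' . htmlentities($username ?? '', ENT_QUOTES, 'UTF-8') . '</td>';
```

The two encodings have different jobs: parameter binding keeps input out of the SQL grammar, and htmlentities() keeps stored values out of the HTML grammar when the log is rendered. Running input through htmlentities() before the INSERT mixes the two, which is why the log in post #3 would hold HTML entities rather than the attacker's actual input.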