I need help! I'm in the process of building a small login system.. the only things that need to be entered at a username and password but I always fail when it comes to securing it up. What things should I do to aid with the securing of it? What things should I secure against? If anyone could post examples of good secure logins for me to educate myself from, I'd be extremely appreciative. Thanks!
One thing you can do is change over to using the mysqli function in php and using prepared statements to clean input but heres some basic cleaning for sql injections <?php $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'", mysql_real_escape_string($user), mysql_real_escape_string($password)); mysql_query($query); ?> Code (markup):
Can anyone explain with simple example how the hackers can misuse the login system if we are not following these steps? atlantaazfinest, You mean "REPort Post" button?
Check this post here i guess it is in the QUESTION NUMBER 3.. maybe it will come useful, just to bear in mind...
store the users password using forward php encryption, sha1() and then md5(), upon checking if passwords match just forward ecrypt the posted string in the same way and run the query.
LOL... And example if you don't sanitize the input a hacker can do ' OR 1=1 ;-- Code (markup): what that will do is make the query look something like this password='' OR 1=1;-- (Makes the rest of the query a comment) and therefore 1 is equal to 1 so it will return an entry based on the other parameters they put in ex username giving them authentication.
Create a sessions table in your database and use a cookie to reference which session it is instead of keeping all info in a cookie.