I'm investigating what methods exist to compromise PHP/MySQL websites, and this is what I'm doing so far:

1) using htmlentities (to avoid XSS attacks)
2) magic_quotes_gpc is on (to avoid SQL injection)

Also, for user authentication I'm using:

```php
$user = $_POST["user"];
$pass = sha1($_POST["pass"]);
// Credentials are concatenated straight into the query; escaping is left to magic_quotes_gpc
$query = "SELECT * from users WHERE username='" . $user . "' AND password = '" . $pass . "'";
$result = mysql_query($query);
$row = mysql_fetch_object($result);
if ($row) {
    session_start();
    $_SESSION["access"] = "granted";
    $_SESSION["id"] = $row->id;
    header('Location: welcome.php');
    exit; // stop the script after sending the redirect
} else {
    header('Location: login.html');
    exit;
}
```

The verification is then done on each page with:

```php
session_start();
header("Cache-control: private");
if ($_SESSION["access"] == "granted") {
    echo "welcome registered user";
} else {
    header('Location: login.html');
    exit; // without this the protected page body is still sent after the redirect header
}
```

So, are 1) and 2) enough to foil attacks? Am I missing something here? I heard that even with magic_quotes_gpc on it's still possible to do SQL injection, but I couldn't find anything on Google.

Second question (maybe a stupid one, I just want to be sure): are $_SESSION variables server-side, i.e. is it not possible for a user to alter the value of this variable?
```php
$query = "SELECT * from users WHERE username='" . $user . "' AND password = '" . $pass . "'";
```

try

```php
$query = "SELECT * from users WHERE username='" . mysql_real_escape_string($user) . "' AND password = '" . mysql_real_escape_string($pass) . "'";
```

For starters, that should help a lot. While the session information is server-side, it is possible to change the cookie ID the session uses, but unlikely.
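The original poster asked for a case where injection still works with magic_quotes_gpc on, and the answer above does not give one. As an added example (not code from this thread, and not the poster's PHP), the block below shows two such cases and the parameterised form that closes both. Assumptions are mine: the PHP/MySQL setup is emulated with Python's sqlite3 so it runs offline, `addslashes()` is re-implemented to stand in for what magic_quotes_gpc did to request data, and the users table, its rows and the attacker inputs are all constructed for the demo. SQLite does not treat a backslash as an escape inside string literals, so the quoted login query from the post is deliberately not reproduced; neither case below depends on backslash escaping.

```python
"""Added example: addslashes-style escaping (magic_quotes_gpc) vs. bound parameters.

Emulates PHP/MySQL with sqlite3. The users table, rows and attacker inputs are
constructed for the demo and are not from the thread.
"""
import re
import sqlite3

# Constructed sample rows standing in for the MySQL users table.
SAMPLE_USERS = [(1, "alice", "<hash1>"), (2, "bob", "<hash2>")]


def addslashes(s: str) -> str:
    """Emulate PHP addslashes(): backslash-prefix ' " \\ and NUL.
    That is all magic_quotes_gpc did, and only to $_GET/$_POST/$_COOKIE."""
    return re.sub(r"([\"'\\\x00])", r"\\\1", s)


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


# Case 1: numeric context. The query puts no quotes around the value, so the
# attacker needs none, and addslashes() finds nothing to escape.
def profile_by_id_vulnerable(db, raw_id: str):
    # Mirrors:  "SELECT ... WHERE id = " . $_GET['id']   with magic_quotes on
    sql = "SELECT id, username FROM users WHERE id = " + addslashes(raw_id)
    return db.execute(sql).fetchall()


def profile_by_id_safe(db, raw_id: str):
    # Bound parameter: the value travels separately from the SQL text and is
    # never parsed as part of the statement.
    return db.execute("SELECT id, username FROM users WHERE id = ?", (raw_id,)).fetchall()


# Case 2: second-order injection. magic_quotes escapes the value on the way in,
# the server drops the backslashes when it parses the literal, and the stored
# value is later reused in a concatenated query that nothing escapes.
def register(db, username: str, password_hash: str) -> int:
    # A parameterised insert stores the same value an escaped literal would.
    cur = db.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                     (username, password_hash))
    return cur.lastrowid


def find_user_vulnerable(db, stored_username: str):
    # Mirrors:  "... WHERE username='" . $row->username . "'"
    # $row->username came from the database, not from a request, so
    # magic_quotes never touched it.
    sql = "SELECT id, username FROM users WHERE username='" + stored_username + "'"
    return db.execute(sql).fetchall()


def find_user_safe(db, stored_username: str):
    return db.execute("SELECT id, username FROM users WHERE username = ?",
                      (stored_username,)).fetchall()


def run_demo() -> dict:
    db = make_db()
    out = {
        "numeric_vuln": profile_by_id_vulnerable(db, "1 OR 1=1"),   # every row
        "numeric_safe": profile_by_id_safe(db, "1 OR 1=1"),         # no row
        "numeric_safe_normal": profile_by_id_safe(db, "2"),         # just bob
    }
    evil = "x' OR '1'='1"            # constructed attacker-chosen username
    register(db, evil, "<hash3>")
    out["second_order_vuln"] = find_user_vulnerable(db, evil)      # every row
    out["second_order_safe"] = find_user_safe(db, evil)            # only the new row
    return out


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:20s} -> {rows}")
```

Two caveats for the PHP side that the example cannot show: with magic_quotes_gpc on, calling mysql_real_escape_string() on request data double-escapes it unless you stripslashes() first, and neither escaping function helps in the unquoted numeric case above; prepared statements (mysqli or PDO) do. The unsalted SHA-1 in the post is a separate weakness from the injection point, and the thing an attacker actually goes after in the session design is the session ID cookie, which is why it should be regenerated at login and sent with the HttpOnly (and, over TLS, Secure) flags.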