I'm still learning PHP, so bear with me...
I have a login system here, and I would like any input on what I need to update to make this more secure.
I've been reading a lot of information about how I need to prevent SQL injection and XSS attacks, but I have yet to see some real-world examples on how to accomplish that.
the "dbcfg.php" file is my database config file - it defines the DSN, DBUSER, and DBPASS.
<?php
require_once ("dbcfg.php");
//Retrieve the EMAIL and PASSWORD entries from the user via POST
$email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
$password = htmlspecialchars($_POST["password"]);
//Create an empty ERRORS array
$err = array();
//If the EMAIL variable is null or empty then throw an error
if (!isset($email) || strlen($email) == 0 || $email == null) {
array_push($err, " - 'Email Address' cannot be empty.");
}
//If the PASSWORD variable is null or empty then throw an error
if (!isset($password) || strlen($password) == 0 || $password == null) {
array_push($err, " - 'Password' cannot be empty.");
}
//If the array has values, then return the errors back to the user
if (sizeof($err) > 0) {
echo implode("<br>", $err);
}
//Else - TRY to check the user's credentials with what is in the database
else {
try {
$pdo = new PDO(DSN,DBUSER,DBPASS);
$sql = "SELECT ID, FNAME, LNAME, EMAIL, PWORD FROM users WHERE (EMAIL=:email AND IS_INACTIVE = 0) LIMIT 0, 1;";
$stmt = $pdo->prepare($sql);
$stmt->execute([":email" => $email]);
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
if (sizeof($results) > 0) {
$obj = $results[0];
if (password_verify($password, $obj["PWORD"])) {
session_start();
$_SESSION['user_id'] = $obj["ID"];
$_SESSION['user_firstname'] = $obj["FNAME"];
$_SESSION['user_lastname'] = $obj["LNAME"];
$_SESSION['user_email'] = $email;
echo "success";
}
else {
echo "Invalid username and/or password";
}
}
else {
echo "Invalid username and/or password";
}
} catch (PDOException $e) {
echo $e->getMessage();
die("Could not connect to the database:" . $e->getMessage());
}
}
?>