Hi,
Myself and a friend are working on a site. We haven't done any PHP before, but for some strange reason we chose to do it in PHP. Below is the login script; I was hoping for some suggestions or feedback on how secure or not secure it is against attack.
Also, what would be the best method for guarding against a brute-force attack? (What is the best way to limit login attempts?)
```php
<?php
session_start();
//------------------------------------------------------------------------
//connection to the database select table
include('connect.php');
//----------------------------------------------------//
//To Protect against Sql injection on mssql remove quotes
$login = @str_replace("'", "''", $_POST['login']);
$password = @str_replace("'", "''", $_POST['password']);
$password = md5($password);
// To protect SQL injection Strip backslashes
$login = @strip_tags($login);
$login = @stripslashes($login);
$password = @strip_tags($password);
$password = @stripslashes($password);
//------------------------------------------------------//
//SQL query
try {
    @$query = "SELECT * ";
    @$query .= "FROM Customers ";
    @$query .= "WHERE Username = '$login' AND Password = '$password'";
    //execute the SQL query and return records
    @$result = mssql_query($query);
    //display the results
    if ($row = mssql_fetch_object($result)) {
        @$_SESSION['SESS_Participent_ID'] = $row->Memberz_ID;
        @$_SESSION['SESS_Business'] = $row->Businesses_ID;
        @$_SESSION['SESS_FIRST_NAME'] = $row->firstnamez;
        @$_SESSION['SESS_LAST_NAME'] = $row->lastnamez;
        //============================================================================
        //============================================================================
        @header("location: member-index.php");
    } else {
        @header("location: login-failed.php");
    }
} catch (PDOException $e) {
    echo 'Login Failed. Please try again.';
}
?>
```
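For comparison, here is the same login flow rewritten in hardened form. This is an added example, not the poster's code: a prepared statement replaces the manual quote escaping, password_hash()/password_verify() replace md5(), and a small per-account failure counter limits brute forcing. It assumes connect.php exposes a PDO connection as $pdo (sqlsrv driver), that Customers.Password stores password_hash() output, and that a login_attempts table (a constructed name) exists.

```php
<?php
// Added example, not the poster's code: same login flow, hardened. Assumes
// connect.php defines a PDO $pdo (sqlsrv driver), Customers.Password holds
// password_hash() output, and a constructed login_attempts(Username,
// Attempts, LastAttempt) table exists for per-account rate limiting.
session_start();
require 'connect.php';
const MAX_ATTEMPTS = 5;      // failures before the account is locked
const LOCKOUT_SECONDS = 900; // how long the lock lasts

function tooManyAttempts(PDO $pdo, string $login): bool {
    $st = $pdo->prepare('SELECT Attempts, LastAttempt FROM login_attempts WHERE Username = ?');
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row) return false;
    $age = time() - strtotime($row['LastAttempt']);
    return (int)$row['Attempts'] >= MAX_ATTEMPTS && $age < LOCKOUT_SECONDS;
}

function recordFailure(PDO $pdo, string $login): void {
    $st = $pdo->prepare('UPDATE login_attempts SET Attempts = Attempts + 1, LastAttempt = GETDATE() WHERE Username = ?');
    $st->execute([$login]);
    if ($st->rowCount() === 0) { // first failure for this account
        $pdo->prepare('INSERT INTO login_attempts (Username, Attempts, LastAttempt) VALUES (?, 1, GETDATE())')->execute([$login]);
    }
}

$login    = $_POST['login'] ?? '';
$password = $_POST['password'] ?? '';
if (tooManyAttempts($pdo, $login)) { header('Location: login-failed.php'); exit; }

// Parameterised query: input never becomes part of the SQL text, so the
// quote-doubling / strip_tags / stripslashes steps are not needed.
$st = $pdo->prepare('SELECT Memberz_ID, Businesses_ID, firstnamez, lastnamez, Password FROM Customers WHERE Username = ?');
$st->execute([$login]);
$row = $st->fetch(PDO::FETCH_OBJ);

// password_verify() checks a salted, slow hash (not md5) in constant time.
if ($row && password_verify($password, $row->Password)) {
    $pdo->prepare('DELETE FROM login_attempts WHERE Username = ?')->execute([$login]);
    session_regenerate_id(true); // fresh session id on login (session fixation)
    $_SESSION['SESS_Participent_ID'] = $row->Memberz_ID;
    $_SESSION['SESS_Business']       = $row->Businesses_ID;
    $_SESSION['SESS_FIRST_NAME']     = $row->firstnamez;
    $_SESSION['SESS_LAST_NAME']      = $row->lastnamez;
    header('Location: member-index.php');
} else {
    recordFailure($pdo, $login); // same response for unknown user and wrong password
    header('Location: login-failed.php');
}
exit;
```

Counting failures per account alone can be used to lock legitimate users out, so in practice it is usually combined with a per-source-IP counter and a delay rather than a hard lock.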