Cory94bailly Posted May 17, 2008 Share Posted May 17, 2008 I just tested a script of mine and it let me enter characters that should not be allowed.. <?php //**********Start Member Login!**********\\ ob_start(); error_reporting(E_ALL); // Connects to your Database mysql_connect("***", "***", "***") or die(mysql_error()); mysql_select_db("***") or die(mysql_error()); //Checks if there is a login cookie if(isset($_COOKIE['ID_fcs_member'])) //if there is, it logs you in and directes you to the members page { $username = $_COOKIE['ID_fcs_member']; $pass = $_COOKIE['Key_fcs_member']; $check = mysql_query("SELECT * FROM members WHERE username = '$username'")or die(mysql_error()); while($info = mysql_fetch_array( $check )) { if ($pass != $info['password']) { } else { header("Location: ***"); } } } //if the login form is submitted if (isset($_POST['submit'])) { // if form has been submitted // makes sure they filled it in if(!$_POST['username'] | !$_POST['pass']) { die('You did not fill in a required field.'); } // checks it against the database if (!get_magic_quotes_gpc()) { $_POST['email'] = addslashes($_POST['email']); } $check = mysql_query("SELECT * FROM members WHERE username = '".$_POST['username']."'")or die(mysql_error()); //Gives error if user dosen't exist $check2 = mysql_num_rows($check); if ($check2 == 0) { die('That user does not exist in our database. <a href="register.php">Click Here to Register</a>'); } while($info = mysql_fetch_array( $check )) { $_POST['pass'] = stripslashes($_POST['pass']); $info['password'] = stripslashes($info['password']); $_POST['pass'] = md5($_POST['pass']); //gives error if the password is wrong if ($_POST['pass'] != $info['password']) { die('Incorrect password, please try again.'); } else { // if login is ok then we add a cookie $_POST['username'] = stripslashes($_POST['username']); $hour = time() + 3600; setcookie(ID_fcs_member, $_POST['username'], $hour); setcookie(Key_fcs_member, $_POST['pass'], $hour); //then redirect them to the members area header("Location: ***"); } } } else { //**********End Member Login!**********\\ ?> I heard that "mysql_real_escape_string" works but idk where to put it =/ Link to comment https://forums.phpfreaks.com/topic/106081-solved-how-can-i-make-this-more-secure/ Share on other sites More sharing options...
RichardRotterdam Posted May 17, 2008 Share Posted May 17, 2008 you place it around every posted variable since that could be the input of potention danger mysql_real_escape_string($_POST['username']) Link to comment https://forums.phpfreaks.com/topic/106081-solved-how-can-i-make-this-more-secure/#findComment-543706 Share on other sites More sharing options...
GingerRobot Posted May 17, 2008 Share Posted May 17, 2008 I wouldn't escape a username - use regex to make sure only certain characters are allowed. For example, to allow alphanumeric characters plus spaces and underscores and to set a minimum of 3 and a maximum of 20 characters, use: if(!preg_match('|^[a-z0-9 _]{3,20}$|i',$user)){ //username not ok - alert user and do not enter into database } There would then be no need to use mysql_real_escape_string() on this field. Link to comment https://forums.phpfreaks.com/topic/106081-solved-how-can-i-make-this-more-secure/#findComment-543768 Share on other sites More sharing options...
Cory94bailly Posted May 17, 2008 Author Share Posted May 17, 2008 I wouldn't escape a username - use regex to make sure only certain characters are allowed. For example, to allow alphanumeric characters plus spaces and underscores and to set a minimum of 3 and a maximum of 20 characters, use: if(!preg_match('|^[a-z0-9 _]{3,20}$|i',$user)){ //username not ok - alert user and do not enter into database } There would then be no need to use mysql_real_escape_string() on this field. Where do I put that? Link to comment https://forums.phpfreaks.com/topic/106081-solved-how-can-i-make-this-more-secure/#findComment-543824 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.