aeonsky
Posted June 12, 2008

I keep trying to secure the log-in form with mysql escape, but it doesn't work for some reason. Can you please tell me how to properly secure this form against SQL injections? Here is the authorization code:

```php
$action   = $_REQUEST['action'];
$userform = $_REQUEST['userform'];
$passform = $_REQUEST['passform'];

if ($_SESSION['login'] != "yes" && $action == "check") {
    $dbhost = 'localhost';
    $dbuser = 'xxx';
    $dbpass = 'xxx';
    $dbname = 'xxx';

    $conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql!');
    mysql_select_db($dbname, $conn);

    // $userform is placed into the query text unescaped (the point being asked about).
    $result = mysql_query("SELECT * FROM user WHERE username='$userform'");
    $row = mysql_fetch_array($result);

    if ($row['username'] == "") {
        echo "Wrong username!";
        die;
    }

    // Stored password is md5(md5(password) . salt).
    $hash = md5(md5($passform) . $row['salt']);
    if ($hash != $row['password']) {
        echo "Wrong password!";
        die;
    }

    $_SESSION['login'] = "yes";
    $_SESSION['user']  = $row['username'];
    mysql_close();
    header('Location: index.php');
}
```

Thank you!

pquery
Posted June 12, 2008

stripslashes and stripspaces from your userform and passform
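
One way to run the check from the first post with a bound parameter instead of string interpolation, as an added example that is not code from either poster. The table and column names and the hash scheme are taken from the post; the `check_login()` helper, the in-memory SQLite database and its single row are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Table/column names (user,
// username, salt, password) and the md5(md5(pass).salt) scheme come from the
// post; check_login() and the SQLite test data are hypothetical.

function check_login(PDO $db, string $user, string $pass): ?string
{
    // The placeholder keeps $user out of the SQL text: the driver passes it
    // as a value, so a quote inside it cannot change the statement.
    $stmt = $db->prepare('SELECT username, salt, password FROM user WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched

    // Compute the hash even when no row matched, so an unknown user and a
    // wrong password take the same path and give the same answer.
    $salt   = $row ? $row['salt'] : '';
    $stored = $row ? $row['password'] : '';
    $hash   = md5(md5($pass) . $salt);       // scheme kept from the post

    // hash_equals() compares in constant time and avoids the loose
    // comparison that != applies to two hex strings.
    return ($row && hash_equals($stored, $hash)) ? $row['username'] : null;
}

// Constructed test data: one user whose name contains a single quote.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, salt TEXT, password TEXT)');
$salt = 'k3Qz';
$ins  = $db->prepare('INSERT INTO user VALUES (?, ?, ?)');
$ins->execute(["o'brien", $salt, md5(md5('correct horse') . $salt)]);

// Right password, wrong password, unknown user.
var_dump(check_login($db, "o'brien", 'correct horse'));
var_dump(check_login($db, "o'brien", 'wrong'));
var_dump(check_login($db, 'nobody', 'correct horse'));
```

Against the MySQL database from the post, the same function works with a `mysql:` DSN that sets `charset=utf8mb4` and with `PDO::ATTR_EMULATE_PREPARES` set to `false`. On a successful login, call `session_regenerate_id(true)` before writing to `$_SESSION`.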