
sql injection


dezkit


I'm thinking about putting this code into my website, but I was wondering if anybody can tweak the code to make it 100% unhackable.

 

<?php
$host="localhost"; // Host name
$username=""; // MySQL username
$password=""; // MySQL password
$db_name="test"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect($host, $username, $password) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");

// The session must be started before anything is written to it.
session_start();

// username and password sent from form (empty string if a field is missing)
$myusername = isset($_POST['myusername']) ? $_POST['myusername'] : '';
$mypassword = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';

// To protect against MySQL injection: undo magic_quotes escaping (only when it
// is on, otherwise legitimate backslashes would be lost), then escape for MySQL
if (get_magic_quotes_gpc()) {
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
}
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql) or die("query failed");

// mysql_num_rows counts the rows the query returned
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword in the session and redirect to "login_success.php"
// ($_SESSION replaces the deprecated session_register())
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
header("Location: login_success.php");
exit; // stop the script so nothing after the redirect is executed
}
else {
echo "Wrong Username or Password";
}
?>

 

https://forums.phpfreaks.com/topic/124117-sql-injection/
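The same login flow rebuilt the way it is normally done today, as an added example (this is not the poster's code and not something from the thread): the query is a prepared statement, so user input is bound as data and can never change the SQL, and the table stores a password hash produced by password_hash() rather than the password itself. It assumes a table `members` with columns `id`, `username` and `password_hash`, and uses placeholder connection details.

```php
<?php
// Added example, not the thread's code. Assumed schema:
//   members(id INT, username VARCHAR, password_hash VARCHAR)
// where password_hash holds the output of password_hash().
declare(strict_types=1);
session_start();

$dsn    = 'mysql:host=localhost;dbname=test;charset=utf8mb4'; // placeholder
$dbUser = 'DB_USER_PLACEHOLDER';
$dbPass = 'DB_PASSWORD_PLACEHOLDER';

$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: bound values never become SQL text
]);

// A real hash to verify against when the username does not exist, so a failed
// login takes the same time whether or not the account is known.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

/**
 * Return the member row on success, null on failure.
 * The SQL shape is fixed; input such as  ' OR '1'='1  is just a string value.
 */
function authenticate(PDO $pdo, string $dummyHash, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the per-user salt and cost factor out of the stored
    // hash and compares in constant time; no md5()/salt bookkeeping is needed here.
    $hash = ($row !== false) ? $row['password_hash'] : $dummyHash;
    $ok   = password_verify($password, $hash);

    return ($ok && $row !== false) ? $row : null;
}

/** Registration side: store only the hash, never the plaintext password. */
function createMember(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

$user = authenticate(
    $pdo,
    $dummyHash,
    $_POST['myusername'] ?? '',
    $_POST['mypassword'] ?? ''
);

if ($user !== null) {
    session_regenerate_id(true);          // fresh session id on login (session fixation defence)
    $_SESSION['user_id']  = $user['id'];  // keep an identifier in the session, not the password
    $_SESSION['username'] = $user['username'];
    header('Location: login_success.php');
    exit;                                 // nothing after a redirect should run
}

echo 'Wrong Username or Password';
```

Two points to check when adopting this: PASSWORD_DEFAULT is bcrypt, which only looks at the first 72 bytes of the password, and the `password_hash` column needs to be wide enough for future algorithms (255 characters is the usual advice).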

Why do you need to store the password in the session? I have read a few things that say the best way to store a pass is as an MD5 hash, so if someone can access your database they still can't get your passwords.

And the best form of storage is to MD5 them with a salt, so even if they crack the hash they still don't know the pass.

 

Scott.


...so even if they crack the hash they still don't know the pass.

 

The salts are to prevent hackers from using precompiled lookup tables against your database, and to a lesser extent to prevent them from creating their own. If you add a unique salt to each record, it means that each password must be solved individually.

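An added illustration of the point made in the two replies above (constructed for this page, not code from the thread): a precomputed table of MD5 hashes of common passwords recovers every unsalted record with one lookup, and shows which users share a password, while a unique random salt per record makes the table useless and forces separate work per record. The member list and the "lookup table" are both constructed sample data.

```php
<?php
// Added example; all data below is constructed for the demonstration.
declare(strict_types=1);

// An attacker's precomputed table: md5(password) => password for a few common passwords.
$lookupTable = [];
foreach (['123456', 'password', 'letmein', 'qwerty'] as $p) {
    $lookupTable[md5($p)] = $p;
}

// Two constructed members who happen to use the same weak password.
$members = [
    ['username' => 'alice', 'password' => 'letmein'],
    ['username' => 'bob',   'password' => 'letmein'],
];

/** Unsalted storage: hash = md5(password). */
function storeUnsalted(array $members): array
{
    $rows = [];
    foreach ($members as $m) {
        $rows[$m['username']] = md5($m['password']);
    }
    return $rows;
}

/** Per-record salt: a random salt stored in the clear next to md5(salt . password). */
function storeSalted(array $members): array
{
    $rows = [];
    foreach ($members as $m) {
        $salt = bin2hex(random_bytes(16)); // unique per record
        $rows[$m['username']] = ['salt' => $salt, 'hash' => md5($salt . $m['password'])];
    }
    return $rows;
}

/** One table lookup per record: works only if the stored hash was computed without a salt. */
function recoverWithTable(array $unsaltedRows, array $table): array
{
    $found = [];
    foreach ($unsaltedRows as $user => $hash) {
        if (isset($table[$hash])) {
            $found[$user] = $table[$hash];
        }
    }
    return $found;
}

/** With salts the table is useless; each record needs its own md5(salt . guess) pass. */
function recoverWithTableSalted(array $saltedRows, array $table): array
{
    $found = [];
    foreach ($saltedRows as $user => $row) {
        if (isset($table[$row['hash']])) { // never true: the salt changed the input
            $found[$user] = $table[$row['hash']];
        }
    }
    return $found;
}

$unsalted = storeUnsalted($members);
$salted   = storeSalted($members);

// Unsalted: both records fall to a single lookup, and identical hashes reveal the shared password.
var_dump(recoverWithTable($unsalted, $lookupTable));   // alice and bob => "letmein"
var_dump($unsalted['alice'] === $unsalted['bob']);     // true

// Salted: the lookup table finds nothing, and equal passwords no longer produce equal hashes.
var_dump(recoverWithTableSalted($salted, $lookupTable)); // empty array
var_dump($salted['alice']['hash'] === $salted['bob']['hash']); // false
```

Note that a salt only removes the shortcut; MD5 itself is fast enough that per-record guessing is still cheap, which is why a deliberately slow password hash (PHP's password_hash(), which salts every record automatically) is the better choice for new code.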

Archived

This topic is now archived and is closed to further replies.
