Jump to content

sql injection

dezkit

By dezkit
in PHP Coding Help

 Share

Recommended Posts

dezkit Advanced Member

dezkit

Posted
Posted

I'm thinking about putting this code into my website, but i was wondering if anybody can tweak the code to make it 100% unhackable.

 

<?php
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

 

Link to comment
Share on other sites
ratcateme Member

ratcateme

Posted
Posted

why do you need to store the password in the session and i have read a few things that say the best way to store a pass is in MD5 hash so if someone can access your database they still can't get your passwords.

and the best form of storage is to md5 them with a salt so even if they crack the hash they still don't know the pass.

 

Scott.

Link to comment
Share on other sites
tibberous Advanced Member

tibberous

Posted
Posted

...so even if they crack the hash they still don't know the pass.

 

The salts are to prevent hackers from using precompiled lookup tables against your database, and to a less extend to prevent them from creating their own. If you add a unique salt to each record records, it means that each password must be solved individually.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.