Cooper94 Posted January 26, 2009

I know I have been asking loads of questions about security and I just wanted to know if this looked security tight. I do know that nothing will ever be 100% but it would help if it was close! Thank You

Code:

```php
<ul><li>
<center><font color="red">
<?php
// Assumes mysql_connect()/mysql_select_db() earlier in the page; mysql_real_escape_string() needs an open connection.
if (isset($_POST['submit'])) {
    // username and password sent from form
    $password  = $_POST['password'];
    $password1 = $_POST['password1'];
    $name      = $_POST['name'];
    $hours     = $_POST['hours'];

    // To protect against MySQL injection (more detail about MySQL injection)
    $password  = mysql_real_escape_string(stripslashes($password));
    $password1 = mysql_real_escape_string(stripslashes($password1));
    $name      = mysql_real_escape_string(stripslashes($name));
    $hours     = mysql_real_escape_string(stripslashes($hours));

    // unsalted md5 of the password is what gets stored
    $enc = md5($password);

    if ($password != $password1) {
        echo "Password Does Not Match";
    } elseif ($name == "") {
        echo "Invalid Name";
    } elseif ((int) $hours > 100) { // compare as a number rather than against the string "100"
        echo "We Do Not Accept Hours Over 100";
    } else {
        $sql = mysql_query("INSERT INTO pilots (name, hours, password) VALUES ('$name','$hours','$enc')");
    }
}
?>
</font></center>
<form name="form1" method="post" action="http://www.republicv.org/site1/job.php?content=app">
<table width="531" height="552" border="0">
  <tr><td colspan="6">Personal Information:</td></tr>
  <tr>
    <td colspan="2"><div align="left">Name:</div></td>
    <td colspan="2"><label><input name="name" type="text" id="name2" value=""></label></td>
    <td width="53">Email:</td>
    <td width="215"><label><input name="email" type="text" id="email" value=""></label></td>
  </tr>
  <tr><td width="48"> </td><td width="56"> </td><td colspan="2"> </td><td> </td><td> </td></tr>
  <tr>
    <td colspan="2">Vatsim ID:</td>
    <td colspan="2"><label><input name="VATSIM_ID" type="text" id="VATSIM_ID" value=""></label></td>
    <td>Location:</td>
    <td><label>
      <select name="location">
        <option value="Afghanistan">Afghanistan</option>
        <!-- (left out the rest) -->
      </select>
    </label></td>
  </tr>
  <tr><td> </td><td> </td><td colspan="2"> </td><td> </td><td> </td></tr>
  <tr><td colspan="6" bgcolor="#ffffff">Virtual Airline Experience:</td></tr>
  <tr>
    <td colspan="2">VA Experience:</td>
    <td width="1"><label></label></td>
    <td width="108"><select name="experience">
      <option value="Yes">Yes</option>
      <option value="No">No</option>
    </select></td>
    <td>Hours:</td>
    <td><label><input type="text" name="hours" /></label></td>
  </tr>
  <tr>
    <td> </td>
    <td rowspan="3"> </td>
    <td colspan="2" rowspan="3"> </td>
    <td rowspan="3"> </td>
    <td rowspan="3"> </td>
  </tr>
  <tr><td>Resume:</td></tr>
  <tr><td> </td></tr>
  <tr>
    <td colspan="6"><label>
      <textarea name="info" cols="40" rows="10" id="info">Include prior Virtual airlines, Talents and why you decided to join the VA</textarea>
    </label><p> </p></td>
  </tr>
  <tr><td colspan="6" bgcolor="#ffffff">Republic Virtual Information:</td></tr>
  <tr>
    <td height="39" colspan="2">Desired Hub:</td>
    <td colspan="4"><label>
      <select name="hub">
        <option value="KPHL">Philadelphia International Airport</option>
        <option value="KDCA">Ronald Reagan National Airport</option>
        <option value="KIND">Indianapolis International Airport</option>
        <option value="KPIT">Pittsburgh International Airport</option>
      </select>
    </label></td>
  </tr>
  <tr>
    <td height="18" colspan="2">Desired Password:</td>
    <td colspan="4"><label><input name="password" type="password" id="password" value=""></label></td>
  </tr>
  <tr>
    <td height="18" colspan="2">Validate Password:</td>
    <td colspan="4"><label><input name="password1" type="password" id="password1" value=""></label></td>
  </tr>
  <tr>
    <td height="18" colspan="2">Age:</td>
    <td colspan="4"><label>
      <select name="age">
        <option value="Below 13">-13</option>
        <option value="Above 13">+13</option>
      </select>
    </label></td>
  </tr>
  <tr><td height="20" colspan="2"> </td><td colspan="4"> </td></tr>
  <tr>
    <td height="20" colspan="2"> </td>
    <td colspan="4"><label><input type="submit" name="submit" title="Submit" id="btnLogin" value="Login" class="button" /></label></td>
  </tr>
</table>
</form>
</li></ul>
```
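A hardened version of the registration handler above, added here as an example and not the original poster's code. It assumes a PDO connection in `$pdo` (created elsewhere with `PDO::ERRMODE_EXCEPTION`) and keeps the `pilots` table columns (name, hours, password) from the post; the 8-character minimum and 64-character name limit are assumed policy values.

```php
<?php
// Added example, not the original poster's code. Assumes a PDO connection in
// $pdo (created elsewhere with PDO::ERRMODE_EXCEPTION) and the "pilots" table
// with the columns name, hours and password from the post above.
function validate_registration(array $post): array
{
    // Returns a list of error strings; an empty list means the input is acceptable.
    $errors = [];
    $name   = trim((string) ($post['name'] ?? ''));
    $hours  = (string) ($post['hours'] ?? '');
    if ($name === '' || mb_strlen($name) > 64) {   // 64 is an assumed limit
        $errors[] = 'Invalid Name';
    }
    // Validate as a whole number before comparing; the original compared against the string "100".
    if (!ctype_digit($hours) || (int) $hours > 100) {
        $errors[] = 'We Do Not Accept Hours Over 100';
    }
    if (($post['password'] ?? '') !== ($post['password1'] ?? '')) {
        $errors[] = 'Password Does Not Match';
    } elseif (strlen((string) ($post['password'] ?? '')) < 8) {   // 8 is an assumed minimum
        $errors[] = 'Password must be at least 8 characters';
    }
    return $errors;
}

function register_pilot(PDO $pdo, array $post): array
{
    $errors = validate_registration($post);
    if ($errors !== []) {
        return $errors;
    }
    // Prepared statement: user input is bound as data and never spliced into the SQL
    // text, so neither mysql_real_escape_string() nor stripslashes() is needed.
    $stmt = $pdo->prepare(
        'INSERT INTO pilots (name, hours, password) VALUES (:name, :hours, :password)'
    );
    $stmt->execute([
        ':name'     => trim((string) $post['name']),
        ':hours'    => (int) $post['hours'],
        // Salted, deliberately slow hash in place of the unsalted md5() used in the post.
        ':password' => password_hash((string) $post['password'], PASSWORD_DEFAULT),
    ]);
    return [];
}

if (isset($_POST['submit'])) {
    foreach (register_pilot($pdo, $_POST) as $error) {
        // Escape on output so an error message can never inject markup into the page.
        echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), '<br>';
    }
}
```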
premiso Posted January 26, 2009

I would suggest against storing the password in the session. Also, mysql_close is not needed. I would also set a unique variable like "loggedin" in the session and use that for verification purposes. If you want to use that in a more secure manner, set a hash to be logged in, maybe the time they logged in and their username, store that in the DB and reference it to verify they are logged in properly.

I would also change your query to be this:

```php
$sql = mysql_query("SELECT name FROM pilots WHERE username='$username' AND password='$enc' LIMIT 1");
```

Limit it by 1 so only that user is returned, and since you are only using "name" from the DB, only return that data to save on processing time etc.

Other than that I would say the security is decent. Better than most.
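A login check built on premiso's advice (a "loggedin" session flag backed by a random token stored in the DB together with the login time), added here as an example and not premiso's or the original poster's code. It assumes a PDO connection in `$pdo`, that `session_start()` has already run, and a `pilots` table with `id`, `name`, `username`, `password` (a `password_hash()` value) plus `session_token` and `last_login` columns that are assumed for this example.

```php
<?php
// Added example, not premiso's or the original poster's code. Assumes a PDO
// connection in $pdo, session_start() already called, and a "pilots" table with
// id, name, username, password (a password_hash() value) plus session_token and
// last_login columns added for this example.
function login(PDO $pdo, string $username, string $password): bool
{
    // Only the needed columns, LIMIT 1, and bound parameters instead of string splicing.
    $stmt = $pdo->prepare('SELECT id, name, password FROM pilots WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks against the stored hash; the plaintext password
    // never enters the query or the session.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // New session id on login, then a random token that is stored (hashed) in the
    // DB with the login time and re-checked on every later request.
    session_regenerate_id(true);
    $token = bin2hex(random_bytes(32));
    $upd = $pdo->prepare('UPDATE pilots SET session_token = :t, last_login = NOW() WHERE id = :id');
    $upd->execute([':t' => hash('sha256', $token), ':id' => $row['id']]);
    $_SESSION['loggedin'] = true;
    $_SESSION['pilot_id'] = $row['id'];
    $_SESSION['token']    = $token;
    $_SESSION['name']     = $row['name'];
    return true;
}
function is_logged_in(PDO $pdo): bool
{
    if (empty($_SESSION['loggedin']) || empty($_SESSION['token']) || empty($_SESSION['pilot_id'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT session_token FROM pilots WHERE id = :id LIMIT 1');
    $stmt->execute([':id' => $_SESSION['pilot_id']]);
    $stored = $stmt->fetchColumn();
    // hash_equals() gives a constant-time comparison of the hashed token.
    return is_string($stored) && hash_equals($stored, hash('sha256', $_SESSION['token']));
}
function logout(PDO $pdo): void
{
    // Clearing the DB copy invalidates the session even if the cookie survives.
    if (!empty($_SESSION['pilot_id'])) {
        $pdo->prepare('UPDATE pilots SET session_token = NULL WHERE id = :id')
            ->execute([':id' => $_SESSION['pilot_id']]);
    }
    $_SESSION = [];
    session_destroy();
}
```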
MadTechie Posted January 26, 2009

stripslashes() isn't needed unless you have magic quotes on:

```php
if (get_magic_quotes_gpc()) {
    $password1 = stripslashes($password1);
}
```

ALSO remember no matter how secure the door is, it's no good if you leave the window open!