Mortenjan Posted February 26, 2009

Is this code safe, or is it easy to inject my database?

```php
<?php
session_start();
// Assumes a mysql_connect() has already been made elsewhere (e.g. in an included config file);
// mysql_real_escape_string() needs an open connection.
$pw = mysql_real_escape_string($_POST['pw']);
$username = mysql_real_escape_string($_POST['username']);
$q = "SELECT * from `admin` where username='" . $username . "' and pw='" . $pw . "'";
$result = mysql_query($q) or die("Could not execute the query: $q." . mysql_error());
if (mysql_num_rows($result) == 0) {
    echo("<title>Error</title><body bgcolor='black' text='red' alink='blue' vlink='blue' link='blue'>
<center><br><br><br>Wrong password or username!<br><br><a href='index.php'>Try again</a></center>
");
} else {
    $r = mysql_fetch_array($result);
    $_SESSION['login_username'] = $r["username"];
    $_SESSION['login_forename'] = $r["forename"];
    Header("Location: main.php");
}
?>
```

Feedback is appreciated.

Regards
Morten

https://forums.phpfreaks.com/topic/147084-safe/
The Little Guy Posted February 26, 2009

It looks safe to me, since you are using mysql_real_escape_string.
Mortenjan (Author) Posted February 26, 2009

Ok, great :) But what about this? Is this safe enough?

```php
session_start();
if ($_SESSION['login_username'] == "") {
    Header("Location: index.php");
} else {
    // ... protected page content ...
}
```
The Little Guy Posted February 26, 2009

I would do it more like this:

```php
session_start();
if (!isset($_SESSION['login_username'])) {
    header("Location: index.php");
    exit;
}
```

You don't really even need that else statement. But what I do to check for that is, I create a session variable and set it to true when the user logs in, then I check like this:

```php
session_start();
if (!$_SESSION['logged']) {
    header("Location: index.php");
    exit;
}
```
samshel Posted February 26, 2009

Using sessions is safe... you can also try:

```php
if (!isset($_SESSION['login_username']) || trim($_SESSION['login_username']) == "")
```
Mortenjan (Author) Posted February 26, 2009

Can you give me an example of how to set the session variable to true?

> I would do it more like this:
>
> ```php
> session_start();
> if (!isset($_SESSION['login_username'])) {
>     header("Location: index.php");
>     exit;
> }
> ```
>
> You don't really even need that else statement. But what I do to check for that is, I create a session variable and set it to true when the user logs in, then I check like this:
>
> ```php
> session_start();
> if (!$_SESSION['logged']) {
>     header("Location: index.php");
>     exit;
> }
> ```
The Little Guy Posted February 26, 2009

On the page where you set your sessions, do this for the last one:

```php
session_start();
$_SESSION['id'] = $row['id'];
$_SESSION['first'] = $row['first'];
$_SESSION['last'] = $row['last'];
$_SESSION['email'] = $row['email'];
// etc. etc.
$_SESSION['logged'] = TRUE;
header("Location: /userHome.php");
exit;
```
Mortenjan (Author) Posted February 26, 2009

Like this?

signin.php

```php
<?php
session_start();
// Assumes a mysql_connect() has already been made elsewhere (e.g. in an included config file);
// mysql_real_escape_string() needs an open connection.
$pw = mysql_real_escape_string($_POST['pw']);
$username = mysql_real_escape_string($_POST['username']);
$q = "SELECT * from `admin` where username='" . $username . "' and pw='" . $pw . "'";
$result = mysql_query($q) or die("Could not execute the query: $q." . mysql_error());
if (mysql_num_rows($result) == 0) {
    echo("<title>Error</title><body bgcolor='black' text='red' alink='blue' vlink='blue' link='blue'>
<center><br><br><br>Wrong password or username!<br><br><a href='index.php'>Try again</a></center>
");
} else {
    $r = mysql_fetch_array($result);
    $_SESSION['login_id'] = $r['id'];
    $_SESSION['login_username'] = $r["username"];
    $_SESSION['login_forename'] = $r["forename"];
    $_SESSION['login_surname'] = $r["surname"];
    $_SESSION['logged'] = TRUE;
    header("Location: main.php");
    exit; // stop the script after the redirect, as recommended above
}
?>
```

validation.php

```php
<?php
session_start();
// empty() is false for an unset key, so no "undefined index" notice when nobody is logged in
if (empty($_SESSION['logged'])) {
    header("Location: index.php");
    exit;
}
?>
```

Thank you for your help so far.

Regards
Morten
The Little Guy Posted February 26, 2009

That looks good to me! If you are logged in, remember to log out before you test it.
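A caveat on the thread's final code: escaping with mysql_real_escape_string() is only reliable when the connection is already open and its character set has been told to PHP with mysql_set_charset(), and the whole mysql_* extension was removed in PHP 7. Independently of injection, the code compares cleartext passwords, keeps the pre-login session id after authentication (session fixation), and in signin.php keeps executing after the redirect header. The following is an added example, not code from the thread, showing the same login and page-guard logic with PDO prepared statements, password_hash()/password_verify(), and session_regenerate_id(). The DB_* constants, the `auth.php` file name and the assumption that the `pw` column holds a password_hash() value are mine, not the thread's.

```php
<?php
// Added example, not code from the thread. Assumed: the hypothetical DB_*
// constants below, and an `admin` table (id, username, pw, forename, surname)
// whose `pw` column stores a password_hash() value rather than cleartext.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // assumption
const DB_USER = 'app';    // assumption
const DB_PASS = 'secret'; // assumption

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
        ]);
    }
    return $pdo;
}

// Hash to store in `admin`.`pw` when creating or changing a password.
function makePasswordHash(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Returns the admin row (without the hash) on success, null on failure.
// User input is bound as a parameter, so it never becomes part of the SQL
// text; the password is not sent to the database at all.
function authenticate(string $username, string $password): ?array
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = db()->prepare(
        'SELECT id, username, pw, forename, surname FROM `admin` WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run exactly one password_verify(), against a dummy hash if the user
    // does not exist, so response time does not reveal which usernames are valid.
    $ok = password_verify($password, $row === false ? $dummyHash : $row['pw']);
    if ($row === false || !$ok) {
        return null;
    }
    unset($row['pw']);
    return $row;
}

// Starts the session with a cookie that scripts cannot read and that is only sent over HTTPS.
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // relax only on a plain-HTTP development box
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Replacement for signin.php.
function handleLogin(): void
{
    startSecureSession();
    $admin = authenticate((string)($_POST['username'] ?? ''), (string)($_POST['pw'] ?? ''));
    if ($admin === null) {
        http_response_code(401);
        echo 'Wrong password or username! <a href="index.php">Try again</a>';
        exit;
    }
    // Fresh session id on login, so an id fixed by an attacker before authentication is useless.
    session_regenerate_id(true);
    $_SESSION['logged']         = true;
    $_SESSION['login_id']       = $admin['id'];
    $_SESSION['login_username'] = $admin['username'];
    $_SESSION['login_forename'] = $admin['forename'];
    $_SESSION['login_surname']  = $admin['surname'];
    header('Location: main.php');
    exit; // without exit, the rest of the script would still run after the redirect
}

// Replacement for validation.php: call at the top of every protected page.
function requireLogin(): void
{
    startSecureSession();
    // empty() is false for an unset key, so no "undefined index" notice.
    if (empty($_SESSION['logged'])) {
        header('Location: index.php');
        exit;
    }
}

// Usage (assumed file name): in signin.php  require 'auth.php'; handleLogin();
//                            in main.php    require 'auth.php'; requireLogin();
```

Existing cleartext rows need a one-off migration that runs makePasswordHash() over each stored password and writes the result back to `pw`; after that the SELECT no longer needs the password in its WHERE clause at all, which is what removes the second injection point the original query had.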
Mortenjan (Author) Posted February 26, 2009

> That looks good to me! If you are logged in, remember to log out before you test it.

You have probably looked up my previous posts, seen what page I've been working on, told me a "reeeally safe" code and deleted my whole database by tomorrow. :O
Mortenjan (Author) Posted February 26, 2009

> That looks good to me! If you are logged in, remember to log out before you test it.

Thanks for your help.