Mortenjan, posted February 26, 2009

Is this code safe, or is it easy to inject my database?

```php
<?php
session_start();
$pw       = mysql_real_escape_string($_POST['pw']);
$username = mysql_real_escape_string($_POST['username']);
$q = "SELECT * from `admin` where username='" . $username . "' and pw='" . $pw . "'";
$result = mysql_query($q) or die("Kunne ikke utføre spørringen : $q." . mysql_error());
if (mysql_num_rows($result) == 0) {
    echo "<title>Feil</title><body bgcolor='black' text='red' alink='blue' vlink='blue' link='blue'>
    <center><br><br><br>Feil passord eller brukernavn!<br><br><a href='index.php'>Prøv igjen</a></center>";
} else {
    $r = mysql_fetch_array($result);
    $_SESSION['login_username'] = $r["username"];
    $_SESSION['login_forename'] = $r["forename"];
    header("Location: main.php");
}
?>
```

Feedback is appreciated.

Regards,
Morten
The Little Guy, posted February 26, 2009

It looks safe to me, since you are using mysql_real_escape_string.
Mortenjan, posted February 26, 2009

Ok, great :) But what about this? Is this safe enough?

```php
session_start();
if ($_SESSION['login_username'] == "") {
    header("Location: index.php");
} else {
    // protected page content follows here
}
```
The Little Guy, posted February 26, 2009

I would do it more like this:

```php
session_start();
if (!isset($_SESSION['login_username'])) {
    header("Location: index.php");
    exit;
}
```

You don't really even need that else statement. But what I do to check for that is, I create a session variable and set it to true when the user logs in, then I check like this:

```php
session_start();
if (!$_SESSION['logged']) {
    header("Location: index.php");
    exit;
}
```
samshel, posted February 26, 2009

Using sessions is safe... you can also try:

```php
if (!isset($_SESSION['login_username']) || trim($_SESSION['login_username']) == "")
```
Mortenjan, posted February 26, 2009

> I would do it more like this:
>
> ```php
> session_start();
> if (!isset($_SESSION['login_username'])) {
>     header("Location: index.php");
>     exit;
> }
> ```
>
> You don't really even need that else statement. But what I do to check for that is, I create a session variable and set it to true when the user logs in, then I check like this:
>
> ```php
> session_start();
> if (!$_SESSION['logged']) {
>     header("Location: index.php");
>     exit;
> }
> ```

Can you give me an example of how to set the session variable to true?
The Little Guy, posted February 26, 2009

On the page where you set your sessions, do this for the last one:

```php
session_start();
$_SESSION['id']    = $row['id'];
$_SESSION['first'] = $row['first'];
$_SESSION['last']  = $row['last'];
$_SESSION['email'] = $row['email'];
// etc. etc.
$_SESSION['logged'] = TRUE;
header("Location: /userHome.php");
exit;
```
Mortenjan, posted February 26, 2009

Like this?

signin.php

```php
<?php
session_start();
$pw       = mysql_real_escape_string($_POST['pw']);
$username = mysql_real_escape_string($_POST['username']);
$q = "SELECT * from `admin` where username='" . $username . "' and pw='" . $pw . "'";
$result = mysql_query($q) or die("Kunne ikke utføre spørringen : $q." . mysql_error());
if (mysql_num_rows($result) == 0) {
    echo "<title>Feil</title><body bgcolor='black' text='red' alink='blue' vlink='blue' link='blue'>
    <center><br><br><br>Feil passord eller brukernavn!<br><br><a href='index.php'>Prøv igjen</a></center>";
} else {
    $r = mysql_fetch_array($result);
    $_SESSION['login_id']       = $r['id'];
    $_SESSION['login_username'] = $r["username"];
    $_SESSION['login_forename'] = $r["forename"];
    $_SESSION['login_surname']  = $r["surname"];
    $_SESSION['logged']         = TRUE;
    header("Location: main.php");
}
?>
```

validation.php

```php
<?php
session_start();
if (!$_SESSION['logged']) {
    header("Location: index.php");
    exit;
}
?>
```

Thank you for your help so far.

Regards,
Morten
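An added example, not code from this thread or its posters, showing the same signin.php and validation.php pair written the way a reviewer would want it today: a PDO prepared statement instead of escaping and string concatenation, a password_hash() value checked with password_verify() instead of a plaintext pw column, and a regenerated session id when the login flag is set. It assumes an `admin` table with columns id, username, forename, surname and pw_hash, and PDO connection details in $dsn, $dbUser and $dbPass; all of these are assumptions.

```php
<?php
// signin.php (added example). Assumed: table `admin` with id, username,
// forename, surname, pw_hash (created with password_hash()), and $dsn,
// $dbUser, $dbPass already defined for the PDO connection.
session_start();

$username = $_POST['username'] ?? '';
$pw       = $_POST['pw'] ?? '';

$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepared statements
]);

// Binding the value keeps user input out of the SQL text entirely, so no
// escaping step (and no connection-charset dependency) is involved.
$stmt = $pdo->prepare(
    'SELECT id, username, forename, surname, pw_hash FROM admin WHERE username = :u'
);
$stmt->execute([':u' => $username]);
$r = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare against the stored hash rather than a plaintext password column.
if ($r === false || !password_verify($pw, $r['pw_hash'])) {
    // Same response for unknown user and wrong password.
    http_response_code(401);
    echo "Feil passord eller brukernavn! <a href='index.php'>Prøv igjen</a>";
    exit;
}

session_regenerate_id(true);  // fresh session id once the user is authenticated
$_SESSION['login_id']       = $r['id'];
$_SESSION['login_username'] = $r['username'];
$_SESSION['login_forename'] = $r['forename'];
$_SESSION['login_surname']  = $r['surname'];
$_SESSION['logged']         = true;
header('Location: main.php');
exit;  // nothing below the redirect may run

// validation.php (added example), included at the top of every protected page.
// empty() treats a missing key and a false value the same way, with no notice.
session_start();
if (empty($_SESSION['logged'])) {
    header('Location: index.php');
    exit;
}
```

The two files are shown in one block for reading; in practice they are separate scripts, and the account creation step stores `password_hash($pw, PASSWORD_DEFAULT)` in pw_hash.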
The Little Guy, posted February 26, 2009

That looks good to me! If you are logged in, remember to log out before you test it.
Mortenjan, posted February 26, 2009

> That looks good to me! If you are logged in, remember to log out before you test it.

You have probably looked up my previous posts, seen what page I've been working on, told me a "reeeally safe" code and deleted my whole database by tomorrow. :O
Mortenjan, posted February 26, 2009

> That looks good to me! If you are logged in, remember to log out before you test it.

Thanks for your help.