Security Advice Please

[stackumhi]

I am trying to make my login form safe(er). Is this the correct way to do this?

 

My function:

 

function safedata($value){
   return mysql_real_escape_string(trim($value));
}

 

My login script:

 

<?php
$_SESSION['username'] = 0;

if(isset($_POST['username'])){
$username = safedata($_POST[username]);
$password= safedata($_POST[password]);
$password = sha1("$password");

$result = mysql_num_rows(mysql_query("SELECT * FROM ADMINS WHERE email='$username' AND password='$password'"));
if($result == 1){	

	$_SESSION['username'] = 1;
?>

<script> window.location="main.php";</script>

<?
}
else{
	echo '<strong style="color:Red">Login invalid! Please try again.</strong>';
}
}

?>

[stackumhi]

I guess since none of this information is being sent to the database it does not need to be cleaned?

 

Is the method sound for forms that DO send data to the DB?

[ozestretch]

I guess since none of this information is being sent to the database it does not need to be cleaned?

 

Even though it is not being inserted into the database, it is in the query itself... which is where an injection occurs!

 

Is a common mistake to think that, but must make sure it is always made safe® when using in the query.

 

What you have is safe.... and can do more to make it safe®, just depends where you want to draw the line.

 

function safedata($variable ){

$variable = htmlentities($variable, ENT_QUOTES);
     if (get_magic_quotes_gpc()) {
        $variable = stripslashes($variable); 
     }
  $variable = mysql_real_escape_string(trim($variable)); 
  $variable = strip_tags($variable); 
  $variable = str_replace("\r\n", "", $variable); 
return $variable;
}