Penaf Posted March 15, 2010

Hello People, I'm not an expert programmer and I need all the help I can get to have this done the best way possible. I want to make the most secure login system and content submission to a MySQL database possible. I rely on a file I called motor.php to do all the work with the DB, and here I need serious refactoring (I guess!) ... then I have a basic functions.php (from this file I only put 1 function here ... to get your opinion about it) and a connect.php. So ... if you guys can help me ... thanks A LOT!

functions.php

```php
<?php
// Runs every user-supplied string through four transformations before it is used.
function clean($string){
    $string = addslashes($string);       // backslash-escape quotes and backslashes
    $string = strip_tags($string);       // drop HTML/PHP tags
    $string = htmlspecialchars($string); // encode &, <, > and double quotes
    $string = trim($string);             // remove surrounding whitespace
    return $string;
}
?>
```

connect.php

```php
<?php
$host = "localhost";  // default
$mysql_user = "XXX";  // mysql username
$mysql_pass = "XXX";  // mysql password
$mysql_db = "XXX";    // mysql database
@mysql_connect($host,$mysql_user,$mysql_pass) or die("Could not connect to MySQL<br />".mysql_error());
@mysql_select_db($mysql_db) or die("Could not connect to MySQL database $mysql_db");
// Protection against SQL injection for every POST and GET variable
foreach ($_POST as $key => $value) { $_POST[$key] = mysql_real_escape_string($value); }
foreach ($_GET as $key => $value) { $_GET[$key] = mysql_real_escape_string($value); }
?>
```

motor.php ... help needed here ... I always feel something is missing!

```php
<?php
ob_start();
require('connect.php');
include('functions.php');
$act = isset($_GET['act']) ? $_GET['act'] : '';

if ($act == "adduser") {
    $user = clean($_POST['user']);
    $pass = md5(clean($_POST['pass']));
    $nome = clean($_POST['nome']);
    $sql = "INSERT INTO users(user, pass, nome) VALUES('$user', '$pass', '$nome')";
    $result = mysql_query($sql);
    if($result){
        echo "Sucesso!";
        echo "<meta http-equiv='refresh' content='3;url=utilizadores.php'>";
    }else{
        echo " Insucesso!";
    }
    mysql_close();
} elseif ($act == "deluser") {
    // This branch uses the raw POST value; it relies only on the escaping done in connect.php.
    $user = $_POST['user'];
    $sql = "DELETE FROM users WHERE user='$user'";
    $result = mysql_query($sql);
    if($result){
        echo "Sucesso!";
        echo "<meta http-equiv='refresh' content='3;url=utilizadores.php'>";
    }else{
        echo " Insucesso!";
    }
    mysql_close();
} elseif ($act == "loginerro" || $act == "logindel"){
    setcookie("user", "erro", time()+3600);
    echo "<meta http-equiv='refresh' content='3;url=utilizadores.php'>";
} elseif ($act == "authuser") {
    $user = clean($_POST['user']);
    $pass = md5(clean($_POST['pass']));
    $usercookie = $user;
    $sql = "SELECT * FROM `users` WHERE `user` = '$user' AND `pass` = '$pass' LIMIT 1";
    $result = mysql_query($sql);
    if(!mysql_num_rows($result)){
        echo "Nome de utilizador ou password errados!";
        setcookie("user", "erro", time()+3600);
        die();
    }else{
        echo "Login Válido";
        // The username in this cookie is what the other pages treat as "logged in".
        setcookie("user", $usercookie, time()+3600);
        echo "<meta http-equiv='refresh' content='3;url=utilizadores.php'>";
        // Record the login in the logentrada table
        $logdate = date("Y-m-d");
        $logtime = date("h:i:s");
        $logip = $_SERVER['REMOTE_ADDR'];
        $loghost = $_SERVER['HTTP_HOST'];
        $logentrada = mysql_query("INSERT INTO logentrada (loguser, logdate, logtime, logip, loghost) VALUES ('$user', '$logdate', '$logtime', '$logip', '$loghost')");
        if(!$logentrada) die('Database error (logentrada): ' . mysql_error());
        mysql_close();
    }
} elseif ($act == "addcontent") {
    // Content fields are not passed through clean(); only connect.php's escaping applies.
    $titulo = $_POST['titulo'];
    $conteudo = $_POST['conteudo'];
    $tipo = $_POST['tipo'];
    $user = $_POST['autor'];
    $imagem = $_POST['imagem'];
    $data = $_POST['data'];
    $hora = $_POST['hora'];
    $sql = "INSERT INTO content(titulo, conteudo, tipo, autor, imagem, data, hora) VALUES('$titulo', '$conteudo', '$tipo', '$user', '$imagem', '$data', '$hora')";
    $result = mysql_query($sql);
    if($result){
        echo "Sucesso!";
        echo "<meta http-equiv='refresh' content='3;url=utilizadores.php'>";
    }else{
        echo " Insucesso!";
    }
    mysql_close();
} elseif (empty($act)) {
    echo "Não há nada aqui para ver!";
}
ob_flush();
?>
```
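The two things motor.php is missing are already visible in its "adduser" and "authuser" branches: the values are concatenated into the SQL text (so the whole scheme rests on escaping being applied correctly everywhere), the password is stored as an unsalted md5(), and the "logged in" state is a cookie containing the username, which any visitor can set by hand. The following is an added example, not Penaf's code, showing those three branches rebuilt on prepared statements, password_hash()/password_verify() and a server-side session marker. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table and column names are the thread's, the function names (open_db, add_user, auth_user, log_login) are assumptions for this example.

```php
<?php
// Added example, not the thread's motor.php. Same tables as the thread (users,
// logentrada), but values are bound as parameters and passwords are hashed.

function open_db(): PDO {
    // In production the DSN would be "mysql:host=...;dbname=..." with the same code below.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT NOT NULL, nome TEXT)');
    $db->exec('CREATE TABLE logentrada (loguser TEXT, logdate TEXT, logtime TEXT, logip TEXT, loghost TEXT)');
    return $db;
}

function add_user(PDO $db, string $user, string $pass, string $nome): bool {
    // Placeholders keep the values out of the SQL text, so a quote in $user or
    // $nome can never change the statement; no clean()/addslashes() is needed.
    $stmt = $db->prepare('INSERT INTO users (user, pass, nome) VALUES (:user, :pass, :nome)');
    return $stmt->execute([
        ':user' => $user,
        ':pass' => password_hash($pass, PASSWORD_DEFAULT), // salted bcrypt, not md5()
        ':nome' => $nome,
    ]);
}

function auth_user(PDO $db, string $user, string $pass): bool {
    // A throwaway hash, computed once, so an unknown username costs the same
    // time as a wrong password (no "user exists" timing signal).
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    // Look the user up by name only; the password is checked in PHP, so the
    // hash never appears in the WHERE clause.
    $stmt = $db->prepare('SELECT pass FROM users WHERE user = :user LIMIT 1');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($pass, $dummy_hash);
        return false;
    }
    return password_verify($pass, $row['pass']);
}

function log_login(PDO $db, string $user, string $ip, string $host): void {
    // Same columns as the thread's logentrada insert, bound instead of interpolated.
    $stmt = $db->prepare('INSERT INTO logentrada (loguser, logdate, logtime, logip, loghost)
                          VALUES (:u, :d, :t, :ip, :h)');
    $stmt->execute([
        ':u' => $user, ':d' => date('Y-m-d'), ':t' => date('H:i:s'), ':ip' => $ip, ':h' => $host,
    ]);
}

function login(PDO $db, string $user, string $pass, string $ip, string $host): bool {
    if (!auth_user($db, $user, $pass)) {
        return false;
    }
    log_login($db, $user, $ip, $host);
    // Instead of setcookie("user", $user, ...): keep the marker server-side.
    // The browser only ever holds the opaque session id.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
    }
    return true;
}

// Stand-alone demonstration with constructed input (no web request involved).
$db = open_db();
add_user($db, 'penaf', 'correct horse battery', 'Penaf');

var_dump(login($db, 'penaf', 'correct horse battery', '127.0.0.1', 'example.test'));
var_dump(login($db, 'penaf', 'wrong password', '127.0.0.1', 'example.test'));
// A quote in the username is just a username that does not exist:
var_dump(login($db, "penaf' --", 'correct horse battery', '127.0.0.1', 'example.test'));
var_dump($db->query('SELECT COUNT(*) FROM logentrada')->fetchColumn()); // one successful login logged
```

The session branch is inert under the CLI (no session is active), which is what lets the script run as a plain demonstration; in the real motor.php, session_start() would run before the login check and utilizadores.php would test $_SESSION['user'] rather than the "user" cookie.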
Wolphie Posted March 15, 2010

```php
<?php
function sanitize($input) {
    // get_magic_quotes_gpc() reports whether PHP already added slashes to request data
    // (the setting was removed in PHP 5.4 and the function itself in PHP 8.0).
    if (get_magic_quotes_gpc()) {
        $input = stripslashes($input);
    } else {
        $input = strip_tags($input);
        $input = htmlspecialchars($input);
        $input = trim($input);
    }
    // Escape for the open MySQL connection's character set before use in a query.
    return mysql_real_escape_string($input);
}
?>
```

That's generally what I use to completely sanitise a string.
Penaf Posted March 15, 2010 (Author)

Seems nice, Wolphie ... but is it better?
Wolphie Posted March 15, 2010

Yes, since with my code you're checking to see if magic_quotes_gpc() is enabled, and if so remove the slashes. I'm also using mysql_real_escape_string() to escape any possible malicious code.
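Both clean() and sanitize() apply HTML encoding, tag stripping and quote escaping at input time and store the result. That mixes three contexts (SQL, HTML, plain text) into one string and the data is changed before it is stored, so legitimate input is mangled and anything later displayed with htmlspecialchars() is encoded twice. The added example below (not code from either poster) reproduces the thread's clean() chain with explicit flags so the output is the same on every PHP version, and puts it beside the alternative: keep the raw value, bind it as a query parameter (as in the PDO example above the thread's motor.php), and encode it for HTML only at output. The sample strings are constructed for the demonstration.

```php
<?php
// Added example, not Penaf's or Wolphie's code. Shows why "sanitise everything
// on the way in" is lossy and context-blind, versus encoding at output time.

// The thread's clean() chain, with ENT_QUOTES/UTF-8 made explicit.
function legacy_clean(string $s): string {
    $s = addslashes($s);
    $s = strip_tags($s);
    $s = htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return trim($s);
}

// Output-side encoding: the raw string is stored unchanged (via a bound
// parameter) and converted for the HTML context at the moment it is displayed.
function render_html(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// The same raw value placed inside a <script> block needs a different encoder;
// an input-time transform cannot know which one will be needed.
function render_js_string(string $raw): string {
    return json_encode($raw, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
}

// Constructed inputs: a legitimate apostrophe, an ampersand with markup, and double quotes.
$samples = [
    "O'Reilly",
    'AT&T <b>rocks</b>',
    'say "hi"',
];

foreach ($samples as $raw) {
    $stored = legacy_clean($raw);
    printf("raw:       %s\n", $raw);
    printf("stored:    %s\n", $stored);               // what clean() writes to the table
    printf("displayed: %s\n", render_html($stored));  // stored value shown through htmlspecialchars(): encoded twice
    printf("correct:   %s\n", render_html($raw));     // raw value encoded once, at output
    printf("in JS:     %s\n\n", render_js_string($raw));
}
```

Running it shows "O'Reilly" stored as O\&#039;Reilly (a backslash from addslashes() plus an entity from htmlspecialchars()), and "AT&T" stored as AT&amp;T and then displayed as AT&amp;amp;T. Neither transformation has anything to do with SQL injection, which the bound parameter already prevents; the injection defence and the display encoding are separate concerns and belong in separate places.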