TekZen Posted March 15, 2010

Hi, Myself and a friend are working on a site and we haven't done any PHP before, but for some strange reason we chose to do it in PHP. Below is the login script. I was hoping for some suggestions or feedback on how secure/not secure it is against attack? Also, what would be the best method for guarding against a brute force attack? (best way to limit login attempts)

```php
<?php
session_start();

// Connect to the database (connect.php opens the MSSQL link and selects the DB).
include('connect.php');

// Read the submitted credentials; default to empty strings if a field is missing.
$login    = isset($_POST['login'])    ? $_POST['login']    : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// Escape single quotes by doubling them (the T-SQL string-literal escape),
// then hash the password with md5 before it is compared with the stored value.
$login    = str_replace("'", "''", $login);
$password = str_replace("'", "''", $password);
$password = md5($password);

// Strip HTML tags and backslashes from both values.
$login    = stripslashes(strip_tags($login));
$password = stripslashes(strip_tags($password));

// Build the lookup query by interpolating the escaped values into the SQL text.
$query  = "SELECT * ";
$query .= "FROM Customers ";
$query .= "WHERE Username = '$login' AND Password = '$password'";

// Execute the query. mssql_query() returns false (and emits a warning) on error;
// it never throws, so the result has to be checked explicitly.
$result = mssql_query($query);
if ($result === false) {
    echo 'Login Failed. Please try again.';
    exit;
}

// A matching row means the credentials were accepted: populate the session and redirect.
if ($row = mssql_fetch_object($result)) {
    $_SESSION['SESS_Participent_ID'] = $row->Memberz_ID;
    $_SESSION['SESS_Business']       = $row->Businesses_ID;
    $_SESSION['SESS_FIRST_NAME']     = $row->firstnamez;
    $_SESSION['SESS_LAST_NAME']      = $row->lastnamez;
    header("Location: member-index.php");
    exit; // stop executing once the redirect header has been sent
} else {
    header("Location: login-failed.php");
    exit;
}
?>
```
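Added example, not TekZen's code: the same login flow rewritten the way a reviewer would suggest it, with a PDO prepared statement so the submitted values never become part of the SQL text, `password_verify()` against a `password_hash()` value stored in the `Password` column instead of md5, and a per-username failure counter that limits login attempts. Assumptions made up for this example: `connect.php` provides a PDO object `$pdo` (sqlsrv driver), and a `login_attempts(username, failures, last_failed_at)` table exists.

```php
<?php
session_start();
require 'connect.php';                 // assumed to define $pdo (PDO, sqlsrv driver)
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

const MAX_FAILURES    = 5;             // lockout threshold (assumed policy)
const LOCKOUT_SECONDS = 900;           // 15-minute lockout window (assumed policy)

$login    = $_POST['login']    ?? '';
$password = $_POST['password'] ?? '';

try {
    // Throttle: refuse the attempt if this username has failed too often recently.
    $st = $pdo->prepare('SELECT failures, last_failed_at FROM login_attempts WHERE username = ?');
    $st->execute([$login]);
    $att = $st->fetch(PDO::FETCH_ASSOC);
    if ($att && $att['failures'] >= MAX_FAILURES
        && time() - strtotime($att['last_failed_at']) < LOCKOUT_SECONDS) {
        header('Location: login-failed.php');
        exit;
    }

    // Parameterised lookup: $login is bound as data, never spliced into the query string.
    $st = $pdo->prepare('SELECT Memberz_ID, Businesses_ID, firstnamez, lastnamez, Password '
                      . 'FROM Customers WHERE Username = ?');
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_OBJ);

    // Password column is assumed to hold a password_hash() string. Verify against a
    // dummy hash when the user is unknown so response time does not reveal valid usernames.
    $hash = $row ? $row->Password : password_hash('dummy', PASSWORD_DEFAULT);
    if (password_verify($password, $hash) && $row) {
        $pdo->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$login]);
        session_regenerate_id(true);   // new session id on privilege change (anti-fixation)
        $_SESSION['SESS_Participent_ID'] = $row->Memberz_ID;
        $_SESSION['SESS_Business']       = $row->Businesses_ID;
        $_SESSION['SESS_FIRST_NAME']     = $row->firstnamez;
        $_SESSION['SESS_LAST_NAME']      = $row->lastnamez;
        header('Location: member-index.php');
        exit;
    }

    // Record the failure: bump the counter, or create the row on the first failure.
    $upd = $pdo->prepare('UPDATE login_attempts SET failures = failures + 1, '
                       . 'last_failed_at = GETDATE() WHERE username = ?');
    $upd->execute([$login]);
    if ($upd->rowCount() === 0) {
        $pdo->prepare('INSERT INTO login_attempts (username, failures, last_failed_at) '
                    . 'VALUES (?, 1, GETDATE())')->execute([$login]);
    }
    header('Location: login-failed.php');
    exit;
} catch (PDOException $e) {
    error_log($e->getMessage());       // details go to the server log, not to the user
    echo 'Login failed. Please try again.';
}
```

The per-username counter stops password guessing against one account; a per-source-IP counter or a CAPTCHA after a few failures is the usual complement against spraying many usernames.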