Patte12 Posted August 30, 2012
Hi. I have a third-party application that needs to know if a login succeeded. I send the username and password to PHP and then PHP checks in MySQL to see if it exists; if it exists then I simply use this "die("L-S");" to let my third-party application know that the login succeeded. Now my question is, is this safe? Or is there another way of doing this? I'm worried that a person could just manipulate the PHP file to "die("L-S");" or something.
gristoi Posted August 30, 2012
Seeing as your PHP script is stored on the server, if someone has the ability to alter your script then this is the least of your worries.
Christian F. Posted August 30, 2012
Your biggest concern in this situation is SQL injections and HTML injections, as well as securely storing your users' passwords. That's why I strongly recommend that you read this article about secure login systems, and preferably use the class (PHPpass) instead of trying to write your own code for this.
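The SQL injection and password storage points from the post above, as an added example that is not part of the original thread. It swaps in PHP's built-in `password_hash()`/`password_verify()` rather than the PHPass class the post recommends; the `users` table, its columns, the `check_login()` helper and the `L-F` failure string are assumptions, and the sample account is constructed.

```php
<?php
// Added example, not code from the thread. Names below are hypothetical.

// Hash used only to spend comparable time when the username is unknown.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// Returns true only if the user exists and the password matches the stored hash.
function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text, so quotes in
    // $username are data and cannot change the structure of the query.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: verify against the dummy hash so both failure paths
        // do similar work, then reject.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // Only a salted hash is stored, never the password itself.
    return password_verify($password, $hash);
}

// Constructed demo data in an in-memory SQLite database. The thread uses
// MySQL; with PDO only the DSN and credentials would differ.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],   // valid credentials
    ['alice', 'wrong'],           // wrong password
    ["alice' OR '1'='1", 'x'],    // quote characters are treated as a literal name
];
foreach ($attempts as [$user, $pass]) {
    // "L-S" is the success marker from the original post; "L-F" is assumed.
    echo check_login($db, $user, $pass) ? "L-S\n" : "L-F\n";
}
```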
xyph Posted August 30, 2012
Is this all done locally? Why not simply skip the PHP middle-man?
Christian F. Posted August 30, 2012
Scratch my previous post, well.. Not completely, you still have to worry about SQL injections. However, as xyph pointed out (and I didn't notice earlier), you should indeed skip the middle-man. Have your application check directly. Otherwise, what's to stop anyone from simply replacing the PHP script or manually inputting the correct string to fool the application?