priyanka
Posted October 24, 2013

Hi,

I am using the following code in a login form:

    <td><input type="hidden" name="txtURL" value="<?=$_GET['url']?>"><input name="submit" type="submit" value="Submit" class="button" />
    <input id="reset" name="reset" type="reset" value="Reset" class="button" /></td>

but a code checker software says that it has security issues in <?=$_GET

I have one more form for the login check; there I wrote

    if(!isset($result['evoId'])){
        header('Location: login.php?action=invalid');

The software gives an error in "IF", and I used this in the login check:

    if($txtURL=='reverse'){
        header('Location: ABC=');
    }else{
        header('Location: index.php');

It gives an error in "if($tx"

Please help and suggest.

Priyanka

Rifts
Posted October 24, 2013

You need to sanitize $_GET['url'] because it might contain malicious code.

You could do something like this

    function clean_data($input) {
        $input = trim(htmlentities(strip_tags($input,",")));
        if (get_magic_quotes_gpc())
            $input = stripslashes($input);
        $input = mysql_real_escape_string($input);
        return $input;
    }

then you could do this

    <input type="hidden" name="txtURL" value="<?=clean_data($_GET['url'])?>">

priyanka
Posted October 24, 2013

Hi Rifts, thanks for the reply. Is it possible for you to suggest a PHP programmer, as I need to get some more issues of a similar type fixed?

alpine
Posted October 24, 2013 (edited)

I would recommend cleaning all data after the form is submitted, not before.

    if(isset($_POST['submit'])){
        foreach($_POST as $k => $v){
            ${$k} = some_safeclean_function($v);
        }
        // input name 'myinput' is now clean as $myinput along with all the other posted inputs
    }

Edited October 24, 2013 by alpine
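
An added example, not code from any poster in this thread: the two places the checker flagged handle the same value in two different contexts, so each gets its own control. The value echoed into the hidden field is encoded for an HTML attribute, and the redirect is chosen from a fixed allow-list instead of from the submitted text. The function names and the 'reverse.php' target are hypothetical (the thread does not show the real destination), and PHP 7 or later is assumed.

```php
<?php
// Added example; function names and 'reverse.php' are hypothetical.

// Read one request field as a string. Missing fields and array-valued
// fields (e.g. ?url[]=x) become '' instead of raising a notice or TypeError.
function field(array $source, string $name): string
{
    $value = $source[$name] ?? '';
    return is_string($value) ? trim($value) : '';
}

// Encode a value for output inside an HTML attribute or element body.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Login form: build the hidden field from $_GET-style input.
function hidden_url_field(array $get): string
{
    return '<input type="hidden" name="txtURL" value="' . e(field($get, 'url')) . '">';
}

// Login check: map the submitted token to a fixed location.
// Anything not in the list falls back to index.php.
function redirect_target(array $post): string
{
    $allowed = [
        'reverse' => 'reverse.php', // hypothetical destination
    ];
    return $allowed[field($post, 'txtURL')] ?? 'index.php';
}

// Constructed sample inputs, run from the command line to see both controls.
$samples = ['reverse', '"><b>constructed</b>', ['nested'], 'http://example.invalid/'];
foreach ($samples as $sample) {
    echo hidden_url_field(['url' => $sample]), "\n";
    echo 'Location: ', redirect_target(['txtURL' => $sample]), "\n\n";
}

// In the real login-check script the result is sent and the script stops:
//     header('Location: ' . redirect_target($_POST));
//     exit;
```

Database escaping is a separate, third context; it belongs at the query (prepared statements), not in the function that prepares values for HTML output.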