samowns Posted March 16, 2017 Share Posted March 16, 2017 Hello guys am using mysql . login admin panel works fine .but when i use password=1' or '1' = '1 its also working some one please help me i want to safe admin panel here is my code if(isset($_POST['sb'])) { $result = mysql_query("SELECT * FROM admin WHERE eml='" . $_POST["eml"] . "' and pass= '". $_POST["pass"]."'"); $row = mysql_fetch_array($result); if(is_array($row)) { $_SESSION["eml"] = $row['eml']; hash($_SESSION["pass"] = $row['pass']; } else { $message = "<font color='#FF0000'>"."Invalid Username or Password!"."</font>"; } } if(isset($_SESSION["eml"])) { header("Location:./useradmin.php"); } Quote Link to comment Share on other sites More sharing options...
NigelRel3 Posted March 16, 2017 Share Posted March 16, 2017 Firstly - you should be using either mysqli or PDO - mysql_query is outdated and should be your first thing to remove. The main thing about SQL injection is to not directly put the user entered string into a SQL statement, both mysqli and PDO support bind variables. This allow the statement to have a place holder and effectively the value is linked to the statement in such a way as to stop SQL injection attacks. Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted March 16, 2017 Share Posted March 16, 2017 Before you implement admin panels, I suggest you learn PHP. Almost every line of the code you've shown is insecure, outdated or plain wrong. You've actually been told all that back in 2015. And you still haven't improved the code one bit. This makes me wonder how seriously you take your project. Quote Link to comment Share on other sites More sharing options...
Psycho Posted March 16, 2017 Share Posted March 16, 2017 (edited) I agree with Jacques1. You really need to put some time into learning better practices. This is all very basic stuff. But, I'll be very generous and point out some of the problems. 1. Do not use the mysql_ extensions. They are no longer supported. You should be using mysqli_ or, better yet, PDO for database operations. 2. You should be using prepared statements for your queries with placeholders for any variable values in the query. This will prevent SQL injection (such as you are having). NEVER put user entered data directly into a query 3. You appear to be storing the password as plain text. Could you please provide me a list of any websites that you work on now and in the future so I can be sure to never sign up on them? </sarcasm>. You need to store the password as a hash. Then at login, hash the user input password and compare it to the stored hash. Do not use a simple MD5() or other hash. Use the built in PHP functions [password_hash() and password_verify()] or a properly vetted framework such as phpass. 4. I don't even know what this line is supposed to do. It should produce an error and even if it didn't the intent is unclear. I think you are trying to store a session value related to the password. There is no good reason to do this. hash($_SESSION["pass"] = $row['pass']; //<== Where's the closing paren??? 5. The is_array() check is meaningless. An empty result set would still return an (empty) array. You shoudl instead check if there was a record returned, Here is a resource to get you started on using the PDO extension and prepare queries: https://phpdelusions.net/pdo Edited March 16, 2017 by Psycho Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.