Jump to content

Help to safe admin panel


samowns

Recommended Posts

Hello guys am using mysql .  login admin panel works fine .but when i use password=1' or '1' = '1 its also working some one please help me i want to safe admin panel here is my code 

if(isset($_POST['sb']))
{

$result = mysql_query("SELECT * FROM admin WHERE eml='" . $_POST["eml"] . "' and pass= '". $_POST["pass"]."'");
$row  = mysql_fetch_array($result);
if(is_array($row)) {
$_SESSION["eml"] = $row['eml'];
hash($_SESSION["pass"] = $row['pass'];

} else {
$message = "<font color='#FF0000'>"."Invalid Username or Password!"."</font>";
}
}
if(isset($_SESSION["eml"])) {
header("Location:./useradmin.php");
}

Link to comment
Share on other sites

Firstly - you should be using either mysqli or PDO - mysql_query is outdated and should be your first thing to remove.

 

The main thing about SQL injection is to not directly put the user entered string into a SQL statement, both mysqli and PDO support bind variables.  This allow the statement to have a place holder and effectively the value is linked to the statement in such a way as to stop SQL injection attacks.

Link to comment
Share on other sites

I agree with Jacques1. You really need to put some time into learning better practices. This is all very basic stuff. But, I'll be very generous and point out some of the problems.

 

1. Do not use the mysql_ extensions. They are no longer supported. You should be using mysqli_ or, better yet, PDO for database operations.

 

2. You should be using prepared statements for your queries with placeholders for any variable values in the query. This will prevent SQL injection (such as you are having). NEVER put user entered data directly into a query

 

3. You appear to be storing the password as plain text. Could you please provide me a list of any websites that you work on now and in the future so I can be sure to never sign up on them? </sarcasm>. You need to store the password as a hash. Then at login, hash the user input password and compare it to the stored hash. Do not use a simple MD5() or other hash. Use the built in PHP functions [password_hash() and password_verify()] or a properly vetted framework such as phpass.

 

4. I don't even know what this line is supposed to do. It should produce an error and even if it didn't the intent is unclear. I think you are trying to store a session value related to the password. There is no good reason to do this.

hash($_SESSION["pass"] = $row['pass']; //<== Where's the closing paren???

5. The is_array() check is meaningless. An empty result set would still return an (empty) array. You shoudl instead check if there was a record returned,

 

Here is a resource to get you started on using the PDO extension and prepare queries: https://phpdelusions.net/pdo

Edited by Psycho
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.