nitiphone2021 Posted February 8, 2021

I created a login form for my system and I'm not sure that it's enough for security to protect my website?

```php
<?php
include("database.php");
session_start();

if($_SERVER["REQUEST_METHOD"] == "POST") {
    // username and password sent from form
    $stmt = $conn->prepare("SELECT Sale_ID FROM tb_sales WHERE Login_Name = ? AND Login_Password = ? LIMIT 1");
    $stmt->bind_param("ss", $_POST['username'], $_POST['password']);
    $stmt->execute();
    $res = $stmt->get_result();
    $count = mysqli_num_rows($res);

    if($count == 1) {
        // session_register("myusername");
        $_SESSION['login_user'] = $_POST['username'];
        echo "Login Succcess";
        //header("location: index.php");
    }else {
        echo "Your Login Name or Password is invalid";
    }
}
```

requinix Posted February 8, 2021

1. $_POST data can't be trusted, not just inside of SQL queries but also inside of $_SESSION.
2. You are not using remotely acceptable password practices. Learn about password hashing using password_hash() and password_verify().
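
Added example, not part of either post: one way the login check could use password_verify() as the reply suggests, keeping the thread's table and column names. It assumes Login_Password holds password_hash() output; verify_login(), find_account() and the sale_id session key are hypothetical names.

```php
<?php
// Added example (not from the thread). Assumes tb_sales.Login_Password holds
// password_hash() output and that database.php defines the mysqli handle $conn.

// Returns the account's Sale_ID when the password matches its stored hash, else null.
function verify_login(?array $row, string $password): ?int
{
    if ($row === null || !password_verify($password, $row['Login_Password'])) {
        return null;
    }
    return (int) $row['Sale_ID'];
}

// Look the account up by login name only; the password never goes into the SQL.
function find_account(mysqli $conn, string $loginName): ?array
{
    $stmt = $conn->prepare(
        "SELECT Sale_ID, Login_Password FROM tb_sales WHERE Login_Name = ? LIMIT 1"
    );
    $stmt->bind_param("s", $loginName);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

if (PHP_SAPI === 'cli') {
    // Offline check with a constructed row (no database needed).
    $row = ['Sale_ID' => 7, 'Login_Password' => password_hash('s3cret-demo', PASSWORD_DEFAULT)];
    var_dump(verify_login($row, 's3cret-demo'));
    var_dump(verify_login($row, 'wrong'));
    var_dump(verify_login(null, 's3cret-demo'));
    exit;
}

include("database.php");
session_start();
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    $saleId = null;
    // Reject array-valued parameters such as username[]=x before using them.
    if (is_string($username) && is_string($password)) {
        $saleId = verify_login(find_account($conn, $username), $password);
    }
    if ($saleId !== null) {
        session_regenerate_id(true);     // new session ID at the privilege change
        $_SESSION['sale_id'] = $saleId;  // value read from the database, not $_POST
        echo "Login Success";
    } else {
        echo "Your Login Name or Password is invalid";
    }
}
```

Existing rows would need their passwords re-stored with password_hash() before this check can succeed for them.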