genics Posted March 28, 2007 Share Posted March 28, 2007 hi folks, I've created a login/session script using a tutorial I dug out of somewhere. Anyway, here's my script: <?php session_start(); $errorMessage = ''; if (isset($_POST['username']) && isset($_POST['password'])) { include('dbconnect.php'); $username = $_POST['username']; $password = $_POST['password']; $sql = "SELECT user_id FROM auth_user WHERE user_id = '$username' AND user_password = '$password'"; $result = mysql_query($sql) or die('Query failed. ' . mysql_error()); if (mysql_num_rows($result) == 1) { // Start Session $_SESSION['logged_in'] = true; header('Location: index.php'); exit; } else { $errorMessage = 'Login Incorrect'; } include('dbdisconnect.php'); } ?> My table is a simple 2 column table: user_id | varchar | 10 | Primary Key user_password | varchar | 32 Is there anyway to make this any more secure? Or is this fine? Quote Link to comment https://forums.phpfreaks.com/topic/44705-solved-is-this-weak/ Share on other sites More sharing options...
cmgmyr Posted March 28, 2007 Share Posted March 28, 2007 You should probably also do something like this too: $safe_username = mysql_real_escape_string($_POST['username']); $safe_password = mysql_real_escape_string($_POST['password']); Quote Link to comment https://forums.phpfreaks.com/topic/44705-solved-is-this-weak/#findComment-217075 Share on other sites More sharing options...
genics Posted March 28, 2007 Author Share Posted March 28, 2007 Thanks for replying I'm not familiar with that, what does that exactly do? Also, what about encrypting the passwords in the database itself? Quote Link to comment https://forums.phpfreaks.com/topic/44705-solved-is-this-weak/#findComment-217082 Share on other sites More sharing options...
cmgmyr Posted March 28, 2007 Share Posted March 28, 2007 it cuts down on SQL injection attaks to your DB. You should also use MD5 encryption for your passwords in your database. $md5_pass = md5($password); Quote Link to comment https://forums.phpfreaks.com/topic/44705-solved-is-this-weak/#findComment-217101 Share on other sites More sharing options...
genics Posted March 29, 2007 Author Share Posted March 29, 2007 Cool, I'll go with md5. How would I use the anti-injection script? Quote Link to comment https://forums.phpfreaks.com/topic/44705-solved-is-this-weak/#findComment-217514 Share on other sites More sharing options...
cmgmyr Posted March 29, 2007 Share Posted March 29, 2007 Just do what I did with mysql_real_escape_string Quote Link to comment https://forums.phpfreaks.com/topic/44705-solved-is-this-weak/#findComment-217660 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.