Jump to content

newbie: sql injection question - is this script secure?

chelnov63

By chelnov63
in PHP Coding Help

 Share

Recommended Posts

chelnov63 Member

chelnov63

Posted
Posted

hi guys... how secure is this login script from sql injection...is there anyway i can make it more secure? thanks... my host has php4.3

 

<?php

//THIS FILES CHECKS WHETHER THE USER CAN LOG IN OR NOT


require_once("dbDetails.php");

$email = mysql_real_escape_string($_POST["email"]);
$password = mysql_real_escape_string($_POST["password"]);





$SQL = "SELECT * FROM members_tbl WHERE email ='".$email."' AND password = '".$password."'";

$rs = mysql_query($SQL,$conn);
$numRows = mysql_num_rows($rs);
$row = mysql_fetch_array($rs);


if($numRows == 1){
//do stuff
}else{

echo "user not found";
}





?>

Link to comment
Share on other sites
btherl Member

btherl

Posted
Posted

The script is secure from sql injection, since you use mysql_real_escape_string() on your inputs immediately before using them, and you place single quotes around them.

 

BUT, you might want to check that unusual passwords, particular ones including html special characters like less than, greater than and so on, are handled correctly.  You may need to urldecode() your inputs before escaping them for mysql.

Link to comment
Share on other sites
chelnov63 Member

chelnov63

Posted
  • Author
Posted

thanks for the input guys... Ive slightly modified it more and here's the final (i think) version ... if there is anything else u can recommend ..im all ears ..thanks in advance ..one thing in particular..is my INSERT statement secure?

 

//THIS FILES CHECKS WHETHER THE USER CAN LOG IN OR NOT
require_once("dbDetails.php");

function check_input($value){

if (get_magic_quotes_gpc()){ $value = stripslashes($value);} // Stripslashes
if (!is_numeric($value)){ $value = "'" . mysql_real_escape_string($value) . "'";} // Quote if not a number

return $value;
}

$email = check_input($_POST["email"]);
$password = check_input($_POST["password"]);

$SQL = "SELECT * FROM members_tbl WHERE email = $email AND password = $password";

$rs = mysql_query($SQL,$conn);
$numRows = mysql_num_rows($rs);
$row = mysql_fetch_array($rs);

//is the following part with $currentdate secure?

if($numRows == 1){
 $SQL = "UPDATE members_tbl SET last_login ='".$currentdate."' WHERE email = $email";
     $rs = mysql_query($SQL,$conn);
 echo "login=true";
}else{

echo "login=user not found";
}

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.