chelnov63 Posted April 25, 2007 Share Posted April 25, 2007 hi guys... how secure is this login script from sql injection...is there anyway i can make it more secure? thanks... my host has php4.3 <?php //THIS FILES CHECKS WHETHER THE USER CAN LOG IN OR NOT require_once("dbDetails.php"); $email = mysql_real_escape_string($_POST["email"]); $password = mysql_real_escape_string($_POST["password"]); $SQL = "SELECT * FROM members_tbl WHERE email ='".$email."' AND password = '".$password."'"; $rs = mysql_query($SQL,$conn); $numRows = mysql_num_rows($rs); $row = mysql_fetch_array($rs); if($numRows == 1){ //do stuff }else{ echo "user not found"; } ?> Quote Link to comment Share on other sites More sharing options...
btherl Posted April 26, 2007 Share Posted April 26, 2007 The script is secure from sql injection, since you use mysql_real_escape_string() on your inputs immediately before using them, and you place single quotes around them. BUT, you might want to check that unusual passwords, particular ones including html special characters like less than, greater than and so on, are handled correctly. You may need to urldecode() your inputs before escaping them for mysql. Quote Link to comment Share on other sites More sharing options...
clown[NOR] Posted April 26, 2007 Share Posted April 26, 2007 i always add a strip_tags() just incase.. what exactly is it that the urldecode() function does? Quote Link to comment Share on other sites More sharing options...
sw0o0sh Posted April 26, 2007 Share Posted April 26, 2007 link=topic=137817.msg584010#msg584010 date=1177553231] i always add a strip_tags() just incase.. what exactly is it that the urldecode() function does? http://php.net/urldecode Quote Link to comment Share on other sites More sharing options...
chelnov63 Posted April 26, 2007 Author Share Posted April 26, 2007 thanks for the input guys... Ive slightly modified it more and here's the final (i think) version ... if there is anything else u can recommend ..im all ears ..thanks in advance ..one thing in particular..is my INSERT statement secure? //THIS FILES CHECKS WHETHER THE USER CAN LOG IN OR NOT require_once("dbDetails.php"); function check_input($value){ if (get_magic_quotes_gpc()){ $value = stripslashes($value);} // Stripslashes if (!is_numeric($value)){ $value = "'" . mysql_real_escape_string($value) . "'";} // Quote if not a number return $value; } $email = check_input($_POST["email"]); $password = check_input($_POST["password"]); $SQL = "SELECT * FROM members_tbl WHERE email = $email AND password = $password"; $rs = mysql_query($SQL,$conn); $numRows = mysql_num_rows($rs); $row = mysql_fetch_array($rs); //is the following part with $currentdate secure? if($numRows == 1){ $SQL = "UPDATE members_tbl SET last_login ='".$currentdate."' WHERE email = $email"; $rs = mysql_query($SQL,$conn); echo "login=true"; }else{ echo "login=user not found"; } Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.