Hacker Proofing My Login

[MrFish]

I'm making a login right now, I'm nearly finished and about to set up the sessions and stuff, but how do I protect it from hackers? Will, stripslashes() work? I've read a lot of opinions about how to protect a form from "mysql injection" (as it's called). I was searching for a way to do it but haven't read anything like, "this is HOW you do it", more like "This is how I do it". Does anyone know a surefire, simple way to protect my forms from this? Do I need more then stripslashes()?Also, as a side note. I'm using ajax for my login. Will it be a problem if I use the GET method in this way?

ajaxRequest.open("GET", "includes/login.php?username=" + username + "&password=" + password, "true");ajaxRequest.send(null);

[smerny]

mysql_escape_real_string()

[ProblemHelpPlease]

Using mod_rewrite can help to disguise your files and variables, really easy to follow tutorial here

[Guest FirefoxRocks]

1. NEVER send passwords via HTTP GET. They appear in the URL, even though you are using AJAX. Instead, learn how to do AJAX HTTP POST correctly (it's a bit harder than AJAX HTTP GET, if you find it too difficult you can use a JavaScript library that includes AJAX such as jQuery).2. Make sure you know what you are inputting. This means check and possibly sanitize your GET and POST requests like this:

<?php	if(isset($_GET["username"]) && is_string($_GET["username"] && !empty($_GET["username"])){		(string)$username = mysql_real_escape_string($_GET["username"]);	}?>

is_string checks for a string, is_numeric checks for numbers (integers and decimals), there's also a few other is_ functions, check the PHP documentation.3. If you are using PHP 5, you can use the filter() function to sanitize the input. I'm not going to go over this right here at the moment.Hope this helps!!

[Synook]

Use SSL.

[MrFish]

Ok, thanks. I'll make that ajax request a post method and look into the mysql_real_escape_string.

[justsomeguy]

In order to protect against SQL injections, just make sure your different values don't contain anything they shouldn't. For text fields, all you need to do is use mysql_real_escape_string, it's similar to addslashes except it pays attention to the actual character set being used by the database. The key is that you only need to stop single quotes from breaking the query. For number fields, use either intval or floatval to convert them to make sure they're actually numbers and not text. You need to use those functions on any data that's not under your control, anything that comes from get or post or cookies needs to be sanitized. e.g.:$str = mysql_real_escape_string($string_val);$int = intval($num_str);$float = floatval($num_str);

[es131245]

why does mysql_real_escape_string() need MySQL connection??!?!????!???!!?Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'www-data'@'localhost' (using password: NO) in /var/www/index.php on line 36Line 36:mysql_real_escape_string($try_login); mysql_real_escape_string($try_psw);Or what can i do inif ($_POST["try_login"] && $_POST["try_psw"]){$try_login=$_POST["try_login"]; $try_psw=$_POST["try_psw"];mysql_real_escape_string($try_login); mysql_real_escape_string($try_psw);$try_login=md5($try_login); $try_psw=md5($try_psw);$query=("SELECT * FROM users WHERE loginmd5='$try_login' AND pswmd5='$try_psw'");if ($query){$sql_c=mysql_connect("localhost","######","######") or die($sql_c_die);$sql_s=mysql_select_db("DATABASE",$sql_c) or die($sql_s_die);mysql_query($query); $row=mysql_fetch_assoc($query);if ($row){$id=$row['id']; $nick=$row['nick']; $login=$row['loginmd5']; $psw=$row['pswmd5'];}fclose($sqc_c);

[justsomeguy]

why does mysql_real_escape_string() need MySQL connection??!?!????!???!!?

Calm down. Look it up:http://www.php.net/manual/en/function.mysq...cape-string.php

Escapes special characters in the unescaped_string , taking into account the current character set of the connection

[es131245]

One more thing...Does MySQL connection limits setcookie()??????

[justsomeguy]

First of all, is one "?" not enough?No, making a connection to MySQL doesn't have any effect on cookie behavior.

[es131245]

41 mysql_query($query); $row=mysql_fetch_assoc($query);42 if ($row){$id=$row['id']; $nick=$row['nick']; $login=$row['loginmd5']; $psw=$row['pswmd5'];}43 mysql_close($sql_c);}44 setcookie("LastVisit","$date_date $date_time$date_seconds",time()+3600*24*365);45 if ($_GET["act"]=="regme"){setcookie ('human',md5($regme_code),0);}46 if ($id && $user && $psw && $login){47 setcookie("id","$id",time()+3600*24*365); setcookie("user","$nick",time()+3600*24*365);Warning: Cannot modify header information - headers already sent by (output started at /var/www/index.php:41) in /var/www/index.php on line 44??????????

[justsomeguy]

Check here for a description about that error. You can't send output before you send headers.http://w3schools.invisionzone.com/index.php?showtopic=12509