Jump to content

Hacker Proofing My Login


MrFish
 Share

Recommended Posts

I'm making a login right now, I'm nearly finished and about to set up the sessions and stuff, but how do I protect it from hackers? Will, stripslashes() work? I've read a lot of opinions about how to protect a form from "mysql injection" (as it's called). I was searching for a way to do it but haven't read anything like, "this is HOW you do it", more like "This is how I do it". Does anyone know a surefire, simple way to protect my forms from this? Do I need more then stripslashes()?Also, as a side note. I'm using ajax for my login. Will it be a problem if I use the GET method in this way?

ajaxRequest.open("GET", "includes/login.php?username=" + username + "&password=" + password, "true");ajaxRequest.send(null);

Link to comment
Share on other sites

Guest FirefoxRocks

1. NEVER send passwords via HTTP GET. They appear in the URL, even though you are using AJAX. Instead, learn how to do AJAX HTTP POST correctly (it's a bit harder than AJAX HTTP GET, if you find it too difficult you can use a JavaScript library that includes AJAX such as jQuery).2. Make sure you know what you are inputting. This means check and possibly sanitize your GET and POST requests like this:

<?php	if(isset($_GET["username"]) && is_string($_GET["username"] && !empty($_GET["username"])){		(string)$username = mysql_real_escape_string($_GET["username"]);	}?>

is_string checks for a string, is_numeric checks for numbers (integers and decimals), there's also a few other is_ functions, check the PHP documentation.3. If you are using PHP 5, you can use the filter() function to sanitize the input. I'm not going to go over this right here at the moment.Hope this helps!!

Edited by FirefoxRocks
Link to comment
Share on other sites

Ok, thanks. I'll make that ajax request a post method and look into the mysql_real_escape_string.

Edited by MrFish
Link to comment
Share on other sites

In order to protect against SQL injections, just make sure your different values don't contain anything they shouldn't. For text fields, all you need to do is use mysql_real_escape_string, it's similar to addslashes except it pays attention to the actual character set being used by the database. The key is that you only need to stop single quotes from breaking the query. For number fields, use either intval or floatval to convert them to make sure they're actually numbers and not text. You need to use those functions on any data that's not under your control, anything that comes from get or post or cookies needs to be sanitized. e.g.:$str = mysql_real_escape_string($string_val);$int = intval($num_str);$float = floatval($num_str);

Link to comment
Share on other sites

why does mysql_real_escape_string() need MySQL connection??!?!????!???!!?Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'www-data'@'localhost' (using password: NO) in /var/www/index.php on line 36Line 36:mysql_real_escape_string($try_login); mysql_real_escape_string($try_psw);Or what can i do inif ($_POST["try_login"] && $_POST["try_psw"]){$try_login=$_POST["try_login"]; $try_psw=$_POST["try_psw"];mysql_real_escape_string($try_login); mysql_real_escape_string($try_psw);$try_login=md5($try_login); $try_psw=md5($try_psw);$query=("SELECT * FROM users WHERE loginmd5='$try_login' AND pswmd5='$try_psw'");if ($query){$sql_c=mysql_connect("localhost","######","######") or die($sql_c_die);$sql_s=mysql_select_db("DATABASE",$sql_c) or die($sql_s_die);mysql_query($query); $row=mysql_fetch_assoc($query);if ($row){$id=$row['id']; $nick=$row['nick']; $login=$row['loginmd5']; $psw=$row['pswmd5'];}fclose($sqc_c);

Link to comment
Share on other sites

41 mysql_query($query); $row=mysql_fetch_assoc($query);42 if ($row){$id=$row['id']; $nick=$row['nick']; $login=$row['loginmd5']; $psw=$row['pswmd5'];}43 mysql_close($sql_c);}44 setcookie("LastVisit","$date_date $date_time$date_seconds",time()+3600*24*365);45 if ($_GET["act"]=="regme"){setcookie ('human',md5($regme_code),0);}46 if ($id && $user && $psw && $login){47 setcookie("id","$id",time()+3600*24*365); setcookie("user","$nick",time()+3600*24*365);Warning: Cannot modify header information - headers already sent by (output started at /var/www/index.php:41) in /var/www/index.php on line 44??????????

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...