Security help with login page php

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Ryan_Core
Forum Newbie
Posts: 1
Joined: Mon Mar 15, 2010 11:45 am

Security help with login page php

Post by Ryan_Core »

Hi,
Below is the login script. I was hoping for some suggestions or feedback on how secure/not secure it is against attack?
Also, what would be the best method for guarding against a brute force attack? (best way to limit login attempts)

Code:

<?php

session_start();
//------------------------------------------------------------------------
//connection to the database select table
include('connect.php');

//----------------------------------------------------//
//To Protect against SQL injection on mssql double the quotes

$login = @str_replace("'", "''", $_POST['login']);
$password = @str_replace("'", "''", $_POST['password']);
$password = md5($password);

// To protect against SQL injection strip tags and backslashes
$login = @strip_tags($login);
$login = @stripslashes($login);
$password = @strip_tags($password);
$password = @stripslashes($password);
//------------------------------------------------------//

//SQL query
try{
@$query = "SELECT * ";
@$query .= "FROM Members ";
@$query .= "WHERE Username = '$login' AND Password = '$password'";

//execute the SQL query and return records
@$result = mssql_query($query);

//display the results
if($row = mssql_fetch_object($result))
{
  @$_SESSION['SESS_Memberz_ID'] = $row->Memberz_ID;
  @$_SESSION['SESS_Business'] = $row->Businesses_ID;
  @$_SESSION['SESS_FIRST_NAME'] = $row->firstnamez;
  @$_SESSION['SESS_LAST_NAME'] = $row->lastnamez;
//============================================================================

//============================================================================
    @header("location: member-index.php");
}
else
{
  @header("location: login-failed.php");
}
}
 // mssql_* functions return false on error instead of throwing, so this catch never fires
 catch(PDOException $e)
 {echo 'Login Failed. Please try again.';}
?>
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Security help with login page php

Post by flying_circus »

I am not that familiar with using Microsoft SQL with PHP, but here are a few thoughts.

1. Why are you error suppressing every line of code?
2. MD5 is no longer cryptographically suitable for hashing passwords. Use sha256 at a minimum.
3. You should check data for existence before referencing it. example:

Code:

$login = isset($_POST['login']) ? $_POST['login'] : '';
$login = @str_replace("'", "''", $login);
You could also run a sanity check to determine if login is empty. No sense in going further if it is empty, right?

4. Why should you str_replace anything in a password that you are about to hash?
5. Why would you hash a password and then try to strip tags and slashes?
6. I'm not sure the proper way to prevent SQL injection on MSSQL, but I would guess that it involves using prepared statements. That is the route I would take.

http://msdn.microsoft.com/en-us/library ... L.90).aspx
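An added example that is not the original poster's script and not flying_circus's code, covering the two threads of this discussion: the prepared-statement and hashing points in the reply above (points 2, 3 and 6), and the original question about limiting login attempts. It assumes, since the thread does not say, a PDO `sqlsrv` connection with placeholder credentials, a `Members` table with a `PasswordHash` column holding `password_hash()` output next to the columns the original script reads, and a `LoginAttempts` table (`Username`, `Attempts`, `LastAttempt` as a Unix timestamp) for throttling. `MAX_ATTEMPTS` and `LOCKOUT_SECONDS` are an assumed policy. It uses PHP's `password_hash()`/`password_verify()` (bcrypt by default) rather than `md5()` or a bare SHA-256, because those functions are built for password storage (salted, deliberately slow).

```php
<?php
// Added example (not the original poster's script, not flying_circus's code).
// Assumed, not from the thread: sqlsrv DSN with placeholder credentials; Members has a
// PasswordHash column of password_hash() output; LoginAttempts(Username, Attempts,
// LastAttempt as Unix timestamp) throttles repeated guesses; the constants are an
// assumed policy.
declare(strict_types=1);

const MAX_ATTEMPTS    = 5;
const LOCKOUT_SECONDS = 900; // 15 minutes

function connect(): PDO
{
    $dsn = 'sqlsrv:Server=DB_HOST_PLACEHOLDER;Database=DB_NAME_PLACEHOLDER';
    $pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // errors become exceptions
    return $pdo;
}

// True when this username has reached the threshold inside the lockout window.
function isLockedOut(PDO $pdo, string $login): bool
{
    $stmt = $pdo->prepare('SELECT Attempts, LastAttempt FROM LoginAttempts WHERE Username = :u');
    $stmt->execute([':u' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $inWindow = (time() - (int)$row['LastAttempt']) < LOCKOUT_SECONDS;
    return $inWindow && (int)$row['Attempts'] >= MAX_ATTEMPTS;
}

// Count a failed guess: bump the existing row, or insert the first one.
function recordFailure(PDO $pdo, string $login): void
{
    $upd = $pdo->prepare('UPDATE LoginAttempts SET Attempts = Attempts + 1, LastAttempt = :t WHERE Username = :u');
    $upd->execute([':t' => time(), ':u' => $login]);
    if ($upd->rowCount() === 0) {
        $ins = $pdo->prepare('INSERT INTO LoginAttempts (Username, Attempts, LastAttempt) VALUES (:u, 1, :t)');
        $ins->execute([':u' => $login, ':t' => time()]);
    }
}

function clearFailures(PDO $pdo, string $login): void
{
    $pdo->prepare('DELETE FROM LoginAttempts WHERE Username = :u')->execute([':u' => $login]);
}

// Returns the member row on success, null otherwise. The username is a bound parameter,
// so quotes in it are data rather than SQL; the password never enters the query at all.
function authenticate(PDO $pdo, string $login, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT Memberz_ID, Businesses_ID, firstnamez, lastnamez, PasswordHash FROM Members WHERE Username = :u'
    );
    $stmt->execute([':u' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still spend one verification so response time does not reveal
        // whether the username exists.
        static $dummy = null;
        $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return null;
    }
    return password_verify($password, $row['PasswordHash']) ? $row : null;
}

session_start();
$login    = trim($_POST['login'] ?? '');
$password = $_POST['password'] ?? '';
if ($login === '' || $password === '') {
    header('Location: login-failed.php');
    exit;
}

try {
    $pdo = connect();
    // Locked-out and wrong-password cases get the same redirect, so the response
    // does not say which one applied.
    if (isLockedOut($pdo, $login)) {
        header('Location: login-failed.php');
        exit;
    }
    $member = authenticate($pdo, $login, $password);
    if ($member === null) {
        recordFailure($pdo, $login);
        header('Location: login-failed.php');
        exit;
    }
    clearFailures($pdo, $login);
    session_regenerate_id(true); // fresh session id once authenticated (fixation defence)
    $_SESSION['SESS_Memberz_ID'] = $member['Memberz_ID'];
    $_SESSION['SESS_Business']   = $member['Businesses_ID'];
    $_SESSION['SESS_FIRST_NAME'] = $member['firstnamez'];
    $_SESSION['SESS_LAST_NAME']  = $member['lastnamez'];
    header('Location: member-index.php');
    exit;
} catch (PDOException $e) {
    error_log($e->getMessage()); // details go to the log, not to the browser
    echo 'Login failed. Please try again.';
}
```

At registration the stored value is `password_hash($plaintext, PASSWORD_DEFAULT)`, so `authenticate()` never needs to know which algorithm produced it. The counter here is per username; it slows guessing against one account but does nothing against guesses spread thinly across many accounts, so in practice pair it with a per-client-address throttle and log every lockout so repeated failures show up in monitoring.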