Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Hi guys, I'm creating a login page but I'm not sure my code is secure. Could anybody tell me if this is secure?
And if you have any ideas, please tell me.
Thanks.
No, it's not secure. You're vulnerable to SQL injection attacks because you're not escaping the user input. Read the manual page for mysql_real_escape_string().
Thanks for your reply, but I'm working with PHP Version 4.4.7 and the value of magic_quotes_gpc=on.
1. Why do I have to use mysql_real_escape_string()?
If my PHP config sets magic_quotes_gpc=on, it will return values like the addslashes() function does, won't it?
If my PHP config sets magic_quotes_gpc=on, is it not secure enough against attacks?
2. Should I use mysql_real_escape_string() only? Can I use addslashes() instead of mysql_real_escape_string()?
3. What is the difference between mysql_real_escape_string() and addslashes()? How is mysql_real_escape_string() better than addslashes()?
Session Fixation attacks are pretty straightforward in your case.
goldensparrow wrote: does this code have other weaknesses?
You can pretty much always strengthen your application. Session security, for instance, can be made a lot stronger in many cases.
By the way, you inserted user supplied variables directly into the session variables, so, whenever you use those session variables, don't forget that they were supplied by the user.
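The three points raised in the thread (escaping with mysql_real_escape_string() rather than relying on magic_quotes_gpc or addslashes(), regenerating the session id against fixation, and not trusting user input stored in the session) pulled together in one login function. This is an added example, not the original poster's code or any of the repliers' code; it assumes a PHP 4.4.7-era mysql_* connection in $link, a `users` table with columns `id`, `username` and `password_hash` (a crypt() hash), and that session_start() has already been called.

```php
<?php
// Added example, not code from the thread. Assumed: $link from mysql_connect(),
// table `users` (id, username, password_hash), session_start() already called.

// magic_quotes_gpc runs addslashes() on GET/POST/COOKIE data before your script
// sees it. Undo that here so every value is escaped exactly once, by the
// database-aware function below, instead of by a blind, charset-unaware one.
function raw_input($value)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// addslashes() only knows about ' " \ and NUL. mysql_real_escape_string()
// escapes according to the character set of the live connection and also
// handles \n, \r and \x1a, so it is the one to use for SQL string literals.
function sql_string($value, $link)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

function login($link)
{
    $username = isset($_POST['username']) ? raw_input($_POST['username']) : '';
    $password = isset($_POST['password']) ? raw_input($_POST['password']) : '';

    $sql = "SELECT id, password_hash FROM users WHERE username = "
         . sql_string($username, $link) . " LIMIT 1";
    $result = mysql_query($sql, $link);
    $row = $result ? mysql_fetch_assoc($result) : false;

    // Compare against the stored hash; crypt() re-uses the salt embedded in it.
    if (!$row || crypt($password, $row['password_hash']) !== $row['password_hash']) {
        return false;
    }

    // Session fixation: issue a fresh id at the moment privileges change, so an
    // id handed to the victim before login does not become an authenticated one.
    session_regenerate_id();

    // Store only the verified, server-side value. Never copy the raw POST
    // username into the session and later treat it as trusted.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}
```

Under PHP 4 the connection character set cannot be set with mysql_set_charset() (added in PHP 5.2.3), so keep the connection and the escaping function on the same single-byte charset, or upgrade.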
kaisellgren wrote:
By the way, you inserted user supplied variables directly into the session variables, so, whenever you use those session variables, don't forget that they were supplied by the user.
What should I do? Please illustrate with my code.