secure login form
hi
I wanna secure a login form against injection and ...
Please, I need it.
- social_experiment
Re: secure login form
Have you created any code? SQL injection can be easily stopped by escaping any user input using mysql_real_escape_string().
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: secure login form
hello, simply use
mysql_real_escape_string($_POST['field_name']);
Hope this is best.
Thank you.
Re: secure login form
This is test cote....
Re: secure login form
$sanitized_input_data_array = array_map('mysql_real_escape_string', $_POST);
You can also use $_REQUEST instead of $_POST to make this a generic function for all form types, like logins, search, registrations, polls, surveys, whatever.
Thanks to AbraCadaver for turning me on to this function in a previous thread - I am using it a lot now.
Re: secure login form
It's not bad to check whether magic quotes are off.
if (!get_magic_quotes_gpc()) {
    $secure = array_map('mysql_real_escape_string', $_POST);
} else {
    $secure = $_POST;
}
Re: secure login form
This is not a wise practice and betrays a fundamental misunderstanding of how to handle escaping. You should escape the variables that go in a query, not everything that comes as input in your script.
Re: secure login form
why?
I disagree that it PORtrays a fundamental misunderstanding of how to handle escaping, because the person using it obviously understands that escaping is needed, and is trying to be fast and efficient about it, and is doing it no differently than if you would do it line by line with a lot more code, so no misunderstanding exists at all. It's leaner, more efficient, less time consuming to code, and is generic in nature to handle all form mysql sanitation needs, making it an ideal solution that can be reused over and over again infinitely for just that purpose. Who cares if you are throwing in one or two $key=>$values every once in a while that isn't an absolute requirement, but hey, if you want to take the time to hand code sanitation for every form you make, go for it.
Personally, I make a boatload of forms. That's one of the biggest sellers for customers who want interaction with their visitors and members - polls, surveys, questionnaires, order forms, contact forms, etc.
Do that for a 1000-question survey time after time and you will quickly find that automation and efficiency is your friend.
There is nothing wrong with efficiency when there are no negatives.
Now, if you could demonstrate where it would consume excessive server resources or provide an exploitable insecurity, then it's a totally different story.
Re: secure login form
Of course you should do it efficiently. The question is should you do it like that.
What do you think of this code:
$foo = $sanitized_input_data_array['foo'];
mysql_query("UPDATE bar SET foo='$foo'");
echo "Hello, $foo";
//... later
$result = mysql_query("SELECT foo FROM bar");
$array = mysql_fetch_array($result, MYSQL_ASSOC);
$foo = $array['foo'];
mysql_query("UPDATE baz SET foo='$foo'");
echo "Hey, $foo, you're in baz now!";
Re: secure login form
Do you care to answer, Bind?
Anyone else "in the hall" wanna jump in the riddle?
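The riddle above, worked through as an added example (not code from anyone in this thread): each query is protected at the point where it is built, with a prepared statement, rather than by escaping all of $_POST up front. It assumes the pdo_sqlite extension, uses an in-memory SQLite database in place of MySQL so it runs offline, and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection; the table and column names (bar, baz, foo) are the ones from the riddle.

```php
<?php
// Added example, not from the thread. Assumes pdo_sqlite; SQLite stands in for
// MySQL. Table/column names bar, baz and foo come from the riddle above.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE bar (id INTEGER PRIMARY KEY, foo TEXT)");
$db->exec("CREATE TABLE baz (id INTEGER PRIMARY KEY, foo TEXT)");
$db->exec("INSERT INTO bar (id, foo) VALUES (1, '')");
$db->exec("INSERT INTO baz (id, foo) VALUES (1, '')");

// Constructed form input: a name with a quote in it, as a real user might type.
$_POST = ['foo' => "O'Reilly"];

// For contrast, the array_map approach from earlier in the thread (addslashes
// stands in for mysql_real_escape_string, which needs a live MySQL link): the
// value is now O\'Reilly, which is wrong for the echo and for anything except
// the one query it was escaped for.
$escaped = array_map('addslashes', $_POST);
echo "Hello, " . $escaped['foo'] . " (escaped at input time)\n";

// Instead: keep the raw value and hand it to the driver as a bound parameter
// when the first query is built. It never becomes part of the SQL text.
$foo = $_POST['foo'];
$stmt = $db->prepare("UPDATE bar SET foo = :foo WHERE id = 1");
$stmt->execute([':foo' => $foo]);

// Displaying it: still the raw string. Encode for the output context (HTML)
// here, by the same rule: escape where the data is used, not where it arrives.
echo "Hello, " . htmlspecialchars($foo, ENT_QUOTES, 'UTF-8') . "\n";

// ... later: what comes back from the database is plain data again, exactly
// as typed, with no backslashes. This is the point of the riddle: escaping at
// input time does nothing for values that reach a query from anywhere else.
$row = $db->query("SELECT foo FROM bar WHERE id = 1")->fetch(PDO::FETCH_ASSOC);
$foo = $row['foo'];

// The second query gets the same treatment, so where the value came from
// does not matter.
$stmt = $db->prepare("UPDATE baz SET foo = :foo WHERE id = 1");
$stmt->execute([':foo' => $foo]);

echo "Hey, " . htmlspecialchars($foo, ENT_QUOTES, 'UTF-8') . ", you're in baz now!\n";
```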
Re: secure login form
You can use an MD5 and SHA1 combination for the password field.