secure login form

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

qqq2qqq
Forum Newbie
Posts: 1
Joined: Wed Mar 16, 2011 8:52 am

secure login form

Post by qqq2qqq »

Hi,
I want to secure a login form against injection and ...
Please, I need it.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: secure login form

Post by social_experiment »

Have you created any code? SQL injection can be easily stopped by escaping any user input using mysql_real_escape_string().
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
n.amin
Forum Newbie
Posts: 3
Joined: Sun Mar 20, 2011 4:03 am
Location: Dhaka, Bangladesh

Re: secure login form

Post by n.amin »

Hello, simply use

mysql_real_escape_string($_POST['field_name']);

Hope this is best.
qqq2qqq wrote: Hi,
I want to secure a login form against injection and ...
Please, I need it.
Thank you
n.amin
Forum Newbie
Posts: 3
Joined: Sun Mar 20, 2011 4:03 am
Location: Dhaka, Bangladesh

Re: secure login form

Post by n.amin »

n.amin wrote: Hello, simply use

mysql_real_escape_string($_POST['field_name']);

Hope this is best.
qqq2qqq wrote: Hi,
I want to secure a login form against injection and ...
Please, I need it.
Thank you

This is test code....
Bind
Forum Contributor
Posts: 102
Joined: Wed Feb 03, 2010 1:22 am

Re: secure login form

Post by Bind »

$sanitized_input_data_array = array_map('mysql_real_escape_string', $_POST);

array_map will sanitize (for MySQL) the entire $_POST array no matter how many key=>values are there.

You can also use $_REQUEST instead of $_POST to make this a generic function for all form types, like logins, search, registrations, polls, surveys, whatever.

Thanks to AbraCadaver for turning me on to this function in a previous thread - I am using it a lot now.
relax4o
Forum Newbie
Posts: 1
Joined: Thu Mar 24, 2011 3:37 am

Re: secure login form

Post by relax4o »

It's not bad to check whether magic quotes are turned off.

if (!get_magic_quotes_gpc()) {
    // Magic quotes are off: escape the raw input ourselves.
    $secure = array_map('mysql_real_escape_string', $_POST);
} else {
    // Magic quotes already added backslashes; escaping again would double them.
    $secure = $_POST;
}
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: secure login form

Post by Mordred »

This is not a wise practice and betrays a fundamental misunderstanding of how to handle escaping. You should escape the variables that go in a query, not everything that comes as input in your script.
Bind
Forum Contributor
Posts: 102
Joined: Wed Feb 03, 2010 1:22 am

Re: secure login form

Post by Bind »

Mordred wrote:This is not a wise practice and betrays a fundamental misunderstanding of how to handle escaping. You should escape the variables that go in a query, not everything that comes as input in your script.
Why?

I disagree that it PORtrays a fundamental misunderstanding of how to handle escaping, because the person using it obviously understands that escaping is needed, and is trying to be fast and efficient about it, and is doing it no differently than if you would do it line by line with a lot more code, so no misunderstanding exists at all. It's leaner, more efficient, less time consuming to code, and is generic in nature to handle all form MySQL sanitation needs, making it an ideal solution that can be reused over and over again infinitely for just that purpose. Who cares if you are throwing in one or two $key=>$values every once in a while that isn't an absolute requirement, but hey, if you want to take the time to hand code sanitation for every form you make, go for it.

Personally, I make a boatload of forms. That's one of the biggest sellers for customers who want interaction with their visitors and members - polls, surveys, questionnaires, order forms, contact forms, etc.

Do that for a 1000 question survey time after time and you will quickly find that automation and efficiency is your friend.

There is nothing wrong with efficiency when there are no negatives.

Now, if you could demonstrate where it would consume excessive server resources or provide an exploitable insecurity, then it's a totally different story.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: secure login form

Post by Mordred »

Of course you should do it efficiently. The question is whether you should do it like that.

What do you think of this code:


$foo = $sanitized_input_data_array['foo'];
mysql_query("UPDATE bar SET foo='$foo'");
echo "Hello, $foo";
//... later
$result = mysql_query("SELECT foo FROM bar");
$array = mysql_fetch_array($result, MYSQL_ASSOC);
$foo = $array['foo'];
mysql_query("UPDATE baz SET foo='$foo'");
echo "Hey, $foo, you're in baz now!";
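The point behind Mordred's riddle, and the problem with the array_map-over-$_POST pattern from Bind's and relax4o's posts, is that escaping belongs to a destination, not to the input: backslash escaping only means something inside a SQL string literal, so a value escaped on arrival is wrong for HTML output, and a value read back out of the database is raw again and needs binding before the next query. The following is an added example, not code from the thread. It uses an in-memory SQLite database through PDO (assumes the pdo_sqlite extension) in place of MySQL, addslashes() as a connection-free stand-in for mysql_real_escape_string(), and the table names, function names and sample input are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_POST (not real request data).
$input = ['username' => "o'brien", 'display' => '<b>Bob</b> & Co'];

// --- The thread's "escape everything at input" pattern ---
// addslashes() stands in for mysql_real_escape_string(), which needs a live
// MySQL connection; both add backslashes that only a SQL string literal wants.
$sanitized = array_map('addslashes', $input);
echo "username as escaped at input: {$sanitized['username']}\n"; // o\'brien
echo "Hello, {$sanitized['display']}\n"; // the <b> tag reaches the browser untouched

// --- Escape at each boundary instead ---
// In-memory SQLite via PDO stands in for MySQL so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE bar (foo TEXT)');
$pdo->exec('CREATE TABLE baz (foo TEXT)');

/** SQL boundary: bind the raw value and let the driver handle quoting. */
function insertFoo(PDO $pdo, string $table, string $foo): void
{
    // $table is chosen by our own code, never taken from the request.
    $stmt = $pdo->prepare("INSERT INTO $table (foo) VALUES (:foo)");
    $stmt->execute([':foo' => $foo]);
}

/** Read back the first foo value stored in a table. */
function firstFoo(PDO $pdo, string $table): string
{
    return (string) $pdo->query("SELECT foo FROM $table LIMIT 1")->fetchColumn();
}

/** HTML boundary: encode for the page, whatever the value's origin. */
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

insertFoo($pdo, 'bar', $input['username']);
$fromDb = firstFoo($pdo, 'bar');
assert($fromDb === "o'brien"); // stored verbatim, no stray backslash

// A value read back from the database is raw data again: bind it for the
// next query and encode it for the page, exactly as for fresh input.
insertFoo($pdo, 'baz', $fromDb);
echo 'Hey, ' . forHtml($fromDb) . ", you're in baz now!\n";   // Hey, o&apos;brien, you're in baz now!
echo 'Hello, ' . forHtml($input['display']) . "\n";           // Hello, &lt;b&gt;Bob&lt;/b&gt; &amp; Co
```

Run it with the PHP CLI. The first two echo lines show the two failure modes of escaping at input (a backslash that was never meant for the page, and HTML that was never escaped at all); the prepared statements and htmlspecialchars() calls show each value being prepared for exactly the place it is about to go.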
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: secure login form

Post by Mordred »

Do you care to answer, Bind?

Anyone else "in the hall" wanna jump in the riddle? ;)
foxmahesh
Forum Newbie
Posts: 5
Joined: Thu Mar 31, 2011 8:34 am

Re: secure login form

Post by foxmahesh »

You can use an MD5 and SHA-1 combination for the password field.
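An added example of the password step of the login form the thread is about, not code from the thread: it stores passwords with PHP's password_hash() and checks them with password_verify() (available since PHP 5.5) rather than the MD5/SHA-1 combination foxmahesh suggests, and binds the username in the lookup query so an apostrophe in it is just data. It assumes the pdo_sqlite extension; the users table, the function names and the sample credentials are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite via PDO stands in for MySQL so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

/** Registration: store a salted, slow hash; never the password or a bare digest. */
function registerUser(PDO $pdo, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt with a random per-user salt and a work factor.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/**
 * Login check: the username is bound, never concatenated into the SQL, and
 * the password is checked with password_verify(), which recomputes the hash
 * with the stored salt and compares in constant time.
 * Returns true only when the user exists and the password matches.
 */
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // Hash computed once per process for the unknown-user path below.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still spend the same hashing time so the response
        // time does not reveal which usernames exist.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, (string) $hash);
}

// Constructed sample data, not real credentials.
registerUser($pdo, "o'brien", 'correct horse battery staple');

var_dump(checkLogin($pdo, "o'brien", 'correct horse battery staple')); // bool(true)
var_dump(checkLogin($pdo, "o'brien", 'wrong password'));               // bool(false)
var_dump(checkLogin($pdo, 'nobody', 'correct horse battery staple'));  // bool(false)
```

The stored value is a bcrypt string that already carries its salt and cost, so no extra columns or secret pepper are needed for the check itself; raising the cost later only requires re-hashing on the next successful login with password_needs_rehash().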