secure login form

Posted: Wed Mar 16, 2011 8:56 am
by qqq2qqq
Hi
I want to secure a login form against injection and ...
Please, I need it.

Re: secure login form

Posted: Sun Mar 20, 2011 11:36 am
by social_experiment
Have you created any code? SQL injection can be easily stopped by escaping any user input using mysql_real_escape_string().

Re: secure login form

Posted: Tue Mar 22, 2011 1:30 am
by n.amin
Hello, simply use

Code:

mysql_real_escape_string($_POST['field_name']);
Hope this is best.
qqq2qqq wrote: Hi
I want to secure a login form against injection and ...
Please, I need it.
Thank you

Re: secure login form

Posted: Tue Mar 22, 2011 5:13 am
by n.amin
n.amin wrote: Hello, simply use

Code:

mysql_real_escape_string($_POST['field_name']);
Hope this is best.
qqq2qqq wrote: Hi
I want to secure a login form against injection and ...
Please, I need it.
Thank you

This is a test quote....

Re: secure login form

Posted: Thu Mar 24, 2011 8:51 am
by Bind

Code:

$sanitized_input_data_array = array_map('mysql_real_escape_string', $_POST);
array_map() will sanitize (for MySQL) the entire $_POST array, no matter how many key=>value pairs there are.

You can also use $_REQUEST instead of $_POST to make this a generic function for all form types, like logins, searches, registrations, polls, surveys, whatever.

Thanks to AbraCadaver for turning me on to this function in a previous thread; I am using it a lot now.

Re: secure login form

Posted: Thu Mar 24, 2011 12:15 pm
by relax4o
It's not bad to check whether magic quotes are turned off.

Code:

if (!get_magic_quotes_gpc()) {
    // magic_quotes_gpc is off: escape every POST value for MySQL ourselves
    $secure = array_map('mysql_real_escape_string', $_POST);
} else {
    // magic_quotes_gpc already added backslashes to the input; escaping again would double them
    $secure = $_POST;
}

Re: secure login form

Posted: Thu Mar 24, 2011 12:59 pm
by Mordred
This is not a wise practice and betrays a fundamental misunderstanding of how to handle escaping. You should escape the variables that go in a query, not everything that comes as input in your script.

Re: secure login form

Posted: Thu Mar 24, 2011 11:39 pm
by Bind
Mordred wrote:This is not a wise practice and betrays a fundamental misunderstanding of how to handle escaping. You should escape the variables that go in a query, not everything that comes as input in your script.
Why?

I disagree that it PORtrays a fundamental misunderstanding of how to handle escaping, because the person using it obviously understands that escaping is needed, and is trying to be fast and efficient about it, and is doing it no differently than if you would do it line by line with a lot more code, so no misunderstanding exists at all. It's leaner, more efficient, less time-consuming to code, and is generic in nature to handle all form MySQL sanitation needs, making it an ideal solution that can be reused over and over again infinitely for just that purpose. Who cares if you are throwing in one or two $key=>$values every once in a while that isn't an absolute requirement? But hey, if you want to take the time to hand-code sanitation for every form you make, go for it.

Personally, I make a boatload of forms. That's one of the biggest sellers for customers who want interaction with their visitors and members: polls, surveys, questionnaires, order forms, contact forms, etc.

Do that for a 1000-question survey time after time and you will quickly find that automation and efficiency are your friends.

There is nothing wrong with efficiency when there are no negatives.

Now, if you could demonstrate where it would consume excessive server resources or provide an exploitable insecurity, then it's a totally different story.

Re: secure login form

Posted: Fri Mar 25, 2011 3:00 am
by Mordred
Of course you should do it efficiently. The question is whether you should do it like that.

What do you think of this code:

Code:

$foo = $sanitized_input_data_array['foo'];
mysql_query("UPDATE bar SET foo='$foo'");
echo "Hello, $foo";
//... later
$result = mysql_query("SELECT foo FROM bar");
$array = mysql_fetch_array($result, MYSQL_ASSOC);
$foo = $array['foo'];
mysql_query("UPDATE baz SET foo='$foo'");
echo "Hey, $foo, you're in baz now!";

Re: secure login form

Posted: Tue Mar 29, 2011 12:38 pm
by Mordred
Do you care to answer, Bind?

Anyone else "in the hall" wanna jump in the riddle? ;)

Re: secure login form

Posted: Thu Mar 31, 2011 8:52 am
by foxmahesh
You can use an MD5 and SHA1 combination for the password field.
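The distinction Mordred draws earlier in the thread (handle a value where it is used, rather than escaping the whole $_POST array up front) and foxmahesh's point about hashing the password field, brought together in one added PHP example that is not code from any post in this thread. It uses PDO prepared statements and PHP's built-in password_hash()/password_verify() in place of the mysql_real_escape_string() and MD5/SHA1 approaches discussed above, so the username is bound as a query parameter, the stored password is a salted hash, and HTML escaping is applied only at output time. The database is an in-memory SQLite database opened through PDO so the script runs without a MySQL server (against MySQL only the DSN in openDb() changes); the user record and the three login attempts are constructed sample data, and the function names openDb, findPasswordHash, login and greet are my own.

```php
<?php
// Added example, not code from the thread. A login check that handles each
// value at the point where it is used: the username is bound as a query
// parameter, the password is compared against a password_hash() digest, and
// output is HTML-escaped only when echoed. Uses PDO with an in-memory SQLite
// database so it runs without a MySQL server; against MySQL only the DSN in
// openDb() changes.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

    // Constructed sample account. The stored value is a salted bcrypt hash
    // produced by password_hash(), not the password itself, so a dumped
    // table does not reveal passwords.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => "o'brien",                                  // a legitimate name containing a quote
        ':h' => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
    return $db;
}

function findPasswordHash(PDO $db, string $username): ?string
{
    // The raw username is bound as a parameter. The driver transmits it as
    // data, so a quote or comment marker inside it is matched literally and
    // is never parsed as part of the SQL statement.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['password_hash'];
}

function login(PDO $db, string $username, string $password): bool
{
    $hash = findPasswordHash($db, $username);
    if ($hash === null) {
        return false;
    }
    // password_verify() reads the algorithm and salt from the stored hash and
    // compares in constant time, so no manual MD5/SHA1 handling is needed.
    return password_verify($password, $hash);
}

function greet(string $username): string
{
    // Escaping for HTML happens here, at output time, with the HTML escaper.
    // Because the value was never SQL-escaped, no stray backslashes appear.
    return 'Hello, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

// Constructed requests standing in for $_POST['username'] / $_POST['password'].
$db = openDb();
$attempts = [
    ["o'brien", 'correct horse'],   // valid credentials
    ["o'brien", 'wrong password'],  // wrong password for an existing user
    ["o'brien' OR 1=1 --", 'x'],   // quote and comment marker are matched literally: no such user
];
foreach ($attempts as [$user, $pass]) {
    $ok = login($db, $user, $pass) ? 'accepted' : 'rejected';
    echo $ok . ': ' . greet($user) . PHP_EOL;
}
```

Run it with `php login_example.php` (PHP 7.1 or later with the pdo_sqlite extension). The point to take from it is where each transformation lives: nothing is escaped when the request arrives, the query gets a bound parameter, the hash comparison gets the raw password, and the HTML escaper runs only on the way out, so the value read back from the database is the same one the user typed and can be reused in a later query without the double-handling problem Mordred's snippet illustrates.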