database and application security
Posted: Thu Feb 01, 2007 11:33 am
Hi all
I need advice on securing database.
Database is strictly confidential, and a lot of users are going to use the application (php & mysql). What can I do to make the db secure, and prevent user attacks on the application & db?
Current situation is: connection to database (file conn.php) is in folder /public_html/admin/. Should I remove it outside /public_html/ ?
Authorization code (login) is :
session_start();                        // must run before $_SESSION is read or written
if (isset($_POST['prihvati']))
{
    if (isset($_SESSION['some_user']))
    {
        $some_user = $_SESSION['some_user'];
    }
    if (isset($_POST['username']) and isset($_POST['pass']))
    {
        $kor_ime = $_POST['username'];  // was $_POST['some_user'], a field the form never sends
        $loz = $_POST['pass'];
        $lozinka = md5($loz);           // unsalted md5 of the submitted password
        include("../admin/con_db.php"); // the other branch includes conn.php, the file named in the post
        // form input is placed directly into the SQL text
        $sel = "SELECT * FROM users where email = '$kor_ime' and lozinka_md5 = '$lozinka'";
        $quer = mysql_query($sel);
        $row = mysql_fetch_array($quer);
        $some_user = $_SESSION['some_user'] = $row["id"];
        $Ime = utf8_decode(stripslashes($row["ime"]));
        $Prezime = utf8_decode(stripslashes($row["prezime"]));
    }
    if (isset($some_user))
    {
        include("../admin/conn.php");
        // the session value is also placed directly into the SQL text
        $sel = "SELECT * FROM users where id='$some_user'";
        $quer = mysql_query($sel);
        $row = mysql_fetch_array($quer);
        $some_user = $_SESSION['some_user'] = $row["id"];
        $Ime = utf8_decode(stripslashes($row["ime"]));
        $Prezime = utf8_decode(stripslashes($row["prezime"]));
    }
    if (empty($some_user))
    {
        echo "<br>";
        echo "error in authorisation.";
        echo "<br>";
        session_destroy();
    }
    else
    {
        echo "WELCOME " . $Ime . " " . $Prezime;
        echo "<br>\n" . "<br>\n" . "Wait a minute ..........";
        echo "<meta http-equiv=\"refresh\" content=\"1;URL='main.php'\">\n";
    }
}
What should be changed in the login code to improve security and authorization and access to the database and the data in it?
Any advice is welcome
regards ddragas
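A hardened version of the same login flow, added here as an example and not the poster's code. It assumes conn.php has been moved outside /public_html/ and returns a PDO object, and that the users table has the columns id, email, ime and prezime plus a new (hypothetical) password_hash column holding password_hash() output in place of lozinka_md5.

```php
<?php
// Added example, not the poster's code. Assumptions: ../../config/conn.php sits
// outside the web root and returns a PDO connection; the users table has id,
// email, ime, prezime and a hypothetical password_hash column (bcrypt via
// password_hash()) that replaces the unsalted lozinka_md5 column.
session_start();

// Returns the user's row on success, null on any failure (same path for a
// wrong email and a wrong password, so the response does not reveal which).
function login(PDO $pdo, string $email, string $password): ?array
{
    // Prepared statement: form input is bound as a value, never concatenated
    // into the SQL text, so quotes in the input cannot alter the query.
    $stmt = $pdo->prepare(
        'SELECT id, ime, prezime, password_hash FROM users WHERE email = ? LIMIT 1'
    );
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against a salted, slow hash instead of md5.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // New session id on login so an id planted before authentication is useless.
    session_regenerate_id(true);
    $_SESSION['some_user'] = (int) $row['id'];
    return ['id' => (int) $row['id'], 'ime' => $row['ime'], 'prezime' => $row['prezime']];
}

// When a user is created or changes a password, store this instead of md5():
function hash_for_storage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

if (isset($_POST['prihvati'], $_POST['username'], $_POST['pass'])) {
    $pdo  = require __DIR__ . '/../../config/conn.php';  // not reachable over HTTP
    $user = login($pdo, (string) $_POST['username'], (string) $_POST['pass']);
    if ($user === null) {
        session_destroy();
        echo 'Error in authorisation.';                   // no detail about the cause
        exit;
    }
    // Redirect before any output; main.php reads $_SESSION['some_user'] and
    // must htmlspecialchars() the name before echoing it to the page.
    header('Location: main.php');
    exit;
}
```

Existing rows can be migrated by setting password_hash on each user's next successful login, after which lozinka_md5 can be dropped.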