
#1 2010-01-02 21:51:13

tony5429
Member
Registered: 2006-03-28
Posts: 1,017

[SOLVED] Does MySQLi Automatically Remove Escape Characters?

I am designing a PHP/MySQLi based site and need to be confident the end-users will not be able to muck around using SQL injection. Here is the part which allows the end-user to sign in. I've tried using a SQL injection by entering ' OR 1=1# into the username and password fields but thankfully it seems to be passing that test. Does anyone else see any security concerns? Thanks in advance...

<?php
// Assumes session_start() has already been called and $link is an open mysqli connection.
$username_input = isset($_POST['username_input']) ? $_POST['username_input'] : '';
$pwd_input = isset($_POST['pwd_input']) ? $_POST['pwd_input'] : '';
if ($username_input && $pwd_input) {
    // The ? placeholders are bound below, so the user input is never spliced into the SQL text.
    // "= BINARY ?" keeps the case-sensitive match; LIKE would treat % and _ in the input as wildcards.
    if ($statement = $link->prepare("SELECT id, default_language FROM users WHERE active = '1' AND username = BINARY ? AND pwd = BINARY ?")) {
        $statement->bind_param("ss", $username_input, $pwd_input);
        $statement->execute();
        $statement->bind_result($user_id, $default_language);
        while ($statement->fetch()) {
            $user_signed_in = $user_id;
            $_SESSION['user_signed_in'] = $user_id;
            $_SESSION['lang'] = $default_language;
            $lang = $default_language;
        }
        $statement->close();
    }
}

Last edited by tony5429 (2010-01-03 05:47:10)


#2 2010-01-03 00:54:26

winch
Member
Registered: 2008-04-13
Posts: 43

Re: [SOLVED] Does MySQLi Automatically Remove Escape Characters?

Parametrized queries will be safe from SQL injection. I guess the database library documentation will give you all the details on what actually happens to the parameter strings.

You might want to consider adding LIMIT = 1 to the query since you only want one row back from the db. Can sometimes speed the query up.

Don't store raw passwords. Hash the password and store that. People are stupid and use the same password for everything. You don't want a load of ebay and paypal logins in your db. Searching google for password hashing will give plenty of hits.


#3 2010-01-03 04:23:30

tony5429
Member
Registered: 2006-03-28
Posts: 1,017

Re: [SOLVED] Does MySQLi Automatically Remove Escape Characters?

Thanks for the info! Good tip about limit 1; I've updated it. Glad to hear I'm safe from SQL injection with the prepared statement.

As for password hashing, I've considered doing it but my main drawback is that I'd like to be able to provide a password-emailing service in case someone has forgotten their password. Also, I will be the only person with root access to the server this site is eventually going on.


#4 2010-01-03 05:12:46

tavianator
Member
From: Waterloo, ON, Canada
Registered: 2007-08-21
Posts: 858

Re: [SOLVED] Does MySQLi Automatically Remove Escape Characters?

I find it scary when sites e-mail me my password. They shouldn't have to know it; that they do means that the webmaster has access to a plaintext of my password. I tend to use different passwords for different things, but many people use the same password for random websites, their email, and their online banking. How comfortable should they feel that you now have access to all those things just by signing up for your site?

In short, don't store passwords in plaintext; store the hashes and provide an e-mail based password reset service, rather than password reminders.

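Added example, not code from this thread: the sign-in from #1 reworked to store only password hashes and to issue an e-mail based reset token instead of mailing passwords, as winch and tavianator suggest. It assumes a mysqli connection in $link, session_start() already called, a users table with columns id, username, pwd_hash, active, reset_token_hash and reset_expires (assumed schema), and PHP 7 or later for password_hash() and random_bytes().

```php
<?php
// Added example (not tony5429's code). Assumed schema: users(id, username, pwd_hash,
// active, reset_token_hash, reset_expires). $link is an open mysqli connection.

function register_user(mysqli $link, string $username, string $password): bool {
    // password_hash() salts and hashes; the plaintext password is never stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $link->prepare("INSERT INTO users (username, pwd_hash, active) VALUES (?, ?, '1')");
    $stmt->bind_param("ss", $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function sign_in(mysqli $link, string $username, string $password): ?int {
    // Look the user up by username only; the password is never part of the query,
    // the comparison happens in PHP with password_verify() against the stored hash.
    $stmt = $link->prepare("SELECT id, pwd_hash FROM users WHERE active = '1' AND username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found || !password_verify($password, $hash)) {
        return null; // same failure path whether or not the username exists
    }
    session_regenerate_id(true); // new session id on login, so a pre-login id cannot be reused
    $_SESSION['user_signed_in'] = $id;
    return $id;
}

function begin_password_reset(mysqli $link, string $username): ?string {
    // Only a hash of the token is stored; the raw token is what goes out by e-mail,
    // so a copy of the database alone does not yield working reset links.
    $token = bin2hex(random_bytes(32));
    $tokenHash = hash('sha256', $token);
    $expires = time() + 3600; // valid for one hour
    $stmt = $link->prepare("UPDATE users SET reset_token_hash = ?, reset_expires = ? WHERE username = ?");
    $stmt->bind_param("sis", $tokenHash, $expires, $username);
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed === 1 ? $token : null; // caller e-mails a link carrying $token
}
```

The handler that completes the reset hashes the submitted token, compares it to reset_token_hash with hash_equals(), checks reset_expires against the current time, and then stores a fresh password_hash() of the new password while clearing the token columns.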

#5 2010-01-03 05:46:51

tony5429
Member
Registered: 2006-03-28
Posts: 1,017

Re: [SOLVED] Does MySQLi Automatically Remove Escape Characters?

Good points, tavianator. E-mail based password resetting would not require plaintext passwords to be stored... I'll probably go that route. Thanks for all the help everyone!


Powered by FluxBB