
My login form works fine unless the user enters strings like '1 or 1' or '1'='1'. In that case the login check is bypassed and the user is validated anyway.

Here is my client side code.

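/**
 * Validates the login form and posts the credentials to php/Login/login.php.
 *
 * The blank-field checks below are a usability aid, not a security control:
 * a request can be sent to login.php without going through this form, so
 * input containing SQL metacharacters has to be handled on the server, by
 * binding user_name and user_pass as parameters of a prepared statement
 * instead of concatenating them into the query text.
 */
$scope.user_login = function () {
    // Treat undefined and null as blank as well. The error handler below
    // resets both fields to null, and `null == ''` is false, so a plain
    // `== ''` test lets an empty form through on the next attempt.
    function isBlank(value) {
        return value === undefined || value === null || value === '';
    }

    if (isBlank($scope.user_name)) {
        alert('user name filed should not keep blank');
        loginField.borderColor('txtname');
        return;
    }

    if (isBlank($scope.user_pass)) {
        alert('password filed should not keep blank');
        loginField.borderColor('txtpwd');
        return;
    }

    var userData = {
        'user_name': $scope.user_name,
        'user_pass': $scope.user_pass
    };

    $http({
        method: 'POST',
        url: "php/Login/login.php",
        data: userData,
        // NOTE(review): no transformRequest is set here, and by default $http
        // serialises a plain object as JSON whatever this header says.
        // Confirm login.php parses the format that is actually sent.
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
    }).then(function successCallback(response) {
        // Log the status only; the response body may carry account details
        // that should not end up in the browser console.
        console.log('login', response.status);

        var body = response.data || {};

        // Navigation only. Whoever controls the browser can change this
        // value, so the dashboard's own endpoints must check the session and
        // role on the server before returning data.
        if (String(body['user_type']) === '1') {
            $location.path('dashboard');
        }
    }, function errorCallback(response) {
        // response.data can be empty when the request never produced a body
        // (e.g. a network failure), so guard before reading msg.
        var msg = response && response.data ? response.data['msg'] : null;
        if (msg && msg.length > 0) {
            alert(msg);
        }
        $scope.user_name = null;
        $scope.user_pass = null;
    });
};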

Please help me to resolve this issue.


1 Answer


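This is SQL injection. It has to be prevented in your login.php, on the server; the client-side code above cannot stop it, because a request can be sent to login.php without going through the form. login.php is not shown, but behaviour like this usually means the query is built by concatenating user_name and user_pass into the SQL string. Pass them as bound parameters of a prepared statement (PDO or MySQLi) instead.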

Please read this article and use the techniques described in it to solve your problem.

Here is an SO question about this: How can I prevent SQL injection in PHP?
