1

I saw several examples and people using this way to query the database in a login form. I'm not fully sure is this is the best way to do a login form secure.

This is the query in PHP:

    $query = "SELECT * FROM users WHERE usern = '".$_POST['username']."' AND passw = '".md5($_POST['password'])."'";

Is enough having md5() on the password post to avoid sql injection?. I think that the md5 function will convert all characters and sql strings to a 32 char string.

Which other ways can I protect the login form?

admin
  • 41
  • 1
  • 6

7 Answers7

6

mysql_real_escape_string($_POST['username']), etc.

Although it's better to use the mysqli extension and use prepared statements.

(Assuming you're using MySQL)

Edit: In response to the comment below, it might be good to use this for LIKE queries:

addcslashes(mysql_real_escape_string($_POST['username']), '%_')

Michael
  • 11,912
  • 6
  • 49
  • 64
  • 1
    +1 for prepared statements - it is much better to pass the data you're about to insert as **data** than to have SQL strings you wrote mixed with untrusted strings coming from the user – Deebster Mar 30 '12 at 15:41
  • definately +1 for the prepared statements... mind you **"mysql_real_escape_string()"** does not escape "%". check out the notes section in php.net/manual/en/function.mysql-real-escape-string.php – Kishor Kundan Mar 30 '12 at 15:45
  • 1
    Yes, although that's only an issue when using `LIKE`. You can use `addcslashes()` to help with that. – Michael Mar 30 '12 at 15:48
0

Just one simple solution use parameters for fields like username and password so that SQL command string is separably sent from the parameters and then attacker will only get blank responses.When parameters are used SQL command string is parsed and compiled separately from the parameters. Using prepared statements is the best solution.

0

You must sanitize your data before you let it near your database. The simplest way to do this is by using mysql_real_escape_string($_POST['username']) but this is only the very least you need to do.

If you're using a framework like CodeIgniter, you can use their in-build functionality which strips $_POST or $_GET inputs of any XSS risk. Otherwise, I'd recommend these posts:

Community
  • 1
  • 1
hohner
  • 11,498
  • 8
  • 49
  • 84
0

You need to escape $_POST['username'] as well

and yes md5 will protect you from sql injection.

For this example, something like this would be ok

$query = "SELECT * FROM users WHERE MD5(usern) = '".md5($_POST['username'])."' AND passw = '".md5($_POST['password'])."'";
ahmetunal
  • 3,930
  • 1
  • 23
  • 26
  • not a bright idea I know, responded within the context of the question, but instead of comparing usernames, compare md5's of usernames.At least, this wayi you dont need to worry about the injection for login. – ahmetunal Mar 30 '12 at 15:50
  • Until he tries to do an `INSERT` or an `UPDATE` to `SET` the `usern`. :) – Michael Mar 30 '12 at 15:52
0

The way you have build your query easily allows to inject pieces of code in the username. You can use prepared statements to avoid that: http://php.net/manual/en/pdo.prepared-statements.php

Prepared statements basically will describe how the statement will be structured, and adds the data afterwards. This way, the user can not alter the structure of the statement with the input data.

W. Goeman
  • 1,674
  • 2
  • 15
  • 31
0

If you make a function which sanitizes all POSTS and GETS you are safe 

function clean() { 
    foreach($_POST as $key => $val) { 
        $_POST[$key] = mysql_real_escape_string($val);
    } 
}

You can also use PDO and statements with variables, and PDO will clean automatically.

gosukiwi
  • 1,569
  • 1
  • 27
  • 44
0
<?php

try {
    $dbh = new PDO("mysql:host=$hostname;dbname=$db", $dbusername, $dbpassword);

    $query = "SELECT * FROM users WHERE usern = ? AND passw = ?";
    $sth=$dbh->prepare($sql);
    $sth->execute(array($_POST['username'], md5($_POST['password']));
    $result =  $sth->fetch();
}
} catch(PDOException $e) {
    echo $e->getMessage();
    exit;
}

PDO is the Best way to stop SQL Injection in PHP

Community
  • 1
  • 1
Alex L
  • 8,419
  • 6
  • 43
  • 51