Help with PHP Login Stuff

[iyanski]

---

<?php
session_start();

echo "Hello World Success!."<br>";

if(isset($_SESSION['AllowAdmin']))
{
echo "Admin is set";
}
else {
echo "Admin not set";
}
?>

dont also forget to add slashes to your post variables, or you might get injected with malicious data.

[simoncpu]

Code:

$username = $_POST['UName'];
$password = $_POST['PWord'];
    
$query = "SELECT username,pword,usertype FROM user_info WHERE username = '$username' AND pword = '$password'";
$result = mysql_query($query);

From a security perspective, the above code is absolutely not advisable. Crackers can easily gain access to your system using the following password:

Code:

' or 1 = '1

Worse, they can even do:

Code:

'; DROP DATABASE user_info; #

The correct usage is:

Code:

$username = $_POST['UName'];
$password = $_POST['PWord'];
     
$query = "SELECT username, pword, usertype FROM user_info WHERE username = '$username' AND pword = '$password'";
$result = mysql_query(mysql_real_escape_string($query));

The best way to prevent SQL injection attacks, however, is to use PDO Prepared Statements.

Regards,


[ simon.cpu ]

[spikes]

OT: question lang guys. Wla bay API sa PHP nga simple username and password ang imo i pass, then let the server do the authentication? Sa J2EE man gud, pwede gamit og JAAS then let the server authenticate. simple xml config and simple html. Curious lang ko. Thanks.

[pulchra]

ako sad ask sad ko bahin salog-in!

unsaon pag eror trap sa log-in username and password?

if ang username nya is like this>> UseRname or password is like this> PassswoRD

unsaon pagtrap ani na case sensitive siya?

kay ang ako gud mosolod sya or true sya kng ang case kay all caps or not or combination!

[pulchra]

mosolod sya basta sakto lang ang username/password bisag dili parehas ug case?
naa bay built in function ani or maghimo jud ta??
cge salamat sa n u mga master!

[wildfrog]

bai, e change ang field type to binary para maka case sensitive ka.

den...kung gusto ka more secure..try to encrypt the password, ayaw gamit sa mysql function ecryption...gamit ug code na imo settings ang encryption.. ma decode man gud ghpon ang encryption function sa mysql. himo ug function gamit ang php para mo encrypt ug data.

[Tin_Tin]

Code:

$username = $_POST['UName'];
$password = $_POST['PWord'];
    
$query = "SELECT username,pword,usertype FROM user_info WHERE username = '$username' AND pword = '$password'";
$result = mysql_query($query);

From a security perspective, the above code is absolutely not advisable. Crackers can easily gain access to your system using the following password:

Code:

' or 1 = '1

Worse, they can even do:

Code:

'; DROP DATABASE user_info; #

The correct usage is:

Code:

$username = $_POST['UName'];
$password = $_POST['PWord'];
     
$query = "SELECT username, pword, usertype FROM user_info WHERE username = '$username' AND pword = '$password'";
$result = mysql_query(mysql_real_escape_string($query));

The best way to prevent SQL injection attacks, however, is to use PDO Prepared Statements.

Regards,


[ simon.cpu ]

dili diay na i automatic escape sa php ang mga lines nga naay ' ug ". . ?