I'm doing a PHP login page taking posted vars and putting in mysql_connect params. Is it a bad practice?

StackOverflow https://stackoverflow.com/questions/7006331

  •  16-12-2020
  •  | 
  •  

Domanda

first of all, thanks for your time. Like the subject says... i'm doing a login page, but every search send me to the same code:

use posted user & pass
connect to mysql
search for the user & pass posted
if returns records then ok 
else bad access

but i'm doing this way (and i hope some one can tell me if i'm doing it wrong and why)

session_start();
$user=$_POST['user'];
$pass=$_POST['password'];
$link=mysql_connect('localhost',$user,$pass);
if(!link){
   echo "Access denied";
}else{
   echo "Access OK";
   $_SESSION['user']=$user;
   $_SESSION['password']=$password;
}

And each time i need to verify if user is logged in, i do the same connecting to mysql. Is there here the posibility of code injection? (Like Sql Injection, PHP script or anything else) Is this a bad practice? is there any risk?

BTW, this works fine for me but i want to put it on internet and i don't want to be hacked. Thanks

È stato utile?

Soluzione

Your code as it stands is not vulnerable to SQL injection, despite what the other answers say. The reason is that you're seriously misusing SQL.

Your database credentials and your user's credentials should not be the same thing. Your database username/password should be a secret shared between your PHP script and your database. Typically you would then create a users table within the database, and store your user records there. This is why the tutorials you mention select a user record and compare the password - there are multiple user records stored inside the database as data in a table.

With your current system, you will have to create a new database user for each and every user of your system. This is going to be an administrative nightmare and introduces a whole bunch of new security troubles.

Altri suggerimenti

rather than $_POST['password'] you should write mysql_real_escape_string ($_POST['password']) and like wise for all post variables to avoid sql injection and strip_tags($_POST['password']) to strip all html tags and php tags ..

by this you can strengthen your security..

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top