#1 - 03-23-11, 09:53
PHP Log In form & SQL Injection attacks

Hi

There is a major concern disturbing me when I create a PHP log-in form for my website. There are a few SQL injection methods regularly used by hackers to bypass admin security. I am curious to know how to secure a log-in form to prevent hackers?
#2 - 03-23-11, 10:00 - Rozanne

You should use the functionality below:

mysql_real_escape_string();

$sql = "select * from table where id = '" . mysql_real_escape_string($id) . "'";
// the escaped value must be concatenated in and wrapped in quotes; the call needs an
// open mysql_* connection, and the mysql extension was removed in PHP 7 (use PDO or mysqli)
#3 - 03-23-11, 10:30

Rather than just passing the function without escaping the dangerous characters, I'd recommend you code your own functionality. This not only helps you deal with the user input, but also helps you find out when someone is trying to bypass the log-in form's security. You can show an output message to the user when anyone tries SQL injection.
#4 - 03-23-11, 10:33

You can also apply these validation rules throughout all of your code. Generally it is known as input validation, and any hacking attacks that occur via forms should be prevented.
#5 - 03-23-11, 10:41

Even if your form consists of radio buttons, check boxes and drop-down lists, a hacker still has many chances to invent back doors, once they find the form inputs in the HTML source.
#6 - 03-23-11, 10:44 - Kristine Habeck

In my experience, if a hacker fails at SQL injection, then the hacker will look for other options to get in. You need to include a block feature in your log-in form so that if someone does try an SQL injection script, you add the IP to the database and block them. Perhaps blocking IPs is not a foolproof solution, but it does stop a few imbecile hackers.
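One way to implement the block feature post #6 suggests, as an added example rather than the poster's own code: every failed login is recorded against the client IP (through prepared statements), and once an IP has crossed a threshold inside a time window, further attempts from it are refused before the credentials are even checked. The threshold, window, IP addresses and the credential check are assumptions for the demo; it uses an in-memory SQLite database and runs stand-alone with `php throttle_demo.php` on PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
// Added example for the thread (not any poster's code). Runs stand-alone:
//   php throttle_demo.php
// Requires pdo_sqlite; thresholds, addresses and credentials are assumptions.

const MAX_FAILURES   = 5;    // failures tolerated per IP inside the window
const WINDOW_SECONDS = 900;  // 15 minutes

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE login_failures (
    ip TEXT NOT NULL, attempted_at INTEGER NOT NULL, username TEXT)");
$db->exec("CREATE INDEX login_failures_ip ON login_failures (ip, attempted_at)");

// True when this IP has already hit the failure limit inside the window.
function isThrottled(PDO $db, string $ip, int $now): bool
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM login_failures WHERE ip = ? AND attempted_at > ?");
    $stmt->execute([$ip, $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn() >= MAX_FAILURES;
}

// Record a failure. The submitted username goes in through a parameter, so an
// injection payload lands in the log verbatim instead of inside the query.
function recordFailure(PDO $db, string $ip, string $username, int $now): void
{
    $db->prepare("INSERT INTO login_failures (ip, attempted_at, username) VALUES (?, ?, ?)")
       ->execute([$ip, $now, $username]);
}

// Returns 'throttled', 'ok' or 'denied'. $checkCredentials is whatever the
// real form uses (a prepared lookup plus password_verify()).
function attemptLogin(PDO $db, string $ip, string $username, string $password,
                      int $now, callable $checkCredentials): string
{
    if (isThrottled($db, $ip, $now)) {
        return 'throttled';
    }
    if ($checkCredentials($username, $password)) {
        return 'ok';
    }
    recordFailure($db, $ip, $username, $now);
    return 'denied';
}

// Demo credential check (assumption): one fixed username/password pair.
$check = fn(string $u, string $p): bool => $u === 'admin' && $p === 'hunter2';
$t = time();

// Seven attempts carrying an injection-looking username from one address.
for ($i = 1; $i <= 7; $i++) {
    echo "attempt $i from 203.0.113.7: ",
         attemptLogin($db, '203.0.113.7', "admin' --", 'guess', $t + $i, $check), "\n";
}
// Another address is unaffected, and correct credentials still log in.
echo "attempt from 198.51.100.9: ",
     attemptLogin($db, '198.51.100.9', 'admin', 'hunter2', $t + 8, $check), "\n";
// Once the window has passed, the first address is allowed to try again.
echo "203.0.113.7 after the window: ",
     attemptLogin($db, '203.0.113.7', 'admin', 'hunter2', $t + 8 + WINDOW_SECONDS, $check), "\n";
// What the failure log recorded, for later review.
foreach ($db->query("SELECT ip, username FROM login_failures") as $row) {
    echo "logged failure: {$row['ip']} username={$row['username']}\n";
}
```

In a real form the address comes from `$_SERVER['REMOTE_ADDR']`; do not read it from `X-Forwarded-For` unless a proxy you control sets that header, because the client can send it. As post #6 says, this is not foolproof: attackers rotate addresses, and many legitimate users behind one NAT share an address, so treat per-IP throttling as one layer next to a per-account lockout, not as the fix for injection itself.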
#7 - 03-23-11, 10:47

In my opinion the most reliable method is a database framework with prepared statements. All of your variables are passed separately from the SQL, so they can be properly escaped, and it saves many keystrokes.
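Posts #2 and #7 describe the two approaches, escaping versus prepared statements. The following is an added example, not code from any poster in this thread: the same login check written twice against an in-memory SQLite database, first with string concatenation and then with a PDO prepared statement, and a tautology payload run against both. The table names, the user `admin` and its password are made up for the demo; it needs PHP 7.4+ with the pdo_sqlite extension and runs with `php login_demo.php`.

```php
<?php
// Added example for the thread (not any poster's code). Runs stand-alone:
//   php login_demo.php
// Requires pdo_sqlite; table and user names are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Legacy table: plaintext passwords, queried by string concatenation.
$db->exec("CREATE TABLE legacy_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$db->exec("INSERT INTO legacy_users (username, password) VALUES ('admin', 'hunter2')");

// Hardened table: only a password_hash() digest is stored.
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)");
$db->prepare("INSERT INTO users (username, password_hash) VALUES (?, ?)")
   ->execute(['admin', password_hash('hunter2', PASSWORD_DEFAULT)]);

// Digest of a throwaway password, so that a lookup for an unknown username
// still costs one password_verify() and does not reveal which users exist.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// VULNERABLE: the input is pasted into the SQL text, so a quote in $user ends
// the string literal and whatever follows it is parsed as SQL.
function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM legacy_users WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// HARDENED: the SQL text is constant; $user is sent to the driver as a
// parameter and cannot change the statement's structure. The password is
// checked in PHP with password_verify(), never compared inside the query.
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT password_hash FROM users WHERE username = ?");
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $hash = ($row === false) ? DUMMY_HASH : $row['password_hash'];
    return password_verify($pass, $hash) && $row !== false;
}

// Classic payload: closes the quoted username and comments out the password
// check, so the WHERE clause collapses to "username = '' OR 1=1".
$payload = "' OR 1=1 --";

foreach ([
    ['concatenated, valid credentials', loginVulnerable($db, 'admin', 'hunter2')],
    ['concatenated, injected username', loginVulnerable($db, $payload, 'wrong')],
    ['prepared,     valid credentials', loginPrepared($db, 'admin', 'hunter2')],
    ['prepared,     injected username', loginPrepared($db, $payload, 'wrong')],
] as [$label, $ok]) {
    printf("%-33s %s\n", $label . ':', $ok ? 'LOGGED IN' : 'denied');
}
```

Only the concatenated query lets the injected username in; the prepared statement looks up the literal string `' OR 1=1 --` as a username, finds nothing and denies. Note that mysql_real_escape_string() from post #2 only helps when the escaped value is wrapped in quotes in the SQL and the connection charset is set correctly, and it no longer exists in PHP 7, which is one more reason to prefer parameters over escaping.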
#8 - 03-25-11, 03:13

Quote (originally posted by Taylor31):
    In my opinion the most reliable method is a database framework with prepared statements. All of your variables are passed separately from the SQL, so they can be properly escaped, and it saves many keystrokes.
This is the preferable way; it is what I was using.
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2012, Jelsoft Enterprises Ltd.
Copyright © 1999-2012, BODHost Ltd. All rights reserved.