I’m wondering how I can make this code safer, I’m using it as login.php:
if(isset($_POST["username"]) and isset($_POST["password"])) {
if($_POST["username"] == $adminusr && $_POST["password"] == $adminpass){
I want to make it a little more safe to prevent sql-injections and such. Do you have any ideas ? I’d like to learn more about making safer sites.
Thank you dudes and dudettes
Edit:
Sorry I didn’t post all the code needed, but here is the complete code:
<?php
session_start();
include_once("../include/config.php");
if(isset($_POST["username"]) and isset($_POST["password"])) {
if($_POST["username"] == $adminusr && $_POST["password"] == $adminpass){
$_SESSION['admin_user'] = $adminusr;
$_SESSION['admin_password'] = $adminpass;
}
else {
echo "Wrong Username or Password";
}
}else if(isset($_GET['act']) && $_GET['act']=='out') {
unset($_SESSION['admin_user']);
unset($_SESSION['admin_password']);
session_destroy ();
}
if($_SESSION['admin_user'] == $adminusr && $_SESSION['admin_password'] == $adminpass){
$_SESSION['testdd'] = 'test';
header("location:index.php");
exit;
}
?>
Thank you once again 🙂
If you are using
$_POST['username']in a query the following code will keep you save from SQL-injection.Note that you need to use
mysql_real_escape_string()withmysql_queryand
mysqli_real_escape_string()withmysqli_query.Even better is to use PDO with php5, see: http://www.php.net/manual/en/book.pdo.php
Handling passwords in MySQL
Note that is strongly recommended not to store passwords in the clear in your database.
Always store a hash (preferably using SHA2) in your database and use a salt.
See: https://stackoverflow.com/search?q=hash+salt+mysql
For more info on this.