
Apparently the classic SQL injection (' or '1'='1' -- ') does not work on this login, but is it safe enough, and what do you suggest if it's not?

index.php:

<?php

include_once 'includes/connection.php';

if (isset($_POST['login'])) {
    $username = $_POST['usernameInput'];
    // The password is stored and compared as an unsalted MD5 hex digest.
    $password = md5($_POST['passwordInput']);

    // Both values are bound as parameters, so they are never spliced into the SQL text.
    $query = $pdo->prepare("SELECT * FROM users WHERE u_n = ? AND u_p = ?");
    $query->bindValue(1, $username);
    $query->bindValue(2, $password);
    $query->execute();
    $rows = $query->rowCount();

    if ($rows == 1) {
        echo "welcome back";
    } else {
        echo "incorrect username or password";
    }
}

?>

<html>
<center>
    Login :
    <form action="index.php" method="post">
        <input type="text" name="usernameInput" placeholder="Username" autocomplete="off" />
        <input type="password" name="passwordInput" placeholder="Password" autocomplete="off" />
        <input type="submit" name="login" value="Login" />
    </form>
</center>
</html>

connection.php:

<?php
try {
    // Connects as the MySQL root account; the DSN sets no charset and leaves
    // PDO's MySQL default of emulated prepared statements in place.
    $pdo = new PDO('mysql:host=localhost;dbname=justLove', 'root', 'root');
} catch (PDOException $e) {
    exit('cannot connect to database.');
}
?>

Waiting for your answer :)

CodeLover
    Your PDO connection uses a root account. That is not a good practice for security. You should make a MySQL user with only the specific permissions needed for your application. – Jeremy Harris Apr 09 '13 at 19:26
  • Don't hash your password with MD5. Use Bcrypt or PBKDF2, as they make brute-force attacks impractical. – Blender Apr 09 '13 at 19:26
  • Don't use a root account for database access. Disable emulated prepared statements. Set the encoding of the database connection. Don't use md5 to hash passwords. – PeeHaa Apr 09 '13 at 19:27
    [Prevent SQL Injection](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php). [Hash passwords](https://github.com/ircmaxell/password_compat) – PeeHaa Apr 09 '13 at 19:28
  • You are binding parameters, and your SQL statement is not built with variables, so you are good as far as SQL injection. – Andy Lester Apr 09 '13 at 21:51

0 Answers
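Pulling the comments together, here is a hardened version of the same login. It is an added example written for this page, not the asker's code and not code from anyone in the thread. It applies the four points raised above: a least-privilege MySQL account instead of root, the connection charset set in the DSN, emulated prepared statements switched off so bound values reach the server as parameters rather than being escaped client-side, and bcrypt via password_hash()/password_verify() (native from PHP 5.5; the linked password_compat library provides the same functions on 5.3.7+) in place of MD5. Because a bcrypt hash is salted, the password can no longer be compared inside the WHERE clause: the row is fetched by username and the hash is checked in PHP. The 'loginapp' account, the DB_USER/DB_PASS environment variables, the id column, and the GRANT statement in the header comment are assumptions; the u_p column must be wide enough for a 60-character bcrypt string (VARCHAR(255) is the usual choice).

```php
<?php
// Added example (not the original post's code): hardened login using PDO.
// Assumptions not present in the original post:
//   - table users(id INT PRIMARY KEY, u_n VARCHAR(64) UNIQUE, u_p VARCHAR(255))
//   - a MySQL account with only the rights this script needs, e.g.
//       CREATE USER 'loginapp'@'localhost' IDENTIFIED BY '<strong password>';
//       GRANT SELECT, INSERT ON justLove.users TO 'loginapp'@'localhost';
//   - credentials supplied through the DB_USER / DB_PASS environment variables
declare(strict_types=1);

function connect(): PDO
{
    // Charset in the DSN so client and server agree on the encoding; with
    // emulated prepares off the driver never has to escape values itself.
    $dsn = 'mysql:host=localhost;dbname=justLove;charset=utf8mb4';
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $user = getenv('DB_USER') ?: 'loginapp';   // assumed account name
    $pass = getenv('DB_PASS') ?: '';
    return new PDO($dsn, $user, $pass, $options);
}

// Registration: store a salted bcrypt hash, never the password or an MD5 of it.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (u_n, u_p) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: look the user up by name only, then verify the hash in PHP.
// A salted hash cannot be matched with "WHERE u_p = ?", and rowCount() on a
// SELECT is not guaranteed by every PDO driver, so fetch the row instead.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // Hash generated once per process so an unknown username costs about the
    // same time as a wrong password, instead of returning immediately.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT id, u_p FROM users WHERE u_n = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch();

    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['u_p']);
}

// Request handling, same form field names as the original index.php.
if (isset($_POST['login'])) {
    $username = (string) ($_POST['usernameInput'] ?? '');
    $password = (string) ($_POST['passwordInput'] ?? '');
    try {
        $ok = checkLogin(connect(), $username, $password);
    } catch (PDOException $e) {
        // Keep driver details out of the response; log them server-side.
        error_log($e->getMessage());
        exit('cannot connect to database.');
    }
    echo $ok ? 'welcome back' : 'incorrect username or password';
}
?>
```

The original query was already safe against injection because both values were bound; what changes here is everything around it. The injection payload from the question now lands in the bound username parameter exactly as before, but a database compromise through any other path no longer yields root on the MySQL server or a table of MD5 digests that can be cracked offline in minutes.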