-3

How to write a secure username & password verification in PHP ?

I use MD5 for password ($pass) and string for username ($name) and write this code in PHP for user account verification.

$post_vars = $_POST;
if (isset($post_vars['name']))
      {
        $name = $post_vars['name'];
        $pass = md5($post_vars['pass']);
        $dbConn = db_open();
        $sql = "select `password` from `user_table` where `user_name` = '$name' limit 1;";
        echo $sql;
        $sth = $dbConn->prepare($sql);
        $sth->execute();
        $row = $sth->fetch();
        if ($row !== false)
        {
          $verify = $row['password'];
          if ($pass == $verify)
          {
            $_SESSION['isLoggedIn'] = true;
            header('Location: ' . _DEBUG_URL_);
          }
          else $iframeURL = _LIB_URL_ . 'accessdenied.htm';
        }
        else echo 'No results found!';
    }

Is this query hackable by method of SQL Injection, and how it can be hacked ? I use PDO for MySQL. 

"select `password` from `user_table` where `user_name` = '$name' limit 1;"
Korr Iamnot
  • 309
  • 5
  • 15
  • Also use `password hashing` instead of `md5`. You are not using `prepare` in correct way too – Alive to die - Anant Apr 05 '17 at 06:46
  • As Alive to Die said, use password hashing! You can google "md5" crack and easily crack md5 hashes. – bedtime21 Apr 05 '17 at 06:47
  • I want to know that is my query is insecure or not and how ? – Korr Iamnot Apr 05 '17 at 06:49
  • the first base in security : don't trust a user, you must check and secure every inputs,in your example you have SQL Injection $name not secure – Mo Shal Apr 05 '17 at 06:49
  • @mohade please give me some example. – Korr Iamnot Apr 05 '17 at 06:50
  • Are there any test set for SQL Injection ? – Korr Iamnot Apr 05 '17 at 06:53
  • if you want to secure your inputs you have two ways :1) use mysqli_real_escape_string() for string and intval() for integer 2) prepare your sql , in your example you use prepare in wrong way . – Mo Shal Apr 05 '17 at 06:53
  • Check correct coding way of `PDO` or `mysqli` `prepared statement` here:-http://php.net/manual/en/mysqli.prepare.php and http://php.net/manual/en/pdo.prepare.php .if you use in correct way no need to do any extra effort. It will take care of all security measurements – Alive to die - Anant Apr 05 '17 at 06:57
  • @mohade `mysqli_real_escape_string()` will not going to secure anything.It used for different purpose. As well as `intval()` – Alive to die - Anant Apr 05 '17 at 06:59
  • @AlivetoDie if you have an integer value why to allow user to post anything in database , and yes prepare is the best way to prevent sql injection – Mo Shal Apr 05 '17 at 07:04
  • check this http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?noredirect=1&lq=1 its have every thing you need – Mo Shal Apr 05 '17 at 07:08
  • Use Salted Password Hashing, MD5 is easily crackable. Or Just use PDO with prepared statements that is a nice way to get secured by SQL injections. You can take a look here to get started with PDO https://www.cloudways.com/blog/introduction-php-data-objects/ – Saquib Lari Apr 05 '17 at 07:27

1 Answers1

-2

Mysql injection happens in the form fields, people just enter a query inside of your login form and they will just press login. You can use the PDO::prepare statement found here

I do also recommend making query's with sprintf() like this:

$sql = sprintf("select `password` from `user_table` where `user_name` = '%s' limit 1", $name);
KittyCat
  • 415
  • 4
  • 9
  • 26