Scribd
Upload
395 views6 pages

PHP Anti-SQL Injection Guide

This document provides instructions for setting up a PHP login form with anti-SQL injection protection. It includes creating a database table to store user credentials, scripts for the login form, validation of user input, session handling, and login timeout functionality to prevent unauthorized access. The purpose is to allow users to log in securely while preventing SQL injection attacks.

Uploaded by

Rezy Alt
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
395 views6 pages

PHP Anti-SQL Injection Guide

This document provides instructions for setting up a PHP login form with anti-SQL injection protection. It includes creating a database table to store user credentials, scripts for the login form, validation of user input, session handling, and login timeout functionality to prevent unauthorized access. The purpose is to allow users to log in securely while preventing SQL injection attacks.

Uploaded by

Rezy Alt
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd

HACK ME -- PHP Login Form with ANTI SQL INJECTION Script.

>> DATABASE: CREATE TABLE IF NOT EXISTS `users` ( `username` varchar(50) COLLATE latin1_general_ci NOT NULL, `password` varchar(50) COLLATE latin1_general_ci NOT NULL, `full_name` varchar(100) COLLATE latin1_general_ci NOT NULL, `email` varchar(100) COLLATE latin1_general_ci NOT NULL, `phone` varchar(20) COLLATE latin1_general_ci NOT NULL, `level` varchar(20) COLLATE latin1_general_ci NOT NULL DEFAULT 'user', `block` enum('Y','N') COLLATE latin1_general_ci NOT NULL DEFAULT 'N', `id_session` varchar(100) COLLATE latin1_general_ci NOT NULL, PRIMARY KEY (`username`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci; >> SCRIPT: 1. public_html/login_form.php <form name="login" action="config/login_check.php" method="post"> <table> <tr><td>Username</td><td> : <input type="text" name="username"></td></tr> <tr><td>Password</td><td> : <input type="password" name="password"></td></tr> <tr><td colspan="2"><input type="submit" value="Login"></td></tr> </table> </form>

2. public_html/config/login_check.php

<?php include "[Link]"; //connection file function anti_injection($data){ $filter = mysql_real_escape_string(stripslashes(strip_tags(htmlspecialchars($data,ENT_QUOTES)))); return $filter; } $username = anti_injection($_POST['username']); $pass = anti_injection(md5($_POST['password']));

//make sure the username and password are character or number. if (!ctype_alnum($username) OR !ctype_alnum($pass)){ echo "Bingo!! Now the login form is secure. No more SQL Injection."; } else{ $login=mysql_query("select * from users where username='$username' and password='$pass' and block='N'"); $found=mysql_num_rows($login); $r=mysql_fetch_array($login); //If found the username and password if ($found > 0){ session_start(); include "[Link]"; $_SESSION[username] $_SESSION[fullname] $_SESSION[passuser] = $r[username]; = $r[full_name]; = $r[password];

$_SESSION[leveluser] // session timeout $_SESSION[login] = 1; timer(); $old_sid = session_id(); session_regenerate_id(); $new_sid = session_id();

= $r[level];

mysql_query("update users set id_session='$new_sid' where username='$username'"); header('location:../clientarea/[Link]'); //page redirection, after success login } else{ echo "<center>LOGIN FAILED!!<br/> Wrong username or password.<br/> Or your account being blocked.<br/>"; echo "<a href=../[Link]><b>Please repeat again.</b></a></center>"; } } ?> 3. public_html/config/[Link] <?php session_start(); function timer(){ $time=10000; //set the timer $_SESSION[timeout]=time()+$time; } function login_check(){

$timeout=$_SESSION[timeout]; if(time()<$timeout){ timer(); return true; }else{ unset($_SESSION[timeout]); return false; } } ?>

4. public_html/config/[Link] <?php session_start(); session_destroy(); echo "<center>You have successfully exit the system.<b>[LOGOUT]</b></center>"; ?> 5. Add this script before "<html>" tag to the public_html/clientarea/[Link] (all pages) <?php session_start(); error_reporting(0); include "../config/[Link]"; if($_SESSION[login]==1){ if(!login_check()){ $_SESSION[login] = 0; }

} if($_SESSION[login]==0){ header('location:../config/[Link]'); } else{ if (empty($_SESSION['username']) AND empty($_SESSION['passuser']) AND $_SESSION['login']==0){ <center>To access this area, you have to login first!<br/>"; echo "<a href=../[Link]><b>LOGIN</b></a></center>"; } else{ ?> <html> 6. And add this closing script after "</html>" tag to the public_html/clientarea/[Link] (all pages) </html> <?php } } ?> <!--- FINISH --> If any mistakes, please remind me. ;-) I think need some explanatiion here. Mmm.. maybe next.. if I have a time, I will explain.. Just try it.. to test your "HACKING" skill, okay.. ;-p

Thanks.

You might also like