Prev
Next

PHP Login Page Example for Beginners

  • Good code 🙂

  • DampeS8N

    This code is trivially susceptible to SQL Injection attacks. Anyone using this code as it sits can be easily hacked, not just by human attackers, but by scripts crawling the internet looking for vulnerabilities exactly like this.

    $query = “select * from admin where userid = ‘$userid’ and user_password = ‘$user_password'”;

    Consider if I were to submit a $userid of “admin_user_name’ –” which would change the query into:

    select * from admin where userid = ‘admin_user_name’ –‘ and user_password = ‘anything’

    which would log me in as the admin, or any user I wish, without a password.

    Please stop spreading insecure code like this. Do some research and learn some basic security practices before you write about things you don’t yourself understand.

    I don’t mean to sound cruel or unforgiving, but this code is meant for beginners and will get beginners into a LOT of trouble. Feds knocking at their door because their server was used to attack the CIA kind of trouble. Bad trouble.

  • @DampeS8N i appreciate your core trace on this code,
    yes ofcourse it may affect on SQL Injection attacks, this i posted only for the PHP beginners.

    The solution for the SQL Injection attacks in this code just changing

    $user_password = $_POST[‘user_password’];
    $user_password = trim($user_password);

    into

    $userid = mysql_real_escape_string( $_POST[‘userid’] );
    $user_password = mysql_real_escape_string( $_POST[‘user_password’] );