I have just started PHP and mySQL and need to know if this is "safe". The login information is passed into the following PHP file through AJAX (jQuery).
jQuery AJAX

```javascript
$("#login_form").submit(function(){
    $.post("login.php", {user: $('#username').val(), pass: $('#password').val()}, function(data){
        // handle the server's reply ("userVALID", "passVALID", ...) here
    });
    return false; // stay on the page; the AJAX call does the login
});
```
PHP

```php
<?php
ob_start();
session_start();
mysql_connect("-", "-", "-") or die("ERROR. Could not connect to Database.");
mysql_select_db("-") or die("ERROR. Could not select Database.");
// Read the fields posted by the jQuery call.
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
$pass_length = strlen($pass); // an empty password means "only check the username"
// Get Username and Password, md5 the password then protect from injection.
$pass = md5($pass);
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
// See if the Username exists.
$user_result = mysql_query("SELECT * FROM users WHERE username='$user'");
$user_count = mysql_num_rows($user_result);
if ($user_count == 1) {
    if ($pass_length == 0) {
        echo "userVALID";
    } else {
        $pass_result = mysql_query("SELECT * FROM users WHERE username='$user' and password='$pass'");
        $pass_count = mysql_num_rows($pass_result);
        if ($pass_count == 1) {
            // Remember the login in the session. session_register() only works with
            // register_globals on (off by default), so write to $_SESSION directly.
            $_SESSION['user'] = $user;
            $_SESSION['pass'] = $pass;
            echo "passVALID";
        } else {
            echo "passERROR";
        }
    }
} else {
    echo "userERROR";
}
ob_end_flush();
```
I know this may not be the best way to do things, but it is the way I know! I just want to know if it has any major security flaws. It is more of a concept for me and therefore I am not incorporating SSL.
Ajax is not inherently secure or insecure. It does however open up 'opportunities' for insecure code. A mistake I commonly see is as follows: The user is authenticated in code-behind when the page is loaded.
In this case, you can use AJAX to create a user-friendly login page. With AJAX you can directly check whether the entered username and password are correct in the MySQL database without reloading the whole page. If the user is registered, redirect the user to a home page; otherwise display an error.
AJAX allows web pages to be updated asynchronously by exchanging small amounts of data with the server behind the scenes. This means that it is possible to update parts of a web page without reloading the whole page. Classic web pages (which do not use AJAX) must reload the entire page if the content should change.
It is a little misleading to say AJAX in PHP since the two are not necessarily interdependent. However, AJAX and PHP are commonly used to complement one another in web development.
You should make this change just in case people have a backslash in their password:

```php
if (get_magic_quotes_gpc()) {
    $user = stripslashes($user);
    $pass = stripslashes($pass);
}
$user = mysql_real_escape_string($user);
// PHP has no sha256() function; hash() gives the salted SHA-256 digest as hex.
$pass = hash('sha256', $salt . $pass);
```
First and foremost, md5 is very bad. Also, applying md5() and then mysql_real_escape_string() is redundant. Collisions have been generated in the wild. sha1(), although weakened, is still much more secure and no collisions have been generated (yet). The best choice would be sha256 in PHP, or using the mhash library.

```php
$pass = md5($pass);
```
You also need to salt the password.
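The salted SHA-256 scheme that the two answers above describe, as an added example that is not code from the question or from any answer; it uses hash() because PHP has no sha256() function, and the function names and the "salt:hash" storage layout are my assumptions.

```php
<?php
// Added example: per-user salted SHA-256 as recommended above. Function names
// and the "salt:hash" record format are assumptions for illustration.

// Build the value to store in the users table for a new or changed password.
function make_password_record(string $pass): string {
    $salt = bin2hex(random_bytes(16));      // 32 hex chars, fresh for every user
    $hash = hash('sha256', $salt . $pass);  // hex digest: no backslashes or quotes,
    return $salt . ':' . $hash;             // so escaping it for SQL is redundant
}

// Recompute the digest with the stored salt and compare in constant time.
function verify_password(string $pass, string $record): bool {
    $parts = explode(':', $record, 2);
    if (count($parts) !== 2) {
        return false;                       // malformed record: fail closed
    }
    [$salt, $stored] = $parts;
    return hash_equals($stored, hash('sha256', $salt . $pass));
}

// Undo magic_quotes only when it is really on (PHP < 5.4), so a backslash
// typed into the password survives intact; newer PHP has no such function.
function unquote_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Demo with constructed values, including a backslash in the password.
$record = make_password_record(unquote_input('p\\ssw0rd'));
var_dump(verify_password('p\\ssw0rd', $record)); // bool(true)
var_dump(verify_password('wrong', $record));     // bool(false)
```

On current PHP, password_hash() and password_verify() do the salting for you and use a deliberately slow hash, which is the preferable choice when you are not tied to a fixed storage format.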
It suffers from