Tuesday, 7 July 2015

How to prevent SQL injection and make a secure login page in PHP

Secure Login Page in PHP
Quite a few people have written tutorials on making a PHP login page secure, but most of those examples were still vulnerable to MySQL injection. In this post I am going to show a login system that is simple to code and resistant to SQL injection.

The protection comes from prepared statements: the SQL text is sent to the database separately from the user-supplied values, so a value can never change the structure of the query. Both mysqli and PDO support prepared statements in PHP. We are going to use PDO (PHP Data Objects) in this example.

We need to create the following pages for this exercise:

1. login.php
2. home.php
3. logout.php

Before creating these pages, let us create our table in the database.


   
Create Table: users

CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) NOT NULL,
  `password` char(64) NOT NULL,   -- hex-encoded SHA-256 is always 64 characters
  `psalt` varchar(64) NOT NULL,   -- random per-user salt
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)  -- one row per e-mail, so the login lookup returns at most one user
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

Explanation of Code
  1. Column username stores the user's e-mail address, which is used as the username. The UNIQUE KEY guarantees there is only one row per address.
  2. Column password stores a SHA-256 hash of the password mixed with two salts (the per-user salt below and a site-wide salt in login.php). SHA-256 is a hash, not encryption: the password cannot be recovered from the stored value, but SHA-256 is fast, so an attacker who steals the table can still guess weak passwords quickly. PHP's password_hash() and password_verify() (bcrypt) are the better choice for new code; the scheme here is kept because it is what the rest of the post verifies.
  3. Column psalt holds a random per-user salt that is mixed into the hash, so two users with the same password get different hashes and precomputed hash tables are useless against the stored values.
 
Let's add a new user to the users table. For the login code below to accept this row, the value in password must be hash('sha256', $password . $site_salt . $psalt), computed with the same site-wide salt that login.php uses.

INSERT INTO `users` (`id`, `username`, `password`, `psalt`)
VALUES (
  NULL,
  'officialrahultyagi@gmail.com',
  'c0f2297721adf93370d55c3d26c9298d35bdba75d0366b0d9ff0622072856a5d',
  'r*$0%/?s87*8}r/j%o2'
);
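The post shows the stored hash but not how it was produced. The following command-line script is an added example (not code from the original post): it generates a random per-user salt, computes the hash with exactly the formula login.php verifies, and inserts the row through a PDO prepared statement. The database name and credentials are placeholders, the file name add_user.php is assumed, and random_bytes() requires PHP 7 or later.

```php
<?php
// add_user.php - added example, not part of the original post.
// Usage: php add_user.php <email> <password>
// Creates a user row the way login.php expects it: a random per-user salt and
// hash('sha256', $password . $site_salt . $psalt).

$site_salt = "rahulblogsalt"; // must be identical to $site_salt in login.php

function make_salt() {
    // 16 random bytes from the CSPRNG, hex-encoded: 32 printable characters (PHP 7+)
    return bin2hex(random_bytes(16));
}

function hash_password($password, $site_salt, $psalt) {
    // Same formula that login.php recomputes when checking a login
    return hash('sha256', $password . $site_salt . $psalt);
}

function add_user(PDO $dbh, $email, $password, $site_salt) {
    $psalt = make_salt();
    $hash  = hash_password($password, $site_salt, $psalt);
    // Prepared statement: e-mail, hash and salt are bound values, never part of the SQL text
    $stmt = $dbh->prepare("INSERT INTO users (username, password, psalt) VALUES (?, ?, ?)");
    $stmt->execute(array($email, $hash, $psalt));
    return $dbh->lastInsertId();
}

if ($argc !== 3) {
    fwrite(STDERR, "usage: php add_user.php <email> <password>\n");
    exit(1);
}

// Placeholder connection settings; change them for your database
$dbh = new PDO('mysql:dbname=db;host=127.0.0.1;charset=utf8mb4', 'username', 'password',
               array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

try {
    $id = add_user($dbh, $argv[1], $argv[2], $site_salt);
    echo "created user id " . $id . "\n";
} catch (PDOException $e) {
    // SQLSTATE 23000 = integrity constraint violation, raised if username has a UNIQUE key
    // and the address is already registered
    if ($e->getCode() == 23000) {
        fwrite(STDERR, "that e-mail address is already registered\n");
        exit(1);
    }
    throw $e;
}
```

If you are starting a new project rather than following this post, password_hash() and password_verify() replace make_salt() and hash_password() entirely: they generate the salt, use bcrypt, and store everything in one string.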


login.php

<form method="POST" action="login.php" style="border:1px solid black;display:table;margin:0px auto;padding-left:10px;padding-bottom:5px;">
 <table width="300" cellpadding="4" cellspacing="1">
  <tr><td colspan="3"><strong>User Login</strong></td></tr>
  <tr><td width="78">E-Mail</td><td width="6">:</td><td width="294"><input size="25" name="mail" type="text"></td></tr>
  <tr><td>Password</td><td>:</td><td><input name="pass" size="25" type="password"></td></tr>
  <tr><td></td><td></td><td><input type="submit" name="Submit" value="Login"></td></tr>
 </table>
 Secure Login by <a target="_blank" href='http://officialrahultyagi.blogspot.in'>Rahul Tyagi</a>
</form> 

Output: the form renders as a bordered "User Login" box with E-Mail and Password fields, a Login button and the "Secure Login by Rahul Tyagi" credit line.

Now let us add the PHP code that checks whether the username and password are correct. This block must go at the very top of login.php, before the <form> and any other HTML: header("Location: ...") only works if nothing has been sent to the browser yet (unless output buffering happens to be enabled), so placing it after the form would break both redirects.




Validation

<?php
session_start();
/* Already logged in? Go straight to home.php. exit stops the rest of the page from being sent after the redirect. */
if (!empty($_SESSION['user'])) {
    header("Location: home.php");
    exit;
}
/* Change the DB name, username and password with respect to your database.
   ERRMODE_EXCEPTION makes a failed query throw instead of silently returning false. */
$dbh = new PDO('mysql:dbname=db;host=127.0.0.1;charset=utf8mb4', 'username', 'password',
               array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$site_salt = "rahulblogsalt"; /* Common (site-wide) salt used for storing passwords */

$email    = isset($_POST['mail']) ? $_POST['mail'] : '';
$password = isset($_POST['pass']) ? $_POST['pass'] : '';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && $email !== '' && $password !== '') {
    /* Prepared statement: $email is bound as a value and can never alter the query text */
    $sql = $dbh->prepare("SELECT id, password, psalt FROM users WHERE username = ? LIMIT 1");
    $sql->execute(array($email));
    $r = $sql->fetch(PDO::FETCH_ASSOC);

    $ok = false;
    if ($r !== false) {
        /* Recompute the salted hash and compare in constant time (hash_equals, PHP 5.6+) */
        $salted_hash = hash('sha256', $password . $site_salt . $r['psalt']);
        $ok = hash_equals($r['password'], $salted_hash);
    }

    if ($ok) {
        session_regenerate_id(true); /* fresh session ID on login, so a pre-set ID cannot be reused (session fixation) */
        $_SESSION['user'] = $r['id'];
        header("Location: home.php");
        exit;
    } else {
        /* Same message whether the e-mail or the password was wrong */
        echo "<h2>Please Check Your Username/Password.</h2>";
    }
}
?>
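To see what the prepared statement above is actually buying you, here is an added example (not code from the original post) that writes the same user lookup both the unsafe way and the PDO way, adds a check that mirrors the hash comparison in the validation code, and runs two classic payloads against each. It uses an in-memory SQLite table with the post's columns so it runs offline; the victim account, the attacker's password and salt, and the payload strings are constructed for the demo. It requires the pdo_sqlite extension and PHP 5.6 or later for hash_equals().

```php
<?php
// Added example, not part of the original post.
$site_salt = "rahulblogsalt";   // same site-wide salt as login.php

$db = new PDO('sqlite::memory:', null, null,
              array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, psalt TEXT)");

// Constructed victim account: e-mail, password and salt are made up for this demo
$psalt = 'r*$0%/?s87*8}r/j%o2';
$db->prepare("INSERT INTO users (id, username, password, psalt) VALUES (1, ?, ?, ?)")
   ->execute(array('victim@example.com', hash('sha256', 'correct horse' . $site_salt . $psalt), $psalt));

// UNSAFE: the e-mail is glued into the SQL text, so a quote inside it becomes SQL
function lookup_unsafe(PDO $db, $email) {
    $q = "SELECT id, username, password, psalt FROM users WHERE username='" . $email . "'";
    return $db->query($q)->fetch(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed; the e-mail travels to the database as a bound value
function lookup_prepared(PDO $db, $email) {
    $stmt = $db->prepare("SELECT id, username, password, psalt FROM users WHERE username=?");
    $stmt->execute(array($email));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// The same decision login.php makes, parameterised on which lookup is used.
// Returns the matched user id on success, false otherwise.
function attempt_login(PDO $db, $lookup, $email, $password, $site_salt) {
    $r = $lookup($db, $email);
    if ($r === false) {
        return false;
    }
    $h = hash('sha256', $password . $site_salt . $r['psalt']);
    return hash_equals($r['password'], $h) ? $r['id'] : false;
}

// Attack 1: tautology. The quote closes the string literal and OR '1'='1 makes the
// WHERE clause true for every row, so the attacker needs to know no e-mail at all.
$tautology = "' OR '1'='1";
$row = lookup_unsafe($db, $tautology);
echo "unsafe   : " . ($row ? "matched " . $row['username'] : "no row") . "\n";
$row = lookup_prepared($db, $tautology);
echo "prepared : " . ($row ? "matched " . $row['username'] : "no row") . "\n";

// Attack 2: UNION injection of a row the attacker controls. They pick a password and
// a salt and supply the matching hash; if $site_salt is known to them (it sits in the
// PHP source), the unsafe lookup accepts their password for the injected id 999.
$atk_salt = 'x';
$atk_hash = hash('sha256', 'letmein' . $site_salt . $atk_salt);
$union    = "' UNION SELECT 999, 'attacker', '" . $atk_hash . "', '" . $atk_salt . "' -- ";
echo "unsafe   : " . var_export(attempt_login($db, 'lookup_unsafe',   $union, 'letmein', $site_salt), true) . "\n";
echo "prepared : " . var_export(attempt_login($db, 'lookup_prepared', $union, 'letmein', $site_salt), true) . "\n";
```

The unsafe lookup hands back the victim's row for the tautology and logs the attacker in through the UNION payload; the prepared lookup returns no row in both cases, because the database searches for a user whose name is literally the payload string. Note that the site-wide salt only slows the second attack down for an attacker who has not seen the source; it is not a substitute for the prepared statement.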

home.php

<?php
session_start();
/* Not logged in? Back to the login page. This runs before any HTML is output so the redirect header can still be sent. */
if (empty($_SESSION['user'])) {
    header("Location: login.php");
    exit;
}
/* Same DB settings as login.php; never put real root credentials in page source */
$dbh = new PDO('mysql:dbname=db;host=127.0.0.1;charset=utf8mb4', 'username', 'password',
               array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$sql = $dbh->prepare("SELECT username FROM users WHERE id = ?");
$sql->execute(array($_SESSION['user']));
$r = $sql->fetch(PDO::FETCH_ASSOC);
?>
<html><head></head>
<body>
<?php if ($r !== false) { ?>
  <!-- htmlspecialchars stops a username containing HTML from being rendered as markup (XSS) -->
  <center><h2>Hello, <?php echo htmlspecialchars($r['username'], ENT_QUOTES, 'UTF-8'); ?></h2></center>
<?php } ?>
</body>
</html>


logout.php

<?php
session_start();
$_SESSION = array();                                 /* clear all session data */
setcookie(session_name(), '', time() - 3600, '/');   /* expire the session cookie in the browser too */
session_destroy();                                   /* delete the session on the server */
header("Location: login.php");
exit;
?>




1 comment:

Aniket Singh said...

thanks https://www.twekr.com
