Do I need to sanitize my login value in PHP?


The following script is used in the login page:

<?php
// include config
require_once('includes/config.php');

// if already logged in, move to the home page
if ($user->is_logged_in()) {
    header('Location: index.php');
    exit; // stop the script after the redirect so the rest of the page is not processed
}

// process login form if submitted
if (isset($_POST['submit'])) {

    $username = filter_input(INPUT_POST, 'username');
    $password = filter_input(INPUT_POST, 'password');

    if ($user->login($username, $password)) {
        $_SESSION['username'] = $username;
        header('Location: memberpage.php');
        exit;
    } else {
        $error[] = 'Wrong username or password, or your account has not been activated.';
    }
} // end if submit

// define page title
$title = 'Login';

// include header template
require('layout/header.php');
?>

Do I need to sanitize these inputs, at least with mysql_real_escape_string, or can I use this code as it is?

user.php

<?php
include('password.php');

class User extends Password {

    private $_db;

    function __construct($db) {
        parent::__construct();
        $this->_db = $db;
    }

    // fetch the stored password hash for an active member
    private function get_user_hash($username) {
        try {
            $stmt = $this->_db->prepare('SELECT password FROM members WHERE username = :username AND active = "yes"');
            $stmt->execute(array('username' => $username));
            $row = $stmt->fetch();
            return $row['password'];
        } catch (PDOException $e) {
            echo '<p class="bg-danger">' . $e->getMessage() . '</p>';
        }
    }

    public function login($username, $password) {
        $hashed = $this->get_user_hash($username);
        if ($this->password_verify($password, $hashed) == 1) {
            $_SESSION['loggedin'] = true;
            return true;
        }
    }

    public function logout() {
        session_destroy();
    }

    public function is_logged_in() {
        if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
            return true;
        }
    }
}
?>

password_verify() code

// excerpt from password.php: the password_verify() method of the Password class
public function password_verify($password, $hash) {
    if (!function_exists('crypt')) {
        trigger_error("Crypt must be loaded for password_verify to function", E_USER_WARNING);
        return false;
    }
    $ret = crypt($password, $hash);
    if (!is_string($ret) || strlen($ret) != strlen($hash) || strlen($ret) <= 13) {
        return false;
    }

    // compare every byte so the comparison takes the same time regardless of where the strings differ
    $status = 0;
    for ($i = 0; $i < strlen($ret); $i++) {
        $status |= (ord($ret[$i]) ^ ord($hash[$i]));
    }

    return $status === 0;
}
} // end of the Password class

Since I am new to PHP, this confuses me. Can anyone help me?

Or does the User class protect the login?

Does this work?

I see:

if ($this->password_verify($password, $hashed) == 1) {

But there is no password_verify() method in the class. If you mean the password_verify() function, you should change it to:

if (password_verify($password, $hashed)) {

To answer your question: when using prepared statements you should not escape the data; you are safe from SQL injection. If it were needed (if you injected a value directly into a query somewhere, for example), you would need the PDO escaping function, not the mysql_* one. Using prepared statements consistently is the better solution, as you cannot forget it by accident.

The real problem I can see is that you echo out the caught exception message to the user. You should log it instead, and present the user with a non-technical error message.

And of course you should add error handling to the database calls: an empty result is not an error and does not lead to an exception, but it does lead to problems in your code, so you should check for that.
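The points raised in this answer (parameter binding instead of escaping, logging the exception rather than echoing it, handling an empty result, and using the built-in password_verify()), put together in one login path. This is an added example, not the question's or the answer's code; it assumes PHP 7.4 or later, a PDO connection in $db, the question's members table (username, password, active), and that the password column holds a hash produced by password_hash().

```php
<?php
// Added example (not the question's or answer's code): a hardened User::login()
// path built from the answer's recommendations. Assumes PHP 7.4+, a PDO
// connection $db, and the question's members table (username, password, active)
// where `password` holds a hash produced by password_hash().
class User
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Returns the stored hash, or null if no active member has that username.
    private function getUserHash(string $username): ?string
    {
        // The username is bound as a parameter, never interpolated into the SQL,
        // so no escaping (mysql_real_escape_string or PDO::quote) is needed.
        $stmt = $this->db->prepare(
            'SELECT password FROM members WHERE username = :username AND active = "yes"'
        );
        $stmt->execute(['username' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // An empty result does not throw; it has to be handled explicitly.
        return $row === false ? null : $row['password'];
    }

    // True only when the user exists, is active and the password matches.
    public function login(string $username, string $password): bool
    {
        try {
            $hash = $this->getUserHash($username);
        } catch (PDOException $e) {
            // Keep the technical detail in the server log, never in the response.
            error_log('login: database error: ' . $e->getMessage());
            return false;
        }
        if ($hash === null || !password_verify($password, $hash)) {
            return false;   // same outcome for unknown user and wrong password
        }
        session_regenerate_id(true);   // new session id once the user is authenticated
        $_SESSION['loggedin'] = true;
        $_SESSION['username'] = $username;
        return true;
    }
}
```

The login page from the question can keep showing its single generic "wrong username or password" message whenever login() returns false; the distinction between a database error, an unknown user and a wrong password stays in the server log.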

