ScotlandPHP 2019


Please answer this simple SPAM challenge: five minus four?
(Example: nine)

The Note You're Voting On

14 years ago
on the php+mysql auth code by tigran at freenet dot am

There are some security weaknesses.


are both insecure, they could leave this code open to SQL injection, you should always remove invalid characters in both, or at least encode them.

Actually storing passwords as MD5 hashes leaves you less work to secure.

Second security risks
The same mysql user has rights to both update and select, and possibly even insert and on your auth database no less.
Again the SQL inject attack may occur with this., and the end user could then change the users username, password, or anything else in relation to this.

Third items is more of a performance issue,
Do you really need to update the database, as updates are slower then selects, and if you do them every time they access the page, you are costing some speed penalty. 

One option, if you want to use sql (I think mysql has it) is memory only databases, and create a table within memory, the stores a unique session identifier for each user, that is logged in, or alternatively if it's a single front end system, you could use db files.

<< Back to user notes page

To Top