
So after 6 years learning to code PHP I finally finished writing my website (Not Online Yet), and I read a post about MYSQL_* functions being deprecated and having security problems, so I have decided to learn how to re-write it using the MYSQLi_* functions.

Although I have re-written the code using mysqli_ functions and it is working as it should (Login & Sessions), I am unsure if this is secure against those nasty SQL injection scripts. (I think binding the value of a $_POST into the prepared statement is enough to stop SQL injection?)

I would really appreciate any advice given...

Kind Regards.

include/mysqli_connection.php (Connection Script)

<?php

// Connection Details
$MySQLi_Server     = 'localhost';
$MySQLi_Username   = '#####';
$MySQLi_Password   = '#####';
$MySQLi_Database   = '#####';

// Connect To Server (this is the PDO driver, despite the MySQLi_ variable names)
// charset in the DSN keeps client and server encoding in step, and disabling
// emulated prepares means bound values are sent separately from the SQL text
// instead of being escaped into it by the client library.
$MySQLi_Connection = new PDO(
    "mysql:host=$MySQLi_Server;dbname=$MySQLi_Database;charset=utf8mb4",
    $MySQLi_Username,
    $MySQLi_Password,
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently returning false
        PDO::ATTR_EMULATE_PREPARES => false,
    )
);

// Tables
$MySQLi_Users_Table = 'users';

?>

include/global.php (Included On Every User Restricted Page)

<?php

// Session (Start)
session_start();

// Check (Logged In)
if(!isset($_SESSION['authenticated'])){ 

    // Session (Destroy)
    session_destroy();

    // Redirect (Failed)
    die(header('Location: ../login.php'));

}

// Session (Regenerate ID)
session_regenerate_id(TRUE);

// Include MySQLi Connection
include_once('mysqli_connection.php');

?>

login_process.php (Login Form Submits To This Script)

<?php

// Session (Start)
session_start();

// Session (Destroy)
session_destroy();

// Check Form Elements (Exists)
if((!isset($_POST['username'])) || !isset($_POST['password'])){

    die('Ooops, Please Enter Your Username & Password!');

}

// Form Elements (Variables)
$Username = trim($_POST['username']);
$Password = md5($_POST['password']);

// Include MySQLi Connection
include_once('include/mysqli_connection.php');

// Login (Query) - the values are bound, so they are never parsed as part of the SQL
$LoginUser = $MySQLi_Connection->prepare("SELECT * FROM $MySQLi_Users_Table WHERE username=:username AND password=:password");
$LoginUser->bindParam(':username', $Username);
$LoginUser->bindParam(':password', $Password);
$LoginUser->execute();
$LoginUserResult = $LoginUser->fetch(PDO::FETCH_NUM);

// fetch() returns false when no row matched
if($LoginUserResult === false){

    // Redirect (Failed)
    die(header('Location: index.php'));

} else {

    // Session (Start) - session_destroy() above ended the previous session, so a new one is started here
    session_start();

    // Session (Regenerate ID) - discard whatever ID the browser brought along, so an ID
    // planted before login (session fixation) is not carried into the logged-in session
    session_regenerate_id(TRUE);

    // Session (Data)
    $_SESSION['authenticated'] = 'Y';
    $_SESSION['username'] = $Username;

    // Redirect (Successful)
    die(header('Location: members_area/dashboard.php'));

}

?>

members_area/dashboard.php

<?php

// Include Global Settings
include('../include/global.php');

// Display Message (Logged In) - the username came from the login form, so escape it before it goes into HTML
echo 'Username : ('.htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8').')';

?>
  • Almost. The use of md5 isn't considered safe to use as a hashing function anymore. Use `password_hash()`. Other than that, you're good to go. – Funk Forty Niner Dec 06 '15 at 03:17
  • You have the answer to your question here [Are PDO prepared statements sufficient to prevent SQL injection?](http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection) – ManuRGDev Dec 06 '15 at 03:18
  • Another thing, you're using `session_start();` twice. You'll get a notice about the session already being started; that's if your system's set up to catch/display notices/warnings/errors. – Funk Forty Niner Dec 06 '15 at 03:19
  • @Fred-ii- Thank you soooo much for your advice, I will certainly be changing MD5 to password_hash(). Will check how to use that function in the morning. Oh yeah, I see what you're saying about the duplicate sessions (shall we say dumb moment lol).. I will be looking for somebody to help me integrate PayPal's Parallel Payments with a shopping cart, so if you think you're able to help please let me know and I will contact you for a price once I finish re-writing all of my website using mysqli_*. I can't thank you enough. Cheers. – Christopher Wilson Dec 06 '15 at 03:34
  • You're welcome Christopher, *cheers* and welcome back to *the coder's world* ;-) – Funk Forty Niner Dec 06 '15 at 03:36

1 Answer

Using MySQLi extension:

$db_user='user';
$db_pass='pass';
$db_server='localhost';
$db_database='database';

$mysqli = new mysqli($db_server, $db_user, $db_pass, $db_database);
if ($mysqli->connect_error){
  die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error);
}
$mysqli->set_charset('utf8mb4');

// Login (Query) - $MySQLi_Users_Table, $Username and $Password as set in the question's scripts
$stmt = $mysqli->prepare("SELECT count(*) FROM $MySQLi_Users_Table WHERE username=? AND password=?");
if ($stmt === false) {
  die('Prepare Error: ' . $mysqli->error);
}
$stmt->bind_param('ss', $Username, $Password); // mysqli uses bind_param / bind_result, not PDO's bindParam
$stmt->execute();
$stmt->bind_result($count);
$stmt->fetch();
$stmt->close();

if ($count > 0) {
  // user exists - can log him in
}
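The answer's `count(*) ... WHERE password=?` lookup only works while the stored value is a plain md5, which the comments on the question recommend moving away from. Once passwords are stored with password_hash(), every hash carries its own random salt, so the database cannot match the password in the WHERE clause; the row has to be fetched by username and the hash checked in PHP with password_verify(). The following is an added example, not code from the question or the answer, showing that login flow together with an in-place upgrade of legacy md5 rows on their first successful login. It runs against an in-memory SQLite database through PDO (assumed available) so it needs no MySQL server; the users table, its `password_hash` column name and the two sample accounts are constructed here.

```php
<?php
// Added example: login with password_verify(), plus transparent migration of
// rows that still hold an md5 from the old code. Assumes PDO with the sqlite driver.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, password_hash TEXT NOT NULL)');

// Registration: store a salted hash, never the password itself.
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the account up by username only, then verify the password in PHP.
// Returns the public part of the row on success, null on any failure.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown user: same result as a wrong password
    }

    $stored = $row['password_hash'];
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy row still holding an unsalted md5 from the old code: compare in
        // constant time, and replace it with a real hash once the user proves the password.
        if (!hash_equals($stored, md5($password))) {
            return null;
        }
        $needsRehash = true;
    } else {
        if (!password_verify($password, $stored)) {
            return null;
        }
        // Also re-hash when PASSWORD_DEFAULT's algorithm or cost has moved on since this hash was made.
        $needsRehash = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($needsRehash) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }

    return ['id' => $row['id'], 'username' => $row['username']];
}

// Helper for the demonstration only: read back what is stored for an account.
function storedHash(PDO $db, string $username): string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (string) $stmt->fetchColumn();
}

registerUser($db, 'alice', 'correct horse');
// bob is a pre-migration account whose row still holds md5('battery staple').
$db->exec("INSERT INTO users (username, password_hash) VALUES ('bob', '" . md5('battery staple') . "')");

var_dump(authenticate($db, 'alice', 'wrong') === null);                 // bool(true)
var_dump(authenticate($db, "alice' -- ", 'correct horse') === null);    // bool(true): bound, not injected
var_dump(authenticate($db, 'alice', 'correct horse')['username']);      // string(5) "alice"

var_dump(strlen(storedHash($db, 'bob')));                               // int(32): still md5
var_dump(authenticate($db, 'bob', 'wrong') === null);                   // bool(true)
var_dump(authenticate($db, 'bob', 'battery staple')['username']);       // string(3) "bob"
var_dump(password_get_info(storedHash($db, 'bob'))['algo'] !== null);   // bool(true): upgraded on first login
```

In login_process.php the success branch would call `authenticate()` in place of the md5 query, then run `session_regenerate_id(true)` before writing `$_SESSION['authenticated']`, so a session ID set before login is not carried over.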