How to create secure login system that cover SQL Injection , XSS , Session Hijacking and other Attacks in PHP PDO

Question

i want to create a login system in PHP PDO that covers sql injection , xss , session hijacking and other attacks .

So, create it. What is stopping you? – Funk Forty Niner Dec 24 '15 at 16:33 — Funk Forty Niner, Dec 24 '15 at 16:33

score 1 · Answer 1 · edited May 23 '17 at 10:27

For Sql Injection you should use PDO prepared statement. There is lots of example available on net
For XSS attack you should store all data with htmlenities or htmlspecialchars with form htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
Prevent session Hijacking you have to manage below changes.
1. Use https
2. Regenerate sessionid after login regenerate_session_id()
3. store session_id in cookie not with url string
4. set the cookie with the HttpOnly and Secure attributes to forbid access via JavaScript setcookie( 'UserName', 'Bob', 0, '/forums', 'www.example.com', isset($_SERVER["HTTPS"]), true);

you can find more information with below link.

score 0 · Answer 2 · answered Dec 24 '15 at 12:16

Well, this one makes that, except it uses mysqli driver. But don't worry , it uses prepared statements, so you are secured against SQL injection, and other related attacks. It is not 100% secure, but it is solid way to create login system. I've used it before. You can edit on your own way.

http://www.pc-hope.com/php-mysql-secure-login-system/

How to create secure login system that cover SQL Injection , XSS , Session Hijacking and other Attacks in PHP PDO

2 Answers2