Welcome Guest, Not a member yet? Register   Sign In
Login security

Well that looks like an incredibly long winded way of doing things for a start. But apart from that did you load the security library?

But either way - scrap that!

Starting from the beginning:

1. For your login form, use the form_validation library to validate the user's input but also to xss_clean the input at the same time. Add the xss_clean to the validation rules;

$this->form_validation->set_rules('username', 'Username', 'required|trim|min_length[6]|max_length[20]|xss_clean');

2. In your model, when you query the login - use query bindings. These have the advantage in that the values are escaped for you. So now you have run the xss_clean filter and escaped your values. I'm a relative newby too but I'm under the impression this is good enough and safe enough to follow these rules.

function check_login($username, $password) {
    $sha1_password = sha1($password);
    $query_str = "SELECT user_id, username, name, email, create_date, email_confirmed, user_banned
               FROM tbl_user
               WHERE username = ?
               AND password = ?
               AND delete_date is NULL";
    $query = $this->db->query($query_str, array($username, $sha1_password));
    return $query;        

I believe you don't really need to query bind the sha1_password because by performing sha1 on the user input you have also made it safe.

Messages In This Thread
Login security - by El Forum - 09-08-2009, 04:37 AM
Login security - by El Forum - 09-08-2009, 04:48 AM
Login security - by El Forum - 09-08-2009, 04:49 AM
Login security - by El Forum - 09-08-2009, 05:19 AM

Theme © iAndrew 2016 - Forum software by © MyBB