Welcome Guest, Not a member yet? Register   Sign In
Login security

I'm have a problem that probably is easy to fix for all of you... Please help me out, I'm not that good at this yet...

When a user log in I want to check that the username or password wasnt an sql-injection attempt or somethin like that. How do I do?

This is an example of my thoughts:

//Clean username
$post_username = $this->input->post('username');
$xss_username = $this->input->xss_clean($post_username);
$clean_username = $this->db->escape($xss_username);

//Clean password
$post_password = $this->input->post('password');
$xss_password = $this->input->xss_clean($post_password);
$clean_password = $this->db->escape($xss_password);
$hashed_password = dohash($clean_password);

//Check if match in database
$this->db->select('Username, Password');
$this->db->where('Username', $clean_username);
$this->db->where('Password', $hashed_password);
$query = $this->db->get('Users');

This doesnt work! Its the 'cleaning' parts that gives me troubles... What am I doing wrong?

Well that looks like an incredibly long winded way of doing things for a start. But apart from that did you load the security library?

But either way - scrap that!

Starting from the beginning:

1. For your login form, use the form_validation library to validate the user's input but also to xss_clean the input at the same time. Add the xss_clean to the validation rules;

$this->form_validation->set_rules('username', 'Username', 'required|trim|min_length[6]|max_length[20]|xss_clean');

2. In your model, when you query the login - use query bindings. These have the advantage in that the values are escaped for you. So now you have run the xss_clean filter and escaped your values. I'm a relative newby too but I'm under the impression this is good enough and safe enough to follow these rules.

function check_login($username, $password) {
    $sha1_password = sha1($password);
    $query_str = "SELECT user_id, username, name, email, create_date, email_confirmed, user_banned
               FROM tbl_user
               WHERE username = ?
               AND password = ?
               AND delete_date is NULL";
    $query = $this->db->query($query_str, array($username, $sha1_password));
    return $query;        

I believe you don't really need to query bind the sha1_password because by performing sha1 on the user input you have also made it safe.

You don't need to worry about escaping the data if you're using the active record
The problem is, escape returns the escaped and single quoted string, and then active record will quote it again (I'm guessing)

Thank you so much for the fast answers! I will try it as soon I can.

Hopefully one day will get to the level that I can start helping others, instead of just asking... Smile

Theme © iAndrew 2016 - Forum software by © MyBB