
Uhh... well, I'm not really an expert in SQL injection prevention, so I had an idea of putting the admin accounts in a PHP file... for example:

<?php
// admin accounts kept in a PHP file instead of the database,
// keyed by a numeric account id
$_ADMIN[1244]["username"] = "root";
$_ADMIN[1244]["password"] = "345dfgAFKgfmsdfS";
?>

I think that doing this will prevent hacking of admin accounts... what do you think?

6 Contributors, 9 Replies, 10 Views, 6 Years Discussion Span, Last Post by diafol

Kind of... but a user can still enter your profile using SQL injections.

Perhaps, but that's just a fail-safe option...


You're not preventing the SQL injection. You're probably encrypting the data.

Like what I've said, it's just a fail-safe option where, if "ever" the security fails to protect it from SQL injections, this will make sure that an SQL injection cannot retrieve the admin accounts. Just saying...



Just a trick: add LIMIT 1 to your queries that retrieve one record. That will limit the extent of data retrieved in case of compromise to 1 row. That being said, your admin HAS to NOT be user 1.


As evstevemd said, use some trick like addslashes to escape the ' character:

// example
// when the user submits or clicks login
$uname = $_POST['username'];
$pwd = $_POST['password'];
// addslashes() backslash-escapes quotes in the submitted values before they
// are concatenated into the SQL string (legacy mysql_* extension)
$query = mysql_query("select * from profile where username='" . addslashes($uname) . "' and password='" . addslashes($pwd) . "'");

Or you can use $_SERVER, or visit this link for more info:
http://php.net/manual/en/features.http-auth.php



Don't use addslashes, it is not safe! The safer way, I suggest, is using prepared statements, available in PDO and mysqli. I recommend the latter (as does the PHP sec team).
see:
http://stackoverflow.com/questions/860954/examples-of-sql-injections-through-addslashes
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
http://cow.neondragon.net/index.php/1302-Addslashes-Allows-Sql-Injection-Attacks
http://hakipedia.com/index.php/SQL_Injection
http://www.php.net/manual/en/function.addslashes.php#98488
et al.


I'm confused as to what this admin stuff is. Is the username/pw for MySQL access or is it for access to your website (login)?

If for the latter, keep all your data in a DB - user rights levels can change. Keeping stuff in a file is a pain.

If the former - it forms part of the connection string for MySQL, it's valid to store this in a file (obviously), but these are usually stored above the document root, well out of range of a snooper. It should be in php format as opposed to plain text.

AND, you should use mysql_real_escape_string() to escape quotes in inputs. This won't render all data safe. For example, you could have numeric fields (force the type with intval etc., check the type with is_int, is_float etc.), so all data should be checked prior to use in an SQL statement.

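The following is an added example, not code posted by anyone in this thread. It puts the thread's advice together: evstevemd's prepared statements in mysqli, diafol's type check on numeric fields and DB credentials kept above the document root, and the LIMIT 1 trick, shown beside the addslashes() concatenation pattern posted above. It assumes a hypothetical MySQL table profile(id INT, username VARCHAR(64), password VARCHAR(255)) whose password column holds a password_hash() digest, a config file at the placeholder path /var/www/config/db.php that defines $db_host, $db_user, $db_pass and $db_name, and a mysqlnd-backed mysqli (the PHP default), which get_result() needs.

```php
<?php
// Added example for this thread (not code posted by any participant).
// Assumed: table profile(id INT, username VARCHAR(64), password VARCHAR(255))
// with password_hash() digests in `password`, and a config file kept OUTSIDE
// the document root (placeholder path /var/www/config/db.php) defining
// $db_host, $db_user, $db_pass, $db_name. Table, columns and path are placeholders.
declare(strict_types=1);

// The thread's pattern: concatenation guarded by addslashes(). This function
// only BUILDS the SQL text, so the effect of an injected value is visible
// without a database. addslashes() escapes quotes, but an unquoted numeric
// field such as id= gets no protection at all from it.
function legacyProfileSql(string $id): string
{
    return "select * from profile where id=" . addslashes($id) . " LIMIT 1";
}

// Recommended pattern: a mysqli prepared statement. The input never becomes
// part of the SQL text; it is bound as a typed parameter after a type check.
function profileById(mysqli $db, string $id): ?array
{
    // Force the type up front (diafol's point): anything that is not an integer is rejected.
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $intId = (int) $id;
    $stmt = $db->prepare('SELECT id, username FROM profile WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $intId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Login with a bound string parameter and a hash comparison instead of a
// plaintext password column; returns the user id on success, null otherwise.
function loginPrepared(mysqli $db, string $uname, string $pwd): ?int
{
    if ($uname === '' || strlen($uname) > 64) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, password FROM profile WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row && password_verify($pwd, $row['password'])) {
        return (int) $row['id'];
    }
    return null;
}

// Constructed sample input: what an attacker might send as ?id=
$payload = '1 OR 1=1';
echo legacyProfileSql($payload), PHP_EOL;
// The WHERE clause above now matches every row, and LIMIT 1 hands back the
// first one, which is why evstevemd says the admin must not be user 1.

require '/var/www/config/db.php';              // hypothetical path above the docroot
$db = new mysqli($db_host, $db_user, $db_pass, $db_name);
$db->set_charset('utf8mb4');                   // fix the connection charset explicitly
var_dump(profileById($db, $payload));          // fails the integer check, no query is run
$id = loginPrepared($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
echo $id === null ? 'login failed' : "logged in as user $id", PHP_EOL;
```

With the constructed payload, legacyProfileSql() yields `select * from profile where id=1 OR 1=1 LIMIT 1`, because addslashes() only touches quotes, backslashes and NUL bytes; the same payload never reaches the database through profileById(), and even a quoted string payload passed to loginPrepared() is bound as data rather than parsed as SQL. Setting the charset with set_charset() rather than a raw `SET NAMES` query is what keeps the escaping layer and the server's idea of the charset in agreement, which is the issue behind the addslashes bypass links posted above.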
