Reputation: 48
I am making a login, and will use this for registration, and am allowing symbols and special characters in emails and passwords. I know that this poses a serious threat for hackers with injections. My question is: How might I turn the inputs from fields (ex. 'email', 'password'), into strings and not allow the server to process them as code and commands.
I truly have very little clue as to where to start, but have tried mysqli_escape_string; but, as you most likely know, it is very thin and deprecated. I don't mind researching a little, I would just greatly appreciate a bit of information to get started!
Upvotes: 1
Views: 90
Reputation: 12328
If you really do have no idea where to start, that's not a bad thing! However, I recommend not trying to create your own login/registration system unless you do know what to do, especially if you care about security. This is an extremely easy thing to mess up, even for seasoned programmers. I will be the first to admit, I spent a lot of time rolling my own login/auth modules in PHP, and also spent a lot of time inheriting code where other people implemented their own method, most of the time improperly.
I recommend learning a web framework. My favorite web frameworks for PHP are Laravel and CodeIgniter, Laravel being my favorite. You'll find that you'll have a learning curve here as well, but you will find a lot more support for implementing user authentication correctly and securely. For example: http://laravel.com/docs/4.2/security
With a framework you also get lots of helper methods to make DB access fun, easy, and safe. Check out the examples here! You can always use raw SQL if you want, but for your day-to-day CRUD applications there is no need!
If you still absolutely insist on doing it yourself, though I will warn you against it one final time, I recommend using PDO or MySQLi prepared statements (I prefer PDO).
My guess is that the app isn't too far along since you're still considering how to build login/registration, so you're probably not "stuck" using raw php and doing it all yourself. :)
Upvotes: 2
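The prepared-statement approach the answer recommends, as an added PHP example that is not the answerer's code. It assumes a `users` table with `email` and `password_hash` columns; the DSN, credentials and the sample email/password are placeholders constructed for the example.

```php
<?php
// Added example: login/registration with PDO prepared statements.
// Assumed schema: users(email VARCHAR, password_hash VARCHAR).

function connect(): PDO {
    // Placeholder DSN and credentials (assumption, not from the thread).
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function register(PDO $pdo, string $email, string $password): void {
    // Store a hash, never the raw password; password_hash() salts it for you.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Values are bound as parameters, so the SQL text never contains user input.
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function login(PDO $pdo, string $email, string $password): bool {
    // Quotes, semicolons or comment markers inside $email are sent as data,
    // not as part of the query, because the statement is compiled first.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    if ($row === false) {
        return false; // unknown user
    }
    return password_verify($password, $row['password_hash']);
}

$pdo = connect();
register($pdo, "o'brien@example.com", 'p@ss;word--"');  // constructed sample input
var_dump(login($pdo, "o'brien@example.com", 'p@ss;word--"')); // bool(true)
var_dump(login($pdo, "o'brien@example.com", 'wrong'));        // bool(false)
```

The apostrophe in the sample email and the `;`, `--` and `"` in the password reach the database unchanged as bound values, which is why no escaping function is needed.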
Reputation: 4896
Upvotes: 1