Is this piece of code safe - PHP && MySQL

Question

Is this piece of code safe - PHP && MySQL

<?php
class test_class {

        public function __construct() { 

        }
        public function doLogin($username,$password) {

            include("connection.php");

            $query = "SELECT *
                      FROM users
                      WHERE username = '".mysql_escape_string($username)."'
                      AND password = '".mysql_escape_string($password)."'";
            $result = mysql_fetch_array(mysql_query($query));
            if(!$result) {

            return 'no';
            }
            else 
                {
            return 'yes';
                }
            }


}
?>

The above code works, but is a little concerned about how secure it is or not.

Note. I am not using the POST method, so I have to accept it as arguments in a function and I cannot use.

if (isset($_POST['username']) && isset($_POST['password']))
        {
        $username= $_POST['username'];
        $password= $_POST['password'];

0

phpunit

Kevin May 27 '09 at 10:37

a source to share

6 answers

The query itself appears to be safe, but if you were using a DB interface that supports parameter binding, such as PDO or Zend_Db, you wouldn't have to parse every SQL statement so nervously.

Also, the mysql- * functions are pretty outdated; you should look at mysqli- * functions instead.

As a stylistic side of the note, there is no point in an empty constructor and I suggest returning boolean true or false values rather than string values.

Finally, as mentioned elsewhere, storing passwords in cleartext is a bad idea.

+4

Parsingphase May 27 '09 at 10:49

a source to share

uhh .... do you keep a secret password? This is definitely not safe. The password should be hashed and salted using something like sha256. Keeping unencrypted passwords is never a good idea.

+2

Jonathan Fingland May 27 '09 at 10:47

a source to share

No. You don't have to store a raw password in your database. Store hashed (preferably with salt). Plus, prepared statements are a better choice than escaping. See PHP PDO documentation . As an added benefit (beyond security), they can be more efficient.

+1

Matthew flaschen May 27 '09 at 10:46

a source to share

The code itself looks ok, but the main problem I see is that you are passing passwords in plain text.

Is the client-to-server connection secure (eg using SSL) Is the connection between the server and the server secure?

If anyone can sit on the wire and monitor traffic anyway, then you have a security issue.

If it were me, I would definitely have an SSL connection between the client and the server.

I would make sure you store the password hash in the database.

And I would change the code to something like

//Pseduo Code
SELECT * FROM Table where UserName = $username
Get Row Back
if(MD5Hash($password) == DataRow[Password])
   //Valid

+1

Eoin campbell May 27 '09 at 10:50

a source to share

I think everything is fine, however if I am concerned about security I would store the "username" password in a variable and compare it outside the query.

-3

Skuta May 27 '09 at 10:39

a source to share

Oli · Accepted Answer · 2009-05-27T10:49:07+0000

The code may be safe, but the implementation is small. You should never store the authentication password in clear text. You have to salt and hash it.

I could spend an hour explaining why, but you'd better just read this .

Is this piece of code safe - PHP && MySQL

More articles: