"Om Swastiastu"
How to prevent SQL Injection:
Here are some tips to prevent a site from being compromised through SQL injection:
- Limit the maximum character length of every text input.
- Filter the input entered by the user, especially single quote marks and HTML or JavaScript tags.
- Hide the error messages that MySQL or PHP would otherwise print, by adding a PHP statement at the beginning of each file; a detailed error message tells an attacker what the query looks like.
- Avoid the $_REQUEST[] and $_GET[] arrays for form data. Note that this only makes tampering less convenient: values sent with POST are just as much under the attacker's control and need the same filtering.
- Use a timeout on the session or cookie.
<?php
// escape single quotes and other special characters before the value enters a query
// (mysql_escape_string() is deprecated; mysql_real_escape_string() uses the open connection's charset)
$data = mysql_real_escape_string($data);
// add a backslash before quotes, backslashes and NUL bytes (a connection-unaware alternative;
// do not apply it on top of mysql_real_escape_string(), each adds its own backslashes)
$data = addslashes($data);
// remove HTML tags
$data = strip_tags($data);
// hide PHP and MySQL error messages from visitors
error_reporting(0);
?>
The functions above are separate building blocks; each of them returns the filtered value, so the result has to be assigned back, as shown. Escaping is also the most fragile of these measures: it must be applied to every value, in the right context, every time, and the mysql_* extension has been removed since PHP 7. Prepared statements (mysqli or PDO) keep user input out of the SQL text altogether and are what newer code should use. Okay, before we move on to writing the anti-SQL-injection code in PHP, we need to create the database table. This is the SQL statement to create it; you can modify it for your own needs.
CREATE TABLE IF NOT EXISTS `userlogin` (
  `username` varchar(50) COLLATE latin1_general_ci NOT NULL,
  `password` varchar(50) COLLATE latin1_general_ci NOT NULL,
  PRIMARY KEY (`username`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;
Copy the SQL statement above and import it into your database. As written, the password column holds the password in clear text; if you store a hash from password_hash() instead (which you should), the column needs at least varchar(60), and varchar(255) is the usual choice. Now I'm going to create the login form using HTML.
<form name="login" action="process/login.php" method="post">
  <table>
    <tr><td>Username</td><td> : <input type="text" name="username"></td></tr>
    <tr><td>Password</td><td> : <input type="password" name="password"></td></tr>
    <tr><td> </td><td><input type="submit" value="Login"></td></tr>
  </table>
</form>
When the submit button is clicked, the browser sends the form to login.php in a folder called "process". I use the POST method to send the parameters. Now we move to the PHP code, which I will divide into four parts. First we need connect.php, which connects the scripts to the MySQL database.
<?php
// connect.php: open the MySQL connection used by the other scripts.
// The empty string is the password of dbuser; a real deployment needs a password here.
mysql_connect("localhost", "dbuser", "");
mysql_select_db("dbname");
?>
Next comes the login process. This is the important part, because it is where the input filtering against SQL injection is applied. This is the login.php file.
<?php
include "process/connect.php";

// filter one input value: remove HTML tags, encode what is left for safe display,
// undo any magic_quotes backslashes, then escape it for the MySQL query
function anti_sqlinjection($data){
    $filter = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($data), ENT_QUOTES)));
    return $filter;
}

$username = anti_sqlinjection($_POST['username']);
$pass = anti_sqlinjection($_POST['password']);

// make sure the username and password contain letters and digits only
// (here I'm not letting # ^ & * etc. through)
if(!ctype_alnum($username) || !ctype_alnum($pass)){
    echo "Please use letters and numbers only";
}
else{
    $login = mysql_query("select * from userlogin where username='$username' and password='$pass'");
    $result = mysql_num_rows($login);
    $row = mysql_fetch_array($login);
    //echo "select * from userlogin where username='$username' and password='$pass'";

    // if the username and password were found
    if ($result > 0){
        session_start();
        include "timeout.php";
        $_SESSION['user_session'] = $row['username'];
        // the checks below never read this value; keeping the password in the session is unnecessary
        $_SESSION['pass_session'] = $row['password'];
        // session timeout
        $_SESSION['login'] = 1;
        timer();
        echo "Congratulations, you have logged in successfully";
    }
    else{
        echo "Login failed, please try again";
    }
}
?>
In the function above, strip_tags() removes any HTML tags first, and htmlspecialchars() then encodes whatever angle brackets, ampersands and quotes remain, so the value is also safe to echo back into a page. (Calling htmlspecialchars() before strip_tags() would encode the angle brackets and leave strip_tags() nothing to remove.) In practice it is the ctype_alnum() check that makes this query safe: anything that is not a letter or digit is rejected before it reaches mysql_query(). That is a harsh rule for passwords, and it stops being necessary once the query uses a prepared statement. Now we move to the third part of the PHP code, the timeout logic, which limits how long a login stays valid: when a user does nothing for a period of time, they are logged out automatically. This is the timeout.php file.
<?php
// login.php has usually started the session already; do not start it twice
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
// (re)arm the idle timer: the login stays valid for 10 minutes from now
function timer(){
    $time = 600; // 10 minutes in seconds (time() counts seconds; 10000 would be almost three hours)
    $_SESSION['timeout'] = time() + $time;
}
// true while the idle timer has not expired; re-arms it on every call
function login_check(){
    $timeout = isset($_SESSION['timeout']) ? $_SESSION['timeout'] : 0;
    if(time() < $timeout){
        timer();
        return true;
    }else{
        unset($_SESSION['timeout']);
        return false;
    }
}
?>
While the user stays active, every page load pushes the expiry to 10 minutes after that load. Once the user has been idle for more than ten minutes, the next request logs them out automatically. Okay, this is the logout.php file.
<?php
session_start();
session_destroy();
echo "You have been logged out successfully";
?>
session_destroy() removes all the session data created during login. Without a valid session, the pages you protect cannot be accessed. Finally, add this code at the top of every protected file.
<?php
session_start();
// hide PHP errors from visitors; keep log_errors enabled in php.ini so they still reach the server log
error_reporting(0);
include "config/timeout.php";

// expire a logged-in session that has been idle for too long
if(isset($_SESSION['login']) && $_SESSION['login'] == 1){
    if(!login_check()){
        $_SESSION['login'] = 0;
    }
}

if(empty($_SESSION['user_session']) && empty($_SESSION['pass_session'])){
    header("Location: login.php"); // no session, bring the user to the login page
    exit;
}
if(empty($_SESSION['login'])){
    header("Location: process/logout.php"); // user was idle for more than 10 minutes
    exit;
}
// the session exists and is still valid: show the page
// your HTML code below from here
?>
<html>
<head>
</head>
<body>
<!-- Your HTML code here -->
</body>
</html>
Note the exit after each header(): without it PHP keeps running and sends the protected HTML along with the redirect. Okay, that is the PHP code for a login form hardened against SQL injection. I hope this helps you.
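The login.php above relies on escaping and an alphanumeric whitelist. The standard fix for SQL injection is to keep user input out of the SQL text altogether with a prepared statement, and to store a password hash rather than the password itself. The following is an added example, not code from the original post. It assumes PHP 7 or later with PDO and the pdo_sqlite extension, uses an in-memory SQLite database standing in for the post's MySQL userlogin table so that it runs offline, and creates a constructed sample account; the function names openDb(), login() and interpolatedQuery() are this example's own. The mysql_* functions used in the post were removed in PHP 7, so for a MySQL deployment only the DSN and credentials in openDb() would change.

```php
<?php
// Added example (not the original post's code): a login lookup that keeps the
// user's input out of the SQL text with a bound parameter, and checks a
// password hash instead of comparing a clear-text password.
// Assumptions: PHP 7+ with PDO and pdo_sqlite; the in-memory SQLite database
// stands in for the post's MySQL `userlogin` table. For MySQL, change the DSN
// and credentials in openDb() and nothing else.

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same two columns as the post's table; password now holds a hash,
    // which needs more room than the post's varchar(50).
    $pdo->exec('CREATE TABLE userlogin (
        username VARCHAR(50) PRIMARY KEY,
        password VARCHAR(255) NOT NULL)');
    // Constructed sample account.
    $ins = $pdo->prepare('INSERT INTO userlogin (username, password) VALUES (:u, :p)');
    $ins->execute([':u' => 'alice', ':p' => password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $pdo;
}

// True only when the username exists and the password verifies against its hash.
// Both values travel as bound parameters: a quote, a comment marker or an
// OR clause inside them is plain data, so no escaping or character whitelist
// is needed for the query to stay intact.
function login(PDO $pdo, string $username, string $password): bool {
    $sel = $pdo->prepare('SELECT password FROM userlogin WHERE username = :u');
    $sel->execute([':u' => $username]);
    $hash = $sel->fetchColumn();
    if ($hash === false) {
        return false;              // no such user
    }
    return password_verify($password, $hash);
}

// For contrast: the string the post's interpolated query turns into when the
// input is not filtered. Built for display only; never executed.
function interpolatedQuery(string $username, string $password): string {
    return "select * from userlogin where username='$username' and password='$password'";
}

$pdo = openDb();
$payload = "' OR '1'='1";
var_dump(login($pdo, 'alice', 's3cret'));   // correct credentials
var_dump(login($pdo, 'alice', 'wrong'));    // wrong password
var_dump(login($pdo, $payload, $payload));  // injection attempt, treated as a literal username
echo interpolatedQuery($payload, $payload), PHP_EOL;
```

login() returns true for the sample credentials, false for the wrong password, and false for the classic `' OR '1'='1` input, because the bound parameter makes the database look for a user literally named that. The last line prints what the post's query would become with the same input if the filter were missing, which is where the OR clause would otherwise change the meaning of the WHERE condition. In a real login.php the call would be login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '') and the session handling from the post would follow a true result.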
"Om Santhi, Santhi, Santhi, Om"
Bro, it must have been pretty tiring to write an anti-SQL-injection syntax that long.
Just replace it with this:
"$username = preg_replace('#[^A-Za-z0-9]#', '', $_POST["username"]);"
#correct me if I'm wrong..
Does that stand in for just one of the syntaxes, or all of them, bro?