Select Language


IT Programmer. Powered by Blogger.

08 February 2012

Create A Secure Login System With Anti SQL Injection Using PHP

"Om Swastiastu"

Login system is an absolute thing that a system must have if the owner wants the system data confidentiality is assured. But of course even when there are login form on a system, there is still a black hacker tried to hack the system that has been created by someone. One way to hack a system is of course using a SQL Injection technique. SQL Injection is a technique of exploiting web applications that use a database for data storage. SQL Injection occurs when a user entered data that is not filtered for escape characters and then passed into a SQL statement. This raises the potential of data manipulation from the statements made ​​on the database by the hacker.
How to prevent SQL Injection:
There are some tips here to prevent a site being hacked by SQL Injection technique:

  1. Limit the maximum character length of a text input.
  2. Filter the input entered by user, especially for the use of single quotes mark and HTML tags or Javascript.
  3. Hide the error message that comes out of SQL Server or PHP syntax by adding a PHP script at the beginning of the file.
  4. Avoid the use of $ _REQUEST [] syntax and $ _GET [] syntax.
  5. Use timeout on the session or cookies.

//anti inject of single quotes mark
//add a slash mark on the beginning of a string
//delete the html tags
//hide the error message from SQL or PHP

The syntax above are some ways you can use to prevent the SQL Injection. Okay, before we move how to make an Anti SQL Injection syntax using PHP, we should create the database first. This is the SQL statement to create the database. You can modify it on your own needs.

`username` varchar(50) COLLATE latin1_general_ci NOT NULL,
`password` varchar(50) COLLATE latin1_general_ci NOT NULL,
PRIMARY KEY (`username`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;

Copy the SQL statement above and import it on your database. Then now I'm going to create the login form using HTML.

<form name="login" action="process/login.php" method="post">
<tr><td>Username</td><td> : <input type="text" name="username"></td></tr>
<tr><td>Password</td><td> : <input type="password" name="password"></td></tr>
<tr><td> </td><input type="submit" value="Login"></td></tr>

When the submit button clicked, it will executed the login.php file on a folder called "process". Then I use the post method to send the parameter. Now we move to the PHP syntax. Here I will divide this into four parts. First we must have the connect.php file in order to connect the file to the database on SQL Server.

mysql_connect("localhost", "dbuser", "");

Then I'm going to create the login process. This is the important part because we are going to use the Anti SQL Injection syntax using PHP. This will make your site become secure. This is the login.php file.

include "process/connect.php";
function anti_sqlinjection($data){
$filter = mysql_real_escape_string(stripslashes(strip_tags(htmlspecialchars($data,ENT_QUOTES))));
return $filter;

$username = anti_sqlinjection($_POST['username']);
$pass = anti_sqlinjection($_POST['password']);

//make sure the username and password are character or number
//here I'm not letting the #^&* etc mark passed
if(!ctype_alnum($username) || !ctype_alnum($pass)){
echo = "Please use character and number only";
$login=mysql_query("select * from userlogin where username='$username' and password='$pass'");
//echo "select * from userlogin where username='$username' and password='$pass'";
//If the username and password is founded
if ($result  > 0){
include "timeout.php";
$_SESSION['user_session'] = $
row ['username'];
$_SESSION['pass_session'] = $
row ['password'];

// session timeout
$_SESSION['login'] = 1;

echo "Congratulation, you login successfully";
echo "Login failed, please try again";

On the syntax above I add the htmlspecialchars(). This is a function from PHP to show the html tags, then after it is showed I will erased the html tags using strip_tags() function. After that, now we move to the third part of the PHP coding. We'll make the timeout syntax, it is used to limit the user login time. So when a user don't do anything for a range of time, it will logout automatically. This is the timeout.php file.

function timer(){
$time=10000; //set the timer to login for 10 minutes

function login_check(){
return true;
return false;

When the user still active on a system, this function will automatically increase the time to 10 minutes from the last time user load the page. But when a user is not active more than ten minutes, it will logout automatically. Okay this is the logout.php file.


echo "You have been logout successfully";


To destroy all sessions you made on login process, you use the session_destroy() function. With no session you can access the site you made. Now once and for all, add this code in every of your file.

include "config/timeout.php";
$_SESSION['login'] = 0;
header('location: process/logout.php');
//user is not active for 10 minutes
if(empty($_SESSION['user_session']) && empty($_SESSION['pass_session']) && $_SESSION['login']==0){
header("location: login.php");
//no session, bring user to login page
//session is exist, show the html code
//your HTML code below from here
<!-- Your HTML code here -->

Okay, that is the PHP syntax to create a secure login form using PHP. I hope this help you so much.

"Om Santhi, Santhi, Santhi, Om"


Ada 2 comments pada “Create A Secure Login System With Anti SQL Injection Using PHP”
Anonymous said...
pada hari 

bro rada cape mungkin nulis syntax anti sql inject sepanjang itu,.
ganti ini aja..

"preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]);"

#koreksi saya jika salah..

jikun said...
pada hari 

itu mewakili salah satu syntax apa semuanya bro?

Social Media

Facebook Page

Programming Tutorial


This Blog is proudly powered by | Template by Bali Web Development | Privacy Policy | Rise Up!!