3

Would this login function be secure, I put the url data straight into the function, but would this be unsafe? Could this be injected, I know it has no SQL, but is it venerable?

if ($_SERVER["REQUEST_METHOD"] == "POST") {    
    $login = check_login($_POST['emailusername'], $_POST['password']);
    if ($login) {
        // Registration Success
       header("location: /");
    } else {
        // Registration Failed
        echo 'Username / password wrong';
    }
}

function:

// CHECK LOGIN SCRIPT
   function check_login($emailusername, $password) 
    {

$host = 'localhost';
$port = 3306; // This is the default port for MySQL
$database = 'example';
$username1 = 'root';
$password1 = 'root';

$dsn = "mysql:host=$host;port=$port;dbname=$database";
$db = new PDO($dsn, $username1, $password1);

                $password = md5($password);


$statement = $db->prepare('SELECT uid FROM users WHERE (email = ? or username = ?) and password = ?');
$statement->execute(array($emailusername, $emailusername, $password));

if ($result = $statement->fetchObject()) {
    $_SESSION['login'] = true;
    $_SESSION['uid'] = $result->uid;
    return TRUE;
}else{
    return FALSE;
}    }
BenMorel
  • 30,280
  • 40
  • 163
  • 285
Joshua Davis
  • 315
  • 7
  • 14
  • 1
    Depends on your `check_login` function. Could you paste it? – Nemoden Aug 18 '11 at 06:59
  • Sorry, forgot you may need that, edited it in. – Joshua Davis Aug 18 '11 at 07:00
  • 1
    @Joshua Davis: As long as you keep using PDO, do not worry about SQL injection. – Shef Aug 18 '11 at 07:04
  • @Shef You should probably say *binding params with PDO*. You can still have SQL injection with PDO. – alex Aug 18 '11 at 07:13
  • 1
    @alex: That's what I meant. To be more explicit, as long as you keep using PDO to prepare statements with bound parameters do not worry about SQL injection! :) – Shef Aug 18 '11 at 07:15
  • Are my current PDO statements venerable? The ones in my code above. – Joshua Davis Aug 18 '11 at 07:22
  • They're not vulnerable (not venerable, that word doesn't exist). You can also check whether you got any holes by trying to hack your own script using classic SQL injection attacks (there are numerous examples at wikipedia and SO). – N.B. Aug 18 '11 at 08:08

2 Answers2

2

I don't see a reason why it would be unsecure, but I'd suggest you to follow authentication best practices though.

Community
  • 1
  • 1
Nemoden
  • 8,038
  • 5
  • 35
  • 63
-1

To make a good authentication system isn't that simple, my friend. Here are some 'first steps'.

If you aren't sure, you shouldn't make your own. It's anti-pattern called 'reinventing the square wheel'!

Community
  • 1
  • 1
daGrevis
  • 19,600
  • 35
  • 95
  • 134
  • "check login and password" is too simple function, each programmer can to write it easy. Using existing solutions it's good, of course, but it's not only possible part of programming. – OZ_ Aug 18 '11 at 07:23