A friendly tip - using MD5, SHA1, etc. in MySQL
I had a "DUH" moment and overlooked this in a small project I'm building. Thankfully found it with an SQL injection tool (which is another GOOD thing to have. There is even a Firefox extension called SQL Inject Me).
Always remember to validate/clean data before passing to the database:
Not so good:
```php
// $uid is checked, but the raw $password is pasted straight into the SQL text
// inside SHA1('...'), so a quote in the password ends the string literal early.
if (is_numeric($uid) && strlen($uid) <= 5 && strlen($uid) > 0)
{
    $q = "SELECT COUNT(*) FROM myusers WHERE uid='$uid' AND upass=SHA1('$password')";
}
```
What happens if someone enters a password of "123 '); DESC myusers;"? hmm...
Better:
```php
// Hash on the PHP side first: sha1() returns a fixed 40-character hex string,
// so only hex digits ever reach the query, whatever the user typed.
if (is_numeric($uid) && strlen($uid) <= 5 && strlen($uid) > 0)
{
    $password = sha1($password);
    $q = "SELECT COUNT(*) FROM myusers WHERE uid='$uid' AND upass='$password'";
}
```
There are probably other, more secure methods - but for those just starting be sure to check and clean all data before you put in a query.
hth.
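To show the post's point end to end, here is an added example (mine, not the original poster's code) that uses Python's sqlite3 module in place of PHP and MySQL. It keeps the post's app-side SHA1 hashing so the comparison stays on the injection issue (SHA1 is not a suitable password hash on its own; a slow, salted hash is what you want for storage), builds the "not so good" query string only so you can inspect where the post's sample password breaks out of the literal, and performs the real lookup with bound parameters so user input is never parsed as SQL. The table name and sample users are constructed for the example.

```python
import hashlib
import sqlite3

# Constructed sample data: two users in an in-memory SQLite table
# named after the post's "myusers".
SAMPLE_USERS = [("123", "correct horse"), ("456", "hunter2")]


def sha1_hex(s: str) -> str:
    """Application-side hash, as in the post's 'Better' snippet."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myusers (uid INTEGER PRIMARY KEY, upass TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO myusers (uid, upass) VALUES (?, ?)",
        [(int(uid), sha1_hex(pw)) for uid, pw in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def valid_uid(uid: str) -> bool:
    """Mirror the post's check: numeric and between 1 and 5 characters."""
    return uid.isdigit() and 1 <= len(uid) <= 5


def build_unsafe_query(uid: str, password: str) -> str:
    """The post's 'Not so good' pattern, returned as text for inspection only.

    The raw password is interpolated inside SHA1('...'), so a single quote in
    it closes the literal and whatever follows is read as SQL. Never executed.
    """
    return f"SELECT COUNT(*) FROM myusers WHERE uid='{uid}' AND upass=SHA1('{password}')"


def count_matches(conn: sqlite3.Connection, uid: str, password: str) -> int:
    """Hardened lookup: validate uid, hash on the app side, bind both values.

    With placeholders the driver sends the values separately from the SQL
    text, so the post's sample password is just a string that fails to match.
    """
    if not valid_uid(uid):
        return 0
    row = conn.execute(
        "SELECT COUNT(*) FROM myusers WHERE uid = ? AND upass = ?",
        (int(uid), sha1_hex(password)),
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    print(build_unsafe_query("123", "123 '); DESC myusers;"))
    print(count_matches(db, "123", "correct horse"))          # 1
    print(count_matches(db, "123", "123 '); DESC myusers;"))  # 0
```

The same shape applies in PHP with PDO or mysqli prepared statements: hash first, then bind `$uid` and the hash as parameters instead of interpolating them into the query string.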
