Thread: injecting if-s?

  1. #1
    SitePoint Enthusiast itportal's Avatar
    Join Date
    Sep 2005
    Posts
    73

    injecting if-s?

    Hello,

    I was wondering whether it is possible to inject into a simple PHP password check like the following:
    PHP Code:
    $user = $_POST["user"];
    $pass = $_POST["pass"];
    if ($user == "username" && $pass == "password") { ... }
    I couldn't find any way ... so is this secure enough?

  2. #2
    SitePoint Evangelist
    Join Date
    Apr 2006
    Location
    Halifax, Canada
    Posts
    498
    The input strings are not parsed, so they can't be injected.

    Just make sure that if the file is being included in other PHP code, you use .php and not .inc or another extension.
    Paul Butler.org
    JSSpamBlock - Reduce WordPress spam.

  3. #3
    is_empty(2); foofoonet's Avatar
    Join Date
    Mar 2006
    Posts
    1,000
    You could use something as simple as that if you want.

    I would filter any input from the web: check, for example, that it only contains alphanumeric characters (and maybe a space), and if it's longer than, say, 12 characters, just eject them straight away.
    Upgrading to Mysql 5? Auto-increment fields now strict
    use NULL
    Or zero or leave the field name out completely.
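
An added example, not code from the thread: the password check from post #1 with the input filter described in post #3 (alphanumeric characters and spaces, at most 12 characters) applied before the comparison. The function names `is_acceptable` and `check_login` are hypothetical, and using `hash_equals()` and `password_verify()` against a stored hash in place of the plain `==` comparison is an assumption of this example.

```php
<?php
declare(strict_types=1);

// Filter from post #3: letters, digits and spaces only, at most 12 characters.
function is_acceptable($value): bool
{
    // $_POST entries can be arrays (e.g. user[]=x), so require a string first.
    // \A and \z anchor the whole value, so a trailing newline does not slip past.
    return is_string($value)
        && preg_match('/\A[A-Za-z0-9 ]{1,12}\z/', $value) === 1;
}

function check_login(array $post, string $expectedUser, string $passwordHash): bool
{
    $user = $post['user'] ?? null;   // a missing field becomes null, not a warning
    $pass = $post['pass'] ?? null;
    if (!is_acceptable($user) || !is_acceptable($pass)) {
        return false;
    }
    // Both checks always run, so the result does not depend on which field was wrong.
    $userOk = hash_equals($expectedUser, $user);      // constant-time string comparison
    $passOk = password_verify($pass, $passwordHash);  // compares against a stored hash
    return $userOk && $passOk;
}

// Constructed sample data: the credentials from post #1 and some rejected inputs.
$hash = password_hash('password', PASSWORD_DEFAULT);
$samples = [
    'valid'    => ['user' => 'username', 'pass' => 'password'],
    'wrong'    => ['user' => 'username', 'pass' => 'letmein'],
    'array'    => ['user' => ['username'], 'pass' => 'password'],
    'too long' => ['user' => 'username', 'pass' => str_repeat('a', 13)],
    'symbols'  => ['user' => 'username', 'pass' => 'pass;word'],
    'missing'  => ['user' => 'username'],
];
foreach ($samples as $label => $post) {
    $result = check_login($post, 'username', $hash) ? 'accepted' : 'rejected';
    printf("%-9s %s\n", $label, $result);
}
```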

  4. #4
    SitePoint Enthusiast itportal's Avatar
    Join Date
    Sep 2005
    Posts
    73
    Yes, but it's not necessary ... if an injection can't be included then ... nice .. so I can use this simple code for simple password-protected pages ...

