Security in checking and validating a user with PDO (PHP)

Viewed 360 times

I want to create a panel with a secure login environment, using PDO as a validation.

To explain: I am using the IPB forum database. Basically, I want to take advantage of the same forum user base and create an environment in which a registered member of my forum can access new functions. Here is the code:

database.php

<?php
// MySQL host - IPB forum
$host_ipb = "127.0.0.1";
$db_ipb = "forum";
$user_ipb = "root";
$userpass_ipb = "root";
try {
    $con_ipb = new PDO(
        "mysql:host=$host_ipb;dbname=$db_ipb",
        $user_ipb,
        $userpass_ipb,
        array(
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"
        )
    );
} catch (PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}

functions.php

<?php
function login($con_ipb, $email, $senha)
{
    /* Look up the members_pass_salt for the requested e-mail */
    $dados_email = array(':email' => $email);
    $p_query_email = $con_ipb->prepare("SELECT * FROM ipb_core_members WHERE email=:email");
    $p_query_email->execute($dados_email);
    $usuario_email = $p_query_email->fetch(PDO::FETCH_OBJ);

    /* No such e-mail: keep an empty salt so the hash below cannot match anything */
    $members_pass_salt = $usuario_email ? $usuario_email->members_pass_salt : '';

    /* Convert the password into IPB's members_pass_hash format */
    $members_pass_hash = crypt($senha, '$2a$13$' . $members_pass_salt);

    /* Check e-mail and password (members_pass_hash) and authorise the session */
    $dados_user_pass = array(':email' => $email, ':members_pass_hash' => $members_pass_hash);
    $p_query_verifica = $con_ipb->prepare("SELECT * FROM ipb_core_members WHERE email=:email and members_pass_hash=:members_pass_hash");
    $p_query_verifica->execute($dados_user_pass);
    $email_senha = $p_query_verifica->fetch(PDO::FETCH_OBJ);

    if ($email_senha) {
        ini_set('default_charset', 'UTF-8');
        $_SESSION["email_senha"] = $email_senha;
        $_SESSION['email'] = $email;
        header("Location: dashboard.html");
    } else {
        header("Location: error.html");
    }
    /* Stop the script after the redirect so nothing else is sent */
    exit;
}

check.php

<?php
session_start();                           // required before $_SESSION is written in login()
require_once('configs/database.php');      // provides $con_ipb
require_once('configs/functions.php');
$email = $_POST['email'];
$senha = $_POST['senha'];
login($con_ipb, $email, $senha);

It is functional and error-free. My question is whether it is safe to use in a secure environment with no possibility of SQL injection.

Thank you!
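The parameterised queries above already keep the e-mail and hash out of the SQL text, so the injection question itself is settled by PDO::prepare with bound values. The remaining weak points of a login routine are elsewhere: the password is compared by the database's string comparison rather than in constant time, the whole member row is copied into the session, and the session id is not regenerated after authentication. The following is an added example, not the asker's code or IPB's, showing a hardened variant of login() that keeps the same table and column names from the question (ipb_core_members, email, members_pass_hash, members_pass_salt) and the '$2a$13$' . salt hash layout the question uses; the function name login_hardened and the dummy salt are assumptions.

```php
<?php
// Added example (not the asker's code): hardened login using the same PDO handle and
// IPB column names as the question. Assumes $con_ipb comes from database.php.

function login_hardened(PDO $con_ipb, string $email, string $password): bool
{
    // One parameterised query: the user-supplied e-mail is bound, never concatenated,
    // so it cannot change the SQL statement.
    $stmt = $con_ipb->prepare(
        'SELECT email, members_pass_hash, members_pass_salt
           FROM ipb_core_members
          WHERE email = :email
          LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $member = $stmt->fetch(PDO::FETCH_ASSOC);

    // When the e-mail is unknown, still run crypt() against a dummy (constructed) salt and
    // hash, so "no such account" and "wrong password" take about the same time.
    $dummySalt = 'aaaaaaaaaaaaaaaaaaaaaa';             // 22-char bcrypt salt, placeholder value
    $salt      = $member['members_pass_salt'] ?? $dummySalt;
    $expected  = $member['members_pass_hash'] ?? crypt('dummy-password', '$2a$13$' . $dummySalt);

    // Same hash construction as the question ('$2a$13$' . salt).
    $computed = crypt($password, '$2a$13$' . $salt);

    // Compare in PHP with hash_equals() instead of "AND members_pass_hash = :hash" in SQL:
    // the comparison is constant-time and the hash never has to leave the application.
    if ($member === false || !hash_equals($expected, $computed)) {
        return false;
    }

    // Successful login: issue a fresh session id (defeats session fixation) and store
    // only what the panel needs, not the entire member row.
    session_regenerate_id(true);
    $_SESSION['email'] = $member['email'];
    return true;
}

// check.php (assumed usage of the function above)
session_start();
require_once 'configs/database.php';
require_once 'configs/functions.php';

$email    = $_POST['email'] ?? '';
$password = $_POST['senha'] ?? '';

// Redirect to the same pages as the question and stop the script afterwards.
header('Location: ' . (login_hardened($con_ipb, $email, $password) ? 'dashboard.html' : 'error.html'));
exit;
```

Returning a bool from the function and doing the redirect in check.php keeps the session logic testable on its own; the single SELECT also means the database is queried once per attempt instead of twice.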

  • Possible duplicate of https://answall.com/questions/3864

  • Where would this possible duplicate be?

  • I believe @Guilhermecostamilam didn't mean it was a duplicate, but wanted to give you a post that talks about preventing SQL injection

  • @Leocaracciolo Understood, it's just that I'm still really learning about PHP programming with PDO, and I can't see the problems, even after reading the links he sent. I need a look from another, more experienced programmer.

  • You have already read this https://secure.php.net/manual/en/security.database.sql-injection.php#security.database.avoiding

No answers
