Firstly, you have a mistake in the session regenerate code. The following `if` will always evaluate to true:

```php
if ($rand != 1 || $rand != 3 || $rand != 5)
```

If `$rand` is *not* 1, it returns true. If `$rand` *is* 1, then it's not three, and it returns true. You probably meant to use an `and` here.

Secondly, you don't need to MD5 the `user_ip` or the `user_agent` strings. If someone can access the session data on your server directly, you're so deep in it that hashing that data won't save you.

**CLARIFICATION:** As SDC and crush point out in the comments, MD5 is good for hashing passwords *if you hash it with a salt*. This means that your users' passwords are generally still secure, even if a SQL injection attack succeeds and your database is exposed to the world. *However,* if your server is compromised, and the salt is compromised, then it becomes possible to generate a set of known hashes and to attempt a reverse lookup of a specific password. Bottom line? Hash your user passwords, with a salt.

Thirdly, most security holes don't come from spoofing sessions. They come from poor input checking. A book like [Essential PHP Security](http://amzn.com/059600656X) should be a good introduction to the kind of input checking you should do in a PHP project. Failing that, at least read the [security section of the PHP Manual](http://php.net/manual/en/security.php). Pay attention to the SQL injection bit. It's cool!

Finally, I fully agree with the other poster that you should use SSL to secure communication to your website.
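The following is an added example, not code from the question or the answer above. It shows why the posted predicate is always true (each of the three `!=` tests is satisfied by every value that fails the others), the `and` version the answer suggests, and a session-fingerprint check that stores the client address and user agent in plain text rather than MD5-hashed. It assumes the original code drew `$rand` from `mt_rand(1, 5)` and meant to regenerate the session ID whenever `$rand` is none of 1, 3 or 5; those details, and the helper names, are assumptions, not taken from the page.

```php
<?php
// Added example (not from the original question or answer). Assumptions:
// $rand comes from mt_rand(1, 5) and the intent was to regenerate the
// session ID only when $rand is none of 1, 3 or 5.

declare(strict_types=1);

// The predicate as posted: with || at least one of the three inequalities
// holds for every integer, so this is always true.
function shouldRegenerateBuggy(int $rand): bool
{
    return $rand != 1 || $rand != 3 || $rand != 5;
}

// The predicate the answer suggests: true only when $rand is none of 1, 3, 5.
function shouldRegenerateFixed(int $rand): bool
{
    return $rand != 1 && $rand != 3 && $rand != 5;
}

// Same truth table, harder to get wrong: test membership in the excluded set.
function shouldRegenerate(int $rand): bool
{
    return !in_array($rand, [1, 3, 5], true);
}

// Fingerprint kept in the session as plain text; hashing it with MD5 adds
// nothing once an attacker can already read server-side session storage.
function sessionFingerprint(array $server): string
{
    return ($server['REMOTE_ADDR'] ?? '') . '|' . ($server['HTTP_USER_AGENT'] ?? '');
}

// Call once per request after session_start(). Returns true if the session
// was kept, false if it was discarded because the fingerprint changed.
// $session is passed by reference so the example can run without a real
// session; in production pass $_SESSION.
function checkAndMaybeRegenerate(array &$session, array $server, int $rand): bool
{
    $fp = sessionFingerprint($server);
    if (!isset($session['fingerprint'])) {
        $session['fingerprint'] = $fp;           // first request: record it
    } elseif (!hash_equals($session['fingerprint'], $fp)) {
        $session = [];                            // mismatch: drop session data
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_destroy();
        }
        return false;
    }
    if (shouldRegenerate($rand) && session_status() === PHP_SESSION_ACTIVE) {
        // Issue a new ID and delete the old one so a captured ID stops working.
        session_regenerate_id(true);
    }
    return true;
}

// Stand-alone demonstration on the CLI; no session is started here.
if (PHP_SAPI === 'cli') {
    foreach (range(1, 5) as $r) {
        printf("rand=%d buggy=%s fixed=%s\n", $r,
            var_export(shouldRegenerateBuggy($r), true),
            var_export(shouldRegenerateFixed($r), true));
    }

    // Constructed request data, not captured from any real server.
    $session = [];
    $server  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed)'];
    var_dump(checkAndMaybeRegenerate($session, $server, 2));
    // Same user agent from a different address: fingerprint no longer matches.
    var_dump(checkAndMaybeRegenerate($session, ['REMOTE_ADDR' => '198.51.100.9'] + $server, 2));
}
```

Run it with `php session_check.php`: the first loop prints `buggy=true` for every value of `$rand`, while `fixed=true` appears only for 2 and 4. A fingerprint tied to the client address will also log out legitimate users whose address changes mid-session (mobile networks, corporate proxies), which is the trade-off to weigh before keying the check on `REMOTE_ADDR`.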