PHP Classes

Nice code, secure login but insecure config

Recommend this page to a friend!

      PHP Secure Login and Registration  >  PHP Secure Login and Registration package blog  >  Secure PHP Login Scri...  >  All threads  >  Nice code, secure login but insecure...  >  (Un) Subscribe thread alerts  
Subject:Nice code, secure login but insecure...
Summary:Well written but there are a couple of missing security features
Messages:2
Author:Shane Hollis
Date:2019-02-24 07:30:53
 

  1. Nice code, secure login but insecure...   Reply   Report abuse  
Picture of Shane Hollis Shane Hollis - 2019-02-24 07:30:53
Hi,

Nice job. Thanks for sharing the code.

There are a couple of suggestions i would make.

1 - The config.php contains user names, passwords etc. It would be best to move those out to an INI file located outside the web root e.g

/PROJ FOLDER/
-- settings.ini
-- / WWW/--index.php
--config.php

There seems to be no filtering on session vars or DB input.
I know that PDO prepared statements will save you from some of the db hacks, it still leaves unfiltered input to go to the session vars.
Slightly strong filtering on username etc would keep it a bit tighter.

But nice job - well documented and coded.

  2. Re: Nice code, secure login but insecure...   Reply   Report abuse  
Picture of hazem AL-ojeh hazem AL-ojeh - 2019-04-23 03:47:55 - In reply to message 1 from Shane Hollis
Hi shane,

Can you please elaborate on your second security issue. "There seems to be no filtering on session vars or DB input. "

would be greatly appreciated.

Thank you.