If you program correctly, this should not become a problem.
Encrypt the password using MD5 or another hash function before storing it. That way, even if someone could get the MD5 of the password, it would still be useless. It cannot be decrypted. Since the user interface encrypts the input, you HAVE to enter the correct password, or find another way in.
Furthermore, any query-extensions entered into the password fields would be encrypted too, before querying the database.
You can also do a simple regexp on the username, making sure it doesn't contain any characters that are forbidden. And if you programmed well, you can just use the same function used to validate the username the user entered when he signed up.
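The two checks described above, as an added example that is not part of the original post: one username validator shared by sign-up and login, and a password that is hashed before it goes anywhere near the database. Assumptions: the table layout, the username pattern and the function names are hypothetical, salted PBKDF2-HMAC-SHA256 is used as the "other hash function" in place of MD5, and the query uses bound parameters as an extra safeguard the post does not mention.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Assumed username policy (not from the post): 3-20 letters, digits or underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

def valid_username(name):
    """Single validator shared by sign-up and login."""
    return USERNAME_RE.fullmatch(name) is not None

def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256 stands in for the post's "md5 or another hash function".
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash TEXT)")
    return db

def sign_up(db, name, password):
    if not valid_username(name):
        return False
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))
    return True

def log_in(db, name, password):
    if not valid_username(name):  # forbidden characters never reach the query
        return False
    # Bound parameter: an extra safeguard beyond the two checks in the post.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Whatever was typed into the password field is only ever compared as a hex digest.
    return hmac.compare_digest(hash_password(password, salt), stored)

if __name__ == "__main__":
    db = make_db()
    sign_up(db, "alice", "correct horse")        # constructed sample account
    print(log_in(db, "alice", "correct horse"))  # right password
    print(log_in(db, "alice", "' OR '1'='1"))    # query text in the password field
    print(log_in(db, "alice' --", "anything"))   # forbidden characters in the username
```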