My CMS is at risk of being h4x0r3d

Atomiku

Well, After reading abit about security, I have found out that my CMS could easly be hacked.

The main problem would be SQL injection.
Could this be solved by changing things like " to "?

The second problem is that im not very happy about the way my code is storing the cookies. Its doing something like this:

setcookie("AtomikuCMS[myUser]", $row['userid'], time()+3600);

That works fine, But is there any way the user could change the cookie?

If so, Is there anyway I can stop it?
Thanks in advance, Matt.

drew010

make sure you use [man]mysql_real_escape_string()[/man] on all values from get and post that will be used in a query. as far as the cookie it may be a little more of a pain to change, but is there any other values like sessions maybe that keep the user logged in?

Atomiku

Thankyou for your responce.
I was actualy using sessions but they expired after the user closed the browser.

I did actualy have a code where it recreated the session automaticly if it recognises the IP that the user logged in with in the first place.

But obviosly, You can see where it all went wrong, People sometimes have the same IP 😛 so that is another goodbad idea out the window 😛

drew010

you can change the fact that a session dies when they close the browser my modifying the php.ini value session.cookie_lifetime

Atomiku

You sure? I thought the sessions disapeared because the browser wasnt storing the session ID.
oh well, it doesnt really matter. Im using cookies now anyway 😛 :xbones: