Secure user authentication on PHP [closed]

By Posted on

Problem

I’m trying to figure out the best way to manage user authentication.

At the moment I’m using this way

include("Conection.php");
$usuario = $_POST["Nick"];
$contra = $_POST["Pass"]; 
$sql = "SELECT * FROM usuario WHERE Nick = '$usuario' AND Password = '$contra'"; 
$result = $conn->query($sql);
$row = $result->fetch_assoc();
if ($result->num_rows == 0) { 
      echo '<script languaje=javacript>
    alert ("Inicion de sesion rechazada")
    window.location="../Entrar.html"
    </script>';
} 
else 
{ 
     // Inicias la sesion 
     session_start(); 
     $_SESSION['Usuario'] = $row['Nick']; 
     $_SESSION['estado'] = 'Autenticado'; 
     echo ("<script>location.href='../../Index.php'</script>");
     // Muestras el contenido de la pagina 
}

and if my user logs in he will have different menu options

<?php
    session_start(); 
    if(isset($_SESSION['Usuario']) and $_SESSION['estado'] == 'Autenticado')                    { ?>
    <a href="Navegacion/Entrar.html">Logeado</a>&nbsp;&nbsp;&nbsp;
<?php } 
    else 
    {    ?>
    <a href="Navegacion/Entrar.html">Entrar</a>&nbsp;&nbsp;&nbsp;
    <a href="Navegacion/Registrarse.html">Registrarse</a>&nbsp;&nbsp;&nbsp;
    <a href="Navegacion/Carrito.html"><img src="Images/Carrito.png" alt=""  width="20" height="20" ></a>
<?php   }    ?>

I know this way it’s way weaker with SQL injections and stuff like that.

My main question was, Which it’s the best way to protect againts sql injections, seems that the answer it’s PDO, since I can not use comments and let me thank here all you that help me, thank you mdfst13

Solution

Avoiding SQL injection

$usuario = $_POST["Nick"];
$contra = $_POST["Pass"]; 
$sql = "SELECT * FROM usuario WHERE Nick = '$usuario' AND Password = '$contra'";

The smallest change to this to avoid SQL injection would be something like 

$usuario = $conn->real_escape_string($_POST['Nick']);
$contra = $conn->real_escape_string($_POST['Pass']);
$sql = "SELECT * FROM usuario WHERE Nick = '$usuario' AND Password = '$contra'";

But modernly best practice is to use something like PDO with bind variables. You don’t include enough context to make that change here.

I also changed double quotes to single quotes because I prefer them for static strings. I only use double quotes for interpolated strings like $sql.

PHP vs. Javascript

      echo '<script languaje=javacript>
    alert ("Inicion de sesion rechazada")
    window.location="../Entrar.html"
    </script>';

First, consider using a NOWDOC for a multiline string. E.g.

    echo <<<'EOSCRIPT'
<script languaje=javacript>
  alert ("Inicion de sesion rechazada")
  window.location="../Entrar.html"
</script>
EOSCRIPT;

But you generally don’t want to do things like a redirect in Javascript. Doing it with HTML headers is more reliable. 

    header('Location: ../Entrar.html');

Note that this should be an absolute URL, but I don’t know which one.

You have to emit headers before any HTML, even the DOCTYPE.

Leave a Reply

Your email address will not be published. Required fields are marked *