ensure you setup the db

Nullified — Fri, 02 Nov 2012 00:45:25 +0000

ensure you setup the db fields to only store the type of data it is suppose to.
ensure you escape all session vars ($_REQUEST/$_POST/$_GET)
ensure you escape all sql queries
ensure you strip all malicious characters from form data
md5 (hash) anything you would like to keep private
ensure valid use of session/cookie data and keep your sessions clean

The basic starting point is

greg — Mon, 29 Oct 2012 18:52:51 +0000

The basic starting point is to ensure people are entering data that you want them to, so only data that suits the form field they're using.

EG if you have a DATE entry, there should only be numeric chars entered, no alpha or other chars like !"£$ etc. AGE would be numeric only, username you may want to limit to alphanumeric, etc..

If you start by limiting their entry to what they should be doing, your on the way to maintaining security as you'll naturally remove their ability to enter various bad chars like apostrophes and quotes, and also ensure you get useful info too, like alpha only for names, and numeric for dates, age etc.

You also need to check the total characters they used in a string. So if they're entering 3 chars for DAY when it should be 2, or 100 chars for name when it should be max 40 etc, you can issue an error to them without even touching the DB with the info, it's all done in PHP until you're happy with their data.
This also ensures users are entering the correct data to suit your database structure. Such as USERNAME may be a varchar(40), so you limit them entering 40 chars, otherwise you end up with a headache in your DB and, for example, logins wont work.
(HTML's form "maxlength" is easy to get around so checking in PHP is essential)

You should always check all data as outlined above before even thinking about accessing your DB.
Once you've sanitised those checks and you're happy they've entered sensible info and data that suits the fields they using, then the script can move on to the DB part and store it.
It might still be rubbish or nonsense, but there's no easy way to stop that, important thing is it'll be safe and correctly formatted to store in your DB.

As you're ready to insert, you should also ALWAYS use mysql_real_escape_string on all data before entering into the DB. (although you should be using MySQLi or PDO_MySQL these days)

tbcproductions wrote:

there won't be any critical personal information in the database other than email addresses and names

There is - their passwords are saved in the DB. So make sure you're hashing passwords before saving (MD5/SHA etc) if your database is compromised and you're saving in plaintext, all your users' accounts can be accessed by whoever has the data.
SALT is a more secure addition, but not completely essential unless you have high security requirements.

tbcproductions wrote:

If successful, it will take you to the login page... which doesn't work. Somethings wrong in the code, because no matter what username or password you enter, you get an error, even if the info is correct.

Either the PHP code is invalid, or you're doing something wrong with the data.

Is the data correct in the database? Echo it out onto the page.
Are you entering the correct data that matches the DB data?
Is the final PHP script which attempts login getting the correct data as above two questions?

Try echoing all relevant variables and printing arrays you're working with, sometimes it's something simple/obvious you've missed along the way. Showing all the data that PHP is working with behind the scenes that you wouldn't normally see can highlight the issue.

If it's a PHP specific error, feel free to paste the code and we'll take a look

Cheers