Do I need to sanitize my login value in php

Question

Following is script I used in login page

<?php
//include config
require_once('includes/config.php');

//check if already logged in move to home page
if ($user->is_logged_in()) {
    header('Location: index.php');
}

//process login form if submitted
if (isset($_POST['submit'])) {

    $username = filter_input(INPUT_POST, 'username');
    $password = filter_input(INPUT_POST, 'password');

    if ($user->login($username, $password)) {
        $_SESSION['username'] = $username;
        header('Location: memberpage.php');
        exit;
    } else {
        $error[] = 'Wrong username or password or your account has not been activated.';
    }
}//end if submit
//define page title
$title = 'Login';

//include header template
require('layout/header.php');
?>

Do I need to sanitize these inputs with at least mysql_real_escape_string or can I use this code?

user.php

<?php
include('password.php');
class User extends Password{

    private $_db;

    function __construct($db){
        parent::__construct();

        $this->_db = $db;
    }

    private function get_user_hash($username){  

        try {
            $stmt = $this->_db->prepare('SELECT password FROM members WHERE username = :username AND active="Yes" ');
            $stmt->execute(array('username' => $username));

            $row = $stmt->fetch();
            return $row['password'];

        } catch(PDOException $e) {
            echo '<p class="bg-danger">'.$e->getMessage().'</p>';
        }
    }

    public function login($username,$password){

        $hashed = $this->get_user_hash($username);

        if($this->password_verify($password,$hashed) == 1){

            $_SESSION['loggedin'] = true;
            return true;
        }   
    }

    public function logout(){
        session_destroy();
    }

    public function is_logged_in(){
        if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true){
            return true;
        }       
    }

}


?>

password_verify() code

public function password_verify($password, $hash) {
        if (!function_exists('crypt')) {
            trigger_error("Crypt must be loaded for password_verify to function", E_USER_WARNING);
            return false;
        }
        $ret = crypt($password, $hash);
        if (!is_string($ret) || strlen($ret) != strlen($hash) || strlen($ret) <= 13) {
            return false;
        }

        $status = 0;
        for ($i = 0; $i < strlen($ret); $i++) {
            $status |= (ord($ret[$i]) ^ ord($hash[$i]));
        }

        return $status === 0;
    }

}

Since am new to PHP I am confused about it. Can someone help me?

or will user class will protect this login

Please, [do not use `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://jayblanchard.net/demystifying_php_pdo.html). — Jay Blanchard, Apr 24 '15 at 18:50
@JayBlanchard `PDO` i don;t know anything about it, and searched about it using prepared statement will help protect can you please make a example — lawrence, Apr 24 '15 at 18:52
Check the link in the comment I made. There is a tutorial there. — Jay Blanchard, Apr 24 '15 at 18:52
That depends completely on the `User` class you are using. In your code you are not doing any database operations, outputting to the screen, etc. so for what would you need to sanitize? — jeroen, Apr 24 '15 at 18:57
Sidenote: Sure hope you're storing a hash for this. **Edit:** and as per your edit; good. — Funk Forty Niner, Apr 24 '15 at 19:00
@jeroen check my question add user class i used `pdo` is this secure — lawrence, Apr 24 '15 at 19:01
probably best suited for code review instead. http://codereview.stackexchange.com/ since you've working code. — Funk Forty Niner, Apr 24 '15 at 19:02
@Fred-ii- after edit will the above code is safe i use `user` class and `password` hash — lawrence, Apr 24 '15 at 19:03
I'm voting to close this question as off-topic because it's best suited for code review http://codereview.stackexchange.com/ — Funk Forty Niner, Apr 24 '15 at 19:03
@Fred-ii- Please [vote to close because the question is off-topic for Stack Overflow, not because it belongs somewhere else](http://meta.stackoverflow.com/a/286591/1310566). Voting to close because it belongs somewhere else can cause situations where the question is closed on two places. It is okay to redirect people to other sites, but don't vote to close with that reason. — Simon Forsberg, Apr 24 '15 at 19:05
@SimonAndréForsberg it's exactly where it belongs. *Do I need to sanitize my login value in php* — Funk Forty Niner, Apr 24 '15 at 19:06
`am using function` function? Where is the User class defined? If using an API (like phpbb3 which this looks similar to), there may be accessory functions to sanitize the data — copeg, Apr 24 '15 at 19:06
let them deal with it. question's off-topic in so many respects. — Funk Forty Niner, Apr 24 '15 at 19:09
@Fred-ii- I did not try to say that it didn't belong on CR. It is a bit unclear how well the code is working, but I am assuming it works. (Although one answer here on SO suggests that it doesn't, which would not make it a good CR candidate) I'm just against the "vote to close because it belongs at xyz". There are [several](http://meta.stackexchange.com/q/251568/213556) meta [posts](http://meta.stackoverflow.com/q/289949/1310566) related to this. — Simon Forsberg, Apr 24 '15 at 19:16
@SimonAndréForsberg I may have voted to close as such in a bit of a haste, however the OP doesn't mention whether their code works or not; therefore falling under different sections of Stack's "off-topic" choices. They should have tested their code before posting it and possibly making me look like a fool. — Funk Forty Niner, Apr 24 '15 at 19:21
@Fred-ii- Now that I totally agree with. At Code Review we often get "*Does* this code work? How can it be made better?" questions, while CR is more about "This works. How can it be made better?". The only way to know if your code works is really to test it. — Simon Forsberg, Apr 24 '15 at 19:26
@SimonAndréForsberg +1 ^ Exactly. This probably won't be the last neither lol *cheers* — Funk Forty Niner, Apr 24 '15 at 19:27

jeroen · Answer 1 · 2015-04-24T19:21:09.993

3

Does this actually work?

I see:

if($this->password_verify($password,$hashed) == 1){

But there is no password_verify() method in your class. If you mean the password_verify() function, you should change it to:

if(password_verify($password,$hashed)){

To answer your question, you are using prepared statements so you should not escape your data, you are safe from sql injection. Even if you needed to - if you would inject a value directly into a query somewhere for example - you would need a PDO escaping function and not the mysql_* one. But using prepared statements consistently is obviously the better solution as you cannot forget anything by accident.

The only real problem that I can see is that you echo out your catched exception message to the user. You should log that instead and present the user with a non-technical error message.

And of course you should add error handling to the database calls: An empty result is not an error and will not lead to an exception, but it will lead to problems in your code, so you should check for that.

edited Apr 24 '15 at 19:21

answered Apr 24 '15 at 19:10

jeroen

91,079
21
114
132

If you escape your data when using prepared statements, you can actually introduce errors into your data. Because the escaped string will be inserted literally. So `O'reilly` would be `O\'reilly` in your db; not what you want. – Dan Apr 24 '15 at 19:18
@dan08 Hmmmmm, perhaps my wording is not clear enough, I'll improve it. – jeroen Apr 24 '15 at 19:19
I was just adding some clarification, you said "you don't *have* to" and I remember when I was learning, I thought I was being super safe by escaping and using prepared statements. – Dan Apr 24 '15 at 19:20
@dan08 I know and you are right, so I modified it :-) – jeroen Apr 24 '15 at 19:22
Agreeing here. However, they really should have tested their code before posting their question. It falls into code review, unclear, why it's not working sections and maybe even another, far as I can see. – Funk Forty Niner Apr 24 '15 at 19:23
@Fred-ii- I figured that if it really got moved, they'd move the answer with it so I might as well get it out of my system ;-) – jeroen Apr 24 '15 at 19:25
@jeroen hehehe, true. Caffeine however, stays in your system too but not as long as the question will ;-) – Funk Forty Niner Apr 24 '15 at 19:26
@jeroen yes am using `password_verify()` in another file `include('password.php');` its located on `user.php` file and just add `password_verify()` to question – lawrence Apr 26 '15 at 09:56

Do I need to sanitize my login value in php

1 Answers1