
Sql Injection How Do I Prevent It - Webmasters - Nairaland




Sql Injection How Do I Prevent It by pagolina: 12:34pm On Jun 29, 2009
Can somebody help me?
I run my application with PHP and MySQL.
How do I prevent it from being hacked via the login field?

thank you
Re: Sql Injection How Do I Prevent It by yawatide(f): 5:09pm On Jun 29, 2009
For one, sanitize your form input.
Re: Sql Injection How Do I Prevent It by lojik(m): 5:33pm On Jun 29, 2009
Aside from yawa-ti-de's post,
encrypt your password from the client side. You could use JavaScript MD5. That helps.
View the Yahoo login page source; that's how it's done.
Re: Sql Injection How Do I Prevent It by nitation(m): 5:58pm On Jun 29, 2009
@ lojik

I will strongly advise the poster not to take your advice. How does encrypting a password protect you from SQL INJECTION? I think most naija have turned programming into an Oshodi highway where everyone off-ramps as they like. Your solution is nothing but a B-IIIIG lie. Who taught you that? Where did you attend your own school? Give me a project where you applied such a method and see if it will not be bypassed.

Anyway, here is a method.


<?php
// Check whether the user clicked the submit button
if (isset($_POST['submitbtn'])) {

    // Assign the POST values to variables
    $username = $_POST['username'];
    $passid   = $_POST['passid'];

    // stripslashes() only undoes the escaping that PHP adds when magic_quotes_gpc is on;
    // applying it unconditionally would eat legitimate backslashes in the input
    if (get_magic_quotes_gpc()) {
        $username = stripslashes($username);
        $passid   = stripslashes($passid);
    }

    // The password column holds MD5 hashes, so hash the submitted password here.
    // The hash is 32 hex digits and contains nothing that needs escaping.
    $passhash = md5($passid);

    // mysql_real_escape_string() (see www.php.net) needs an open connection from
    // mysql_connect() and escapes the characters that could end the quoted string.
    // (The mysql_* extension is removed in PHP 7; mysqli or PDO replace it.)
    $username = mysql_real_escape_string($username);

    // Query your database, comparing the hash rather than the raw password
    $sql = "SELECT * FROM table_name WHERE adminuser='$username' AND adminpass='$passhash'";

    // mysql_error() reports why a query failed, which helps you pin-point errors in it
    $result = mysql_query($sql) or die(mysql_error());
}
?>
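The same login check written with a prepared statement, as an added example that is not code from the original thread. Binding the values means the submitted username is never spliced into the SQL text, so escaping it by hand is no longer the thing the login depends on. It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory SQLite database stands in for MySQL so the script runs without a server (for MySQL the DSN would be `mysql:host=localhost;dbname=yourdb` with the same prepare()/execute() calls), and the table name, account and submissions are constructed.

```php
<?php
// Added example, not code from the original thread: the admin login check with a
// prepared statement, so submitted values are bound as data and never spliced into
// the SQL text. Assumes PHP 7.1+ with pdo_sqlite; an in-memory SQLite database
// stands in for MySQL so the script runs without a server.

function openDemoDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admins (adminuser TEXT PRIMARY KEY, adminpass TEXT NOT NULL)');

    // Constructed sample account. The stored value is a salted, slow hash rather
    // than md5(password), so a leaked table does not map straight back to passwords.
    $insert = $db->prepare('INSERT INTO admins (adminuser, adminpass) VALUES (:user, :hash)');
    $insert->execute([
        ':user' => "o'neil",   // a legitimate username containing a single quote
        ':hash' => password_hash('correct horse battery', PASSWORD_DEFAULT),
    ]);
    return $db;
}

// True only when the username exists and the password matches its stored hash.
function loginIsValid(PDO $db, string $username, string $password): bool
{
    // The named placeholder is filled in by the driver at execute() time; quotes,
    // backslashes or SQL keywords inside $username cannot change the statement.
    $stmt = $db->prepare('SELECT adminpass FROM admins WHERE adminuser = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user
    }
    // Compare against the stored hash in PHP instead of rebuilding md5() inside the SQL.
    return password_verify($password, $row['adminpass']);
}

// Simulated form submissions (constructed; in the real handler these come from $_POST).
$db = openDemoDatabase();
$attempts = [
    ["o'neil", 'correct horse battery'],   // right user, right password
    ["o'neil", 'wrong password'],          // right user, wrong password
    ["o'neil's twin", 'anything'],         // quote-bearing name that is not in the table
];
foreach ($attempts as [$user, $pass]) {
    printf("%-16s -> %s\n", $user, loginIsValid($db, $user, $pass) ? 'login ok' : 'rejected');
}
```

The quote in `o'neil` needs no special handling because the driver sends the value separately from the statement; the same holds for the mysql DSN, where PDO uses the server's native prepared statements (or emulates them client-side if `PDO::ATTR_EMULATE_PREPARES` is left on).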
Re: Sql Injection How Do I Prevent It by lojik(m): 7:30pm On Jun 29, 2009
@nitation
Sorry about that advice. It might not relate to the topic because, rather than answer the topic, I probably responded to the question content about "hacking via the login field". I might have overlooked the topic after reading the content of his question.

However, though it doesn't prevent SQL injection, it prevents hackers using listeners (http://3d2f.com/tags/password/sniffers/) from listening to passwords entered by your client before they reach your server.

Refer to:
http://infotech.indiatimes.com/articleshow/msid-553621,flstry-1.cms for the Yahoo hash function

Other relevant MD5 resources for you:
http://perl-md5-login.sourceforge.net/
http://pajhome.org.uk/crypt/md5/auth.html
http://www.phpeasystep.com/phptu/26.html
http://en.kioskea.net/faq/sujet-2157-how-to-store-and-verify-a-password

@poster, no harm meant o. You can still implement my advice as it proves more secure than sending plain passwords over the internet. I use it on all my login pages; Yahoo and every major global web app use it.
Re: Sql Injection How Do I Prevent It by nitation(m): 8:12pm On Jun 29, 2009
And who says MD5 cannot be decrypted? lol

- nitation
Re: Sql Injection How Do I Prevent It by kolitos007: 8:41pm On Jun 29, 2009
The question you have asked has been discussed before; see https://www.nairaland.com/nigeria?topic=285400.msg4051845#msg4051845
Re: Sql Injection How Do I Prevent It by Nobody: 3:39am On Jun 30, 2009
nitation:

And who says MD5 cannot be decrypted? lol

- nitation
moi . . . you guys should just take it easy already
Re: Sql Injection How Do I Prevent It by lojik(m): 8:01am On Jun 30, 2009
nitation:

And who says MD5 cannot be decrypted? lol

- nitation

MD5 decryption requires a lot of computing power and, moreover, I use a self-modified version.

As far as I know, it's still the most difficult to decrypt. Close to impossible, they say (because you need enormous computing power to do that to the algorithm).
Re: Sql Injection How Do I Prevent It by nitation(m): 9:43am On Jun 30, 2009
[s]Post ten correct MD5 hash on this board. [/s]

Note that MD5 is not regarded as the best method of encryption

- nitation
Re: Sql Injection How Do I Prevent It by kolitos007: 12:16pm On Jun 30, 2009
Poster, has your problem been solved? As it's all going over again.
Re: Sql Injection How Do I Prevent It by kehers(m): 3:44pm On Jun 30, 2009
Yeah, yeah, MD5 is not a 100% foolproof way of encrypting DB passwords. But then, this is naija we're in now; how many people really care about going that extra mile to hack you down (except of course if you are Interswitch or so), so it's no crime running your encryption on MD5. But for the word sha, MD5 is not 100% safe (search around the web for rainbow tables and you'll understand).
I've stopped using MD5 for a while now. I use a password hashing algorithm you can check out here: http://www.openwall.com/phpass/ It guarantees better encryption security.
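What moving off unsalted MD5 looks like in practice, as an added example that is not code from the original thread or from phpass. It assumes PHP 7.1+ and uses the built-in password_hash()/password_verify() (PHP 5.5+) in the role of the phpass library the post links to; the user row, password and login attempts are constructed. It shows the property rainbow tables exploit (one input, one fixed MD5 output) against the salted form, and a verifier that accepts a legacy MD5 row once and rewrites it with a salted hash on that first successful login, so existing accounts migrate without a password reset.

```php
<?php
// Added example, not code from the original thread: replacing stored MD5 values
// with salted, slow hashes. password_hash()/password_verify() stand in for the
// phpass library mentioned in the post; the user row below is constructed.

// What the earlier snippet in this thread stores: an unsalted MD5 of the password.
$legacyRow = ['adminuser' => 'admin', 'adminpass' => md5('letmein2009')];

// Unsalted MD5 maps the same password to the same 32-hex-digit string everywhere,
// which is what lets one precomputed table answer for every site that stores it.
// password_hash() embeds a fresh random salt, so two calls never agree and a
// table built for one row says nothing about another.
function saltedHashesDiffer(string $password): bool
{
    return password_hash($password, PASSWORD_DEFAULT)
        !== password_hash($password, PASSWORD_DEFAULT);
}

// Verifies a submitted password against either a legacy MD5 value or a
// password_hash() string. Returns [valid, replacementHash]; replacementHash is
// non-null when the row should be rewritten: a legacy MD5 row is upgraded on its
// first successful login, and a modern hash is refreshed if the cost settings changed.
function verifyAndUpgrade(string $stored, string $password): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {       // legacy: bare MD5 hex digest
        if (!hash_equals($stored, md5($password))) {     // constant-time comparison
            return [false, null];
        }
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $refresh = password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [true, $refresh ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Simulated logins against the constructed row.
printf("salted hashes of one password differ: %s\n", saltedHashesDiffer('letmein2009') ? 'yes' : 'no');

[$ok, $newHash] = verifyAndUpgrade($legacyRow['adminpass'], 'wrong password');
printf("wrong password: %s\n", $ok ? 'accepted' : 'rejected');

[$ok, $newHash] = verifyAndUpgrade($legacyRow['adminpass'], 'letmein2009');
if ($ok && $newHash !== null) {
    // In a real application: UPDATE table_name SET adminpass = :hash WHERE adminuser = :user
    $legacyRow['adminpass'] = $newHash;
    printf("legacy login accepted; row rewritten with a %s hash\n", substr($newHash, 0, 4));
}

[$ok, $newHash] = verifyAndUpgrade($legacyRow['adminpass'], 'letmein2009');
printf("second login: %s; another rewrite needed: %s\n",
    $ok ? 'accepted' : 'rejected', $newHash === null ? 'no' : 'yes');
```

The legacy branch only exists for rows that have not logged in since the change; once every active account has been rewritten, the preg_match() check and md5() comparison can be deleted so the MD5 path is gone for good.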
Re: Sql Injection How Do I Prevent It by yawatide(f): 4:05pm On Jun 30, 2009
kehers,

I don't think you should go into developing a web app with that mentality. By so saying, you are implying that only people in Nigeria will view/want to harm your app. That's just like saying that since the game of mancala is an African one (what is mancala? Google it), nothing should be done to alter it in terms of making the game better.

Always code with the greater picture in mind. In the end, you will be a better programmer for it.
Re: Sql Injection How Do I Prevent It by kolitos007: 4:35pm On Jun 30, 2009
yawa-ti-de:

kehers,

I don't think you should go into developing a web app with that mentality. By so saying, you are implying that only people in Nigeria will view/want to harm your app. That's just like saying that since the game of mancala is an African one (what is mancala? Google it), nothing should be done to alter it in terms of making the game better.

Always code with the greater picture in mind. In the end, you will be a better programmer for it.

Fair point. Hackers do it for fun, and will just try to break anything no matter what country you are in.

Nairaland - Copyright © 2005 - 2024 Oluwaseun Osewa. All rights reserved.