Someone recently hacked my PHP CMS and planted an SQL injection. Is there a way to make my login code more protected and prevent hackers? Any help would be great, thanks.
Login Form
<div id="loginform">
<form method="post" action="check-login.php" name="form1">
<label for="username" /><span style="color:#FFFFFF; font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;">username:</span></label>
<input type="text" name="myusername" id="username"/>
<label for="password"/><span style="color:#FFFFFF; font-family:'Trebuchet MS', Arial, Helvetica, sans-serif;">password:</span></label>
<input type="password" name="mypassword" id="password"/>
<label for="submit"></label>
<input type="submit" name="sumbit" value="Login">
</form>
</div>
PHP
mysql_connect ($host, $username, $password) or die ("can't connect");
mysql_select_db ($db_name) or die (mysql_error());
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if ($count == 1){
session_register("myusername");
session_register("mypassword");
header("Location:cms/admin.php");
}else{
echo "Wrong username or password";
}
Wow. This is a big no-no:
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
You need to sanitize these inputs with at least mysql_real_escape_string.
Change it to this:
$myusername = mysql_real_escape_string($_POST['myusername']);
$mypassword = mysql_real_escape_string($_POST['mypassword']);
htmlentities() and htmlspecialchars() are also useful but I would advise against using them on data going into a database.