I have some doubts about the security of my website, and I was wondering if I'm doing it correctly or not.
For POST/GET requests I always use mysqli_real_escape_string($connection, $2nd_parameter);
For password encryption I use password_hash('$password', PASSWORD_BCRYPT, array('salt' == 9));
People told me that BCRYPT is better than SHA for website passwords.
For login validation I use if($username === $db_username && $password === $db_password){};
For page accessibility checks I use
if($_SESSION['role'] == 'Admin'){header("Location: admin");}}
else{header("Location: index");}
For the database connection I use mysqli_connect('localhost', 'root', '', 'database');
I do realize that this connection is vulnerable since there is no password.
I would like to know if there is any better way to do these protection steps effectively and easily, and even make them much stronger.
1. mysqli_real_escape_string()
The escaping function is meant for inserting user input into SQL queries, not for use in GET/POST requests. There is a better and more comfortable way though: you can use prepared statements to protect from SQL injection. To escape user input for HTML, the function htmlspecialchars() is better suited.

2. password_hash()
The password_hash() function should indeed be used, though it would be safer and more future-proof to write it like this:
Your cost factor is a bit low, and with PASSWORD_DEFAULT the algorithm could be changed in future should this be necessary.

3. if($username === $db_username && $password === $db_password)
This is actually not possible if you really used the password_hash() function, because of the random salt. Instead you have to check the password with:

4. if($_SESSION['role'] == 'Admin'){header("Location: admin");}}
Redirecting to protected pages is unsafe; nobody prevents an attacker from calling the page directly. Each page has to check the permission on its own; if the logged-in user should not see the page, then you can show the password form.
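The following is an added example, not code from the question or the answer, that puts the answer's four points together in one place: prepared statements instead of mysqli_real_escape_string(), password_hash() with PASSWORD_DEFAULT and an explicit cost (the 'salt' option in the question is deprecated since PHP 7.0 and removed in PHP 8.0; 'cost' is the option to set), password_verify() instead of comparing with ===, and a permission check at the top of each protected page instead of a redirect. It assumes a table users(id, username, password_hash, role), a dedicated low-privilege database account named webapp whose password is read from the DB_PASSWORD environment variable, and that session_start() has already been called; all of those names are assumptions.

```php
<?php
// Added example (not the question's or answer's own code).
// Assumptions: table users(id, username, password_hash, role); a dedicated
// DB account `webapp` with its password in the DB_PASSWORD environment
// variable; session_start() already called by the including page.

declare(strict_types=1);

const BCRYPT_COST = 12; // assumption: raise until one hash takes ~100-250 ms on your server

function db(): mysqli
{
    // A dedicated account with its own password, never root with an empty one.
    $db = new mysqli('localhost', 'webapp', getenv('DB_PASSWORD') ?: '', 'database');
    $db->set_charset('utf8mb4'); // binding/escaping is only correct for the declared charset
    return $db;
}

function register(mysqli $db, string $username, string $password): bool
{
    // password_hash() generates a random salt itself; never pass your own.
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
    $role = 'User';
    $stmt = $db->prepare('INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $hash, $role);
    return $stmt->execute();
}

function login(mysqli $db, string $username, string $password): ?array
{
    // The username is bound as a parameter, so it can never alter the query's structure.
    $stmt = $db->prepare('SELECT id, username, password_hash, role FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // password_verify() re-derives the hash with the stored salt and compares in constant time;
    // `$password === $db_password` cannot work because the stored value is a salted hash.
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }

    // Transparently upgrade old hashes if the cost or default algorithm has been raised since.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT, ['cost' => BCRYPT_COST])) {
        $new = password_hash($password, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $new, $row['id']);
        $upd->execute();
    }

    session_regenerate_id(true); // new session id after login, so a pre-login id cannot be reused
    $_SESSION['user_id'] = $row['id'];
    $_SESSION['role']    = $row['role'];
    return ['id' => $row['id'], 'role' => $row['role']];
}

// Call this at the top of every protected page (e.g. admin.php). The page decides
// for itself; it does not rely on index.php only redirecting the right people to it.
function requireRole(string $role): void
{
    if (($_SESSION['role'] ?? null) !== $role) {
        http_response_code(403);
        exit('Forbidden'); // or render the login form instead
    }
}

// For output into HTML, escape with htmlspecialchars(), not mysqli_real_escape_string().
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

In admin.php the first lines would be session_start(); requireRole('Admin'); and a template would print user-supplied values only through e(). The prepared statements make the escaping function unnecessary for SQL, and password_needs_rehash() is what lets PASSWORD_DEFAULT change in a future PHP release without locking existing users out.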