The username and password is hardcoded into that script for the time being. How is hard coding the username and password into ProcessLogin. The username and password isn't really hard to guess if you really want to try :P But even if it was a real username and password, how can a login such as this be hacked to display the images? PS: username and password are the same, I'm just wondering if anyone can hack this login without any effort.
The important question is what happens after the login.
Are you setting a cookie to identify the user? What is in that cookie? How easy is it to fake that cookie? How easy is it to intercept that cookie (hint: without SSL, pretty easy)? Is a valid cookie required to open any of your protected pages? Or can I simply go to one of your "protected" pages if I know the URL and there'll be no check at all?
Is there any flaw in how the cookie is checked on those protected pages that may allow me to bypass the check?
What will it secure, as security is relative to what it is you are protecting.
I.e., consider the scenario that I put a list together with my favourite sports teams on it and stick that on the internet with the edit form behind a login screen: would SSL be enough to protect this data?
So if these images are of you walking your dog or such an other, then in all likelihood the security you have placed on the form is adequate.
Is there a way to make my login code more protected and prevent hackers?
Any help would be great, thanks.
The problem with your code is that you directly place the user input from the login boxes into the SQL query. This indeed is a security hole and allows SQL injection.
Short answer: yes. Your login code is wide open to SQL injection. You need to look into escaping user input. Take a few hours to read about SQL injection, understand the concept and explore the different solutions available. This SO question and its top answers are a nice resource to start reading.
Login systems are always too difficult to implement, though it seems to be very easy just by checking username and password for a match with an existing record. There are a lot of ways to implement it. All in one, you've to research about a lot of things.
If the CMS you're using doesn't use such a mechanism, redesign it and then use it.
If the website has a dedicated login section, click the Log In or Sign In link or button to go there.
If the website loads to a login screen (or if the login section is on the home page), you can skip this step. This displays the HTML source code of the current page in a new tab. This opens the Find tool, which lets you search through the document. Type password into the search box. This identifies all instances of the word "password" in the code. Use the arrows next to the search field to scroll through the results.
If you don't see any results, shorten the search to pass and repeat, then do the same with user, username, login, and other keywords which may describe login information.
If you're attempting to hack the website by logging in under the website's administrator credentials, the username may be something like "admin" or "root". Try entering an incorrect username and password combination. If you've combed through the HTML with no adequate search results, do the following: Close the source tab.
Type in random letters for the username or email address and password fields. Click the Log In button. Look for login credentials on the error page. Once you've updated the source code to reflect what's on the failed login attempt page, you can resume using the search bar to look for keywords pertaining to the login information.
Enter any found login credentials on the site. If you were able to retrieve some form of username and password from the website's HTML, try using the credentials in the website's login section. If they work, you've found the correct credentials. Again, the chances of anything you found in the HTML working as a successful login are extremely low.
Sites like Hackthissite and Hellbound Hackers provide you with real life scenarios that can help you learn. You might start there.
Eventually, yes. Every time you access a page, it makes a log file that contains your information. This includes your IP, which can later be traced back to you by authorities if they have the legal right to do so.
You don't literally change the script; you copy it to a text editor, then open it as an HTML file. This will open the website through the script that you saved in your computer.
Hacking a website account is illegal unless you are hacking your own account.
The kinds of hacking that are illegal (depending on your specific jurisdiction) are "theft of services" or "unauthorized access to a computer system" or "fraud."