Kamis, 03 Mei 2012

Membuat Anti SQL Injection

Contoh Aplikasi Form Login
Langkah pertama adalah pembuatan database:

Kemudian membuat script php:
Script
1. public_html/login_form.php

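<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>form login</title>
</head>
<body>
<!-- Credentials are POSTed to config/login_check.php. Keep method="post": a GET form would put
     the password into the URL, and from there into server logs and browser history. -->
<form name="login" action="config/login_check.php" method="post">
<table border="1" align="center" bordercolor="#00CCFF">
<tr><td colspan="2"><div align="center">Form Login</div></td></tr>
<tr><td>Username</td><td> : <input type="text" name="username" autocomplete="username"></td></tr>
<tr><td>Password</td><td> : <input type="password" name="password" autocomplete="current-password"></td></tr>
<tr><td colspan="2"><div align="center">
  <input type="submit" value="Login">
</div></td></tr>
</table>
</form>
</body>
</html>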

2. public_html/config/login_check.php

<?php
include "../conn.php"; //connection file
// Legacy input filter applied in this file to the posted username and to md5($_POST['password']).
// Pipeline, innermost first: htmlspecialchars(ENT_QUOTES) entity-encodes < > & ' " ; strip_tags()
// then sees no raw tags; stripslashes() silently drops any backslash; mysql_real_escape_string()
// escapes for a quoted SQL string and requires the connection opened by ../conn.php.
// The caller then rejects anything that is not ctype_alnum(), so an entity-encoded or escaped
// result (it contains & ; or \) never reaches the query; that whitelist, not this escaping, is
// what keeps the interpolated query below safe.
// NOTE(review): the mysql extension was removed in PHP 7.0; mysqli/PDO prepared statements
// make this escaping step unnecessary.
function anti_injection($data){
$filter = mysql_real_escape_string(stripslashes(strip_tags(htmlspecialchars($data,ENT_QUOTES))));
return $filter;
}
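// A missing POST field becomes '' so that ctype_alnum() below rejects it instead of the
// script raising an undefined-index notice.
$username = anti_injection(isset($_POST['username']) ? $_POST['username'] : '');
// NOTE(review): md5 is an unsalted fast digest, not a password hash; the stored scheme should
// move to password_hash()/password_verify(). Kept because the users table as shown holds md5
// values and changing it needs a migration.
$pass     = anti_injection(md5(isset($_POST['password']) ? $_POST['password'] : ''));
//make sure the username and password are character or number.
// ctype_alnum('') is false, so an empty username is rejected here too.
if (!ctype_alnum($username) OR !ctype_alnum($pass)){
echo "Bingo!! sekarang login form telah terlindungi. Tidak ada SQL Injection.";
}
else{
// Both values are whitelisted to [A-Za-z0-9] above, so they cannot break out of the quotes;
// a prepared statement (mysqli/PDO) is still the proper long-term replacement.
$login=mysql_query("select * from users where username='$username' and password='$pass'
and block='N'");
if ($login === false){
// Keep mysql_error() out of the browser (it leaks schema details); log it server-side.
error_log("login_check: query failed: " . mysql_error());
die("Database Error");
}
$found=mysql_num_rows($login);
//If found the username and password
if ($found > 0){
$r=mysql_fetch_array($login);
// timeout.php calls session_start() itself, so include it first and only start a session
// here if it did not (avoids the "session already started" notice).
include "timeout.php";
if (session_id() === ''){
session_start();
}
$_SESSION['username']     = $r['username'];
$_SESSION['fullname']     = $r['full_name'];
// NOTE(review): the password hash is not needed in the session (home.php only tests that the
// key is non-empty) and widens the impact of a session-store leak; kept for compatibility
// with home.php's check.
$_SESSION['passuser']     = $r['password'];
$_SESSION['leveluser']    = $r['level'];
// session timeout
$_SESSION['login'] = 1;
timer();
// Rotate the session id on login (session-fixation defence) and delete the old session
// file so the pre-login id cannot be replayed.
session_regenerate_id(true);
$new_sid = mysql_real_escape_string(session_id());
mysql_query("update users set id_session='$new_sid' where username='$username'");
header('location:../home.php'); //page redirection, after success login
exit; // nothing after the redirect may run
}
else{
echo "<center>LOGIN GAGAL!!<br/>
salah username atau password.<br/>
atau accaunt anda diblokir<br/>";
echo "<a href=../login_form.php><b>Coba Lagi</b></a></center>";
}
}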
?>

3. public_html/config/timeout.php

<?php
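// Guarded so that files which already called session_start() before including this one
// (login_check.php, home.php) do not get a "session already started" notice.
if (session_id() === ''){
    session_start();
}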
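/**
 * Push the session's idle deadline forward from now.
 *
 * @param int $time seconds of inactivity allowed before login_check() fails
 *                  (defaults to 10000, the value the original hard-coded)
 * @return void
 */
function timer($time = 10000){
    // Quoted key: the bare constant `timeout` used before is a notice in PHP 5/7 and an Error in 8.
    $_SESSION['timeout'] = time() + (int) $time;
}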
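/**
 * Report whether the session is still inside its idle window.
 *
 * On success the deadline is extended via timer(); on expiry the deadline key is removed.
 * A session with no deadline at all (never logged in, or already expired) counts as expired,
 * which is the outcome the old code reached after an undefined-index notice.
 *
 * @return bool
 */
function login_check(){
    $timeout = isset($_SESSION['timeout']) ? (int) $_SESSION['timeout'] : 0;
    if (time() < $timeout){
        timer();
        return true;
    }
    unset($_SESSION['timeout']);
    return false;
}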
?>
4. public_html/config/logout.php
<?php
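session_start();
// session_destroy() only removes the server-side data; clear the array and expire the
// session cookie as well so the browser stops presenting the old id.
$_SESSION = array();
if (ini_get("session.use_cookies")){
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]);
}
session_destroy();
echo "<center>Anda berhasil Keluar dari sistem.<b>[LOGOUT]</b></center>";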
?>

5. public_html/home.php
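<?php
// config/timeout.php starts the session itself; including it first and then starting one
// only if needed avoids the "session already started" notice.
include "config/timeout.php";
if (session_id() === ''){
session_start();
}
// error_reporting(0) used to hide the undefined-index notices this file produced; with the
// isset() guard below they no longer occur, so errors can reach the log again.
$loggedIn = isset($_SESSION['login']) ? (int) $_SESSION['login'] : 0;
if ($loggedIn == 1){
if(!login_check()){
$_SESSION['login'] = 0;
$loggedIn = 0;
}
}
if ($loggedIn == 0){
header('location:login_form.php');
exit; // do not render the page body after the redirect
}
// A 'login' flag without the user data set by config/login_check.php is not a usable session.
// (The original condition also required login==0, which is impossible here, so it never fired.)
if (empty($_SESSION['username']) OR empty($_SESSION['passuser'])){
echo "<center>Untuk mengakses halaman ini, login dulu ya!<br/>";
echo "<a href=login_form.php><b>LOGIN</b></a></center>";
}
else{
?>

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
<style type="text/css">
<!--
#Layer1 {
            padding:10px;
            width:1000px;
            height:280px;
            background-color: #00CCFF;
}
.style1 {color: #000000}
-->
</style>
</head>
<body>
<div id="Layer1">
  <h1 align="center" class="style1">Selamat Datang </h1>
  <h4 align="center" class="style1">Di Web Ku </h4>
 
  <p align="center"><a href="config/logout.php" target="_parent">logout</a></p>
  <p>&nbsp;</p>
</div>
</body>
</html>
<?php
}
?>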

6. public_html/conn.php

<?php
// Database settings used by the mysql_* calls in config/login_check.php.
// NOTE(review): 'root' with an empty password is a development default; production should
// use a dedicated least-privileged account, and this file belongs outside the web root.
$host         = "localhost";
$username     = "root";
$password     = "";
$databasename = "users";

// mysql_connect() returns false on failure; stop with the same message the or-die form printed.
// (The mysql extension was removed in PHP 7.0; mysqli or PDO is the replacement.)
$connection = mysql_connect($host, $username, $password);
if (!$connection) {
    die("Kesalahan Koneksi ... !!
");
}
if (!mysql_select_db($databasename, $connection)) {
    die("Database Error");
}
?>





tolong tinggalkan komentar ya! selamat membaca :D