codeigniter admin login hacked although I have used all security matters

Question

hi friends,

how come have the code before hacked with SQL Injection :(

$query = $this->db->query("SELECT * FROM users WHERE username = ? AND password = ?", array(mysql_real_escape_string($this->input->post('username')), mysql_real_escape_string(MD5($this->input->post('password')))));  

appreciate helps!!

Answer 1

Try using the Active Record Class within the database library of codeigniter. It allows for safer queries, since the values are escaped automatically by the system.

http://codeigniter.com/user_guide/database/active_record.html

Answer 2

You don't need to use mysql_real_escape_string() as CodeIgniter Database driver does that for you. Double escaping your string could well cause some problems.

Answer 3

Use like this for more safer queries:

    $query_username = $this->db->query("SELECT COUNT(username) AS count_username FROM users WHERE username=?", $this->input->post('username'));
$row_username = $query_username->row_array();
if ($row_username['count_username'] > 0) {
  $query_password = $this->db->query("SELECT password FROM users WHERE username=?", $this->input->post('username'));
  $row_password = $query_password->row_array();
  if ($row_password['password'] == MD5($this->input->post('password')) {
    // LOGIN SUCCESS 
  } else {
    // LOGIN FAILED
  }
} else {
  // LOGIN FAILED
}