Strider64 Posted May 21, 2013

Going through and making sure everything is secure, I think I found a flaw. There is no need for:

    if ($_SERVER['REQUEST_METHOD'] == 'POST')

for it's redundant and poses a security issue - never trust $_SERVER. All you have to do is this:

    // Validate the form data:
    if ($form->validate()) {

        // Check against the database:
        $query = 'SELECT id, userType, username, email, pass FROM users WHERE username=:username';
        $stmt = $pdo->prepare($query);
        $result = $stmt->execute(array(':username' => $username->getValue()));

        // Try to fetch the results (fetch() returns false when no row matches):
        $user = false;
        if ($result) {
            $stmt->setFetchMode(PDO::FETCH_CLASS, 'Member');
            $user = $stmt->fetch();
        }

        // Verify stored hashed password, but only when a user row was found,
        // otherwise $user->pass would be read from false:
        $result = ($user !== false) && password_verify($password->getValue(), $user->pass);

        // Store the user in the session and redirect:
        if ($result) {

            // Store in a session:
            $_SESSION['user'] = $user;

            // Redirect:
            header("Location: index.php");
            exit;
        }

    } // End of form validation IF.

I have been testing this thoroughly and it works.
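For comparison, here is an added example of the same login flow written from the defender's side; it is not code from either poster. It assumes a connected PDO instance in $pdo, a users table with the columns the post selects (id, userType, username, email, pass, where pass holds a password_hash() result), a Member class for PDO::FETCH_CLASS, and $form, $username and $password form objects exposing validate() and getValue() as in the post; the authenticate() function and the $errors array are hypothetical names chosen for this example. It keeps the REQUEST_METHOD check as a routing guard, handles the no-such-user case so password_verify() is never called on a missing row, and regenerates the session id on login.

```php
<?php
// Added example, not from the original thread. Assumed: $pdo (PDO), a Member
// class, and $form / $username / $password form objects as in the post.
declare(strict_types=1);

/**
 * Looks up the user and checks the password. Returns the Member on success
 * or null on any failure, without revealing which step failed.
 */
function authenticate(PDO $pdo, string $username, string $password): ?Member
{
    // Hash of a throwaway password, built once, so the failure path for an
    // unknown username costs about as much as a real password_verify().
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare(
        'SELECT id, userType, username, email, pass FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $stmt->setFetchMode(PDO::FETCH_CLASS, Member::class);

    $user = $stmt->fetch();
    if ($user === false) {
        // No row: still do the verify work, then fail.
        password_verify($password, $dummyHash);
        return null;
    }

    if (!password_verify($password, $user->pass)) {
        return null;
    }

    // Upgrade the stored hash if it was made with an older cost or algorithm.
    if (password_needs_rehash($user->pass, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET pass = :pass WHERE id = :id');
        $upd->execute([
            ':pass' => password_hash($password, PASSWORD_DEFAULT),
            ':id'   => $user->id,
        ]);
    }

    return $user;
}

$errors = [];

// The method check only routes the request; the controls that matter are the
// form validation, the prepared statement and password_verify().
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $form->validate()) {
    $user = authenticate($pdo, $username->getValue(), $password->getValue());

    if ($user !== null) {
        // A fresh session id at login prevents session fixation.
        session_regenerate_id(true);
        // Keep only what later pages need; the hash never goes into the session.
        unset($user->pass);
        $_SESSION['user'] = $user;
        header('Location: index.php');
        exit;
    }

    // One generic message for both "unknown user" and "wrong password".
    $errors[] = 'Invalid username or password.';
}
```

The two behaviours worth noting against the posted snippet: fetch() returns false when the username is unknown, so the verify step must be skipped or fed a dummy hash rather than reading $user->pass from a boolean, and the session id should change at the moment the session gains a logged-in user.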
HartleySan Posted May 21, 2013

Where's the replacement for "if ($_SERVER['REQUEST_METHOD'] == 'POST')" in your code? Also, what's the security hole associated with using $_SERVER in this case?