Yesterday my site was hacked, the hacker managed to login to the admin area and post a blog which contained a redirect link to his website. So Im asking for a bit of help in making my login secure.
Here is my script:
$username = $_POST['username'];
$password = md5_base64($_POST['password']);
$stmt = $mysqli->prepare("SELECT id, username, password, permission FROM user WHERE username = ? AND password = ?");
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$stmt->bind_result($userid, $username, $password, $permission);
$stmt->store_result();
if(($numRows = $stmt->num_rows) > 0)
{
$response_array['status'] = "success";
$response_array['message'] = "Logged in";
}
else
{
$response_array['status'] = "error";
$response_array['message'] = "Sorry, Wrong Username/Password Combination" .$password;
}
Heres the md5_base64 function:
function md5_base64 ( $data )
{
return preg_replace('/=+$/','',base64_encode(md5($data,true)));
}
Any help, advice and improvements are greatly appreciated.
