Example:
Database Connect and Filter
//Initialize MySQLi connection
$db = new mysqli($_CONFIG['mysql']['hostname'], $_CONFIG['mysql']['username'], $_CONFIG['mysql']['password'], $_CONFIG['mysql']['database']);
if ($db->connect_errno) {
die("MySQLi error: ".$db->connect_error);
}
//filter injections
function filter($var)
{
global $db;
return $db->real_escape_string(stripslashes(htmlspecialchars($var)));
}
Set cookie after a successful login, check cookie and re-update each time
if(login) {
// after successful login
$cookiehash = md5(sha1($_SESSION['user_id'] . $recentIP));
$db->query('UPDATE users SET loginHash = "'.filter($cookiehash).'" WHERE id = '.filter($_SESSION['user_id']).'') or die(mysqli_error($db));
setcookie("customCookie",$cookiehash,time()+3600*24*365,'/','.'.$_SERVER['HTTP_HOST'].'');
}
// if the cookie is set, update expiration and set session id
CheckCookieLogin() {
global $db;
if (!empty($_COOKIE['customCookie'])) {
$cookie = $_COOKIE['customCookie'];
$query = $db->query('SELECT * FROM users WHERE loginHash = "'.filter($cookie).'"');
if($query->num_rows > 0) {
$_SESSION['user_id'] = 1;
// reset expiry date
setcookie("customCookie",$cookie,time()+3600*24*365,'/','.'.$_SERVER['HTTP_HOST'].'');
}
}
}
Would this still be vulnerable to any sort of injection attack?