Security in verifying and validating user with PDO: PHP

I want to create a panel with a secure login environment, using the PDO as a form of validation.

To explain: I'm using the IPB forum database. Basically I want to reuse the forum's existing user accounts and create an environment where a member registered in my forum can access new functions. Here's the code:

database.php

// MYSQL HOST - IPB FORUM
$host_ipb     = "127.0.0.1";
$db_ipb       = "forum";
$user_ipb     = "root";
$userpass_ipb = "root";
try {
    $con_ipb = new PDO(
        "mysql:host=$host_ipb;dbname=$db_ipb",
        $user_ipb,
        $userpass_ipb,
        array(
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw on SQL errors instead of failing silently
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"
        )
    );
} catch (PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}

functions.php

function login($con_ipb, $email, $senha) {

    /* Look up the members_pass_salt for the requested e-mail (bound parameter, no string concatenation) */
    $dados_email   = array(':email' => $email);
    $p_query_email = $con_ipb->prepare("SELECT * FROM ipb_core_members WHERE email=:email");
    $p_query_email->execute($dados_email);
    $usuario_email = $p_query_email->fetch(PDO::FETCH_OBJ);

    if (!$usuario_email) {
        /* Unknown e-mail: no salt to work with, treat it as a failed login */
        header("Location:error.html");
        exit;
    }
    $members_pass_salt = $usuario_email->members_pass_salt;

    /* Convert the password into IPB's members_pass_hash format (bcrypt, cost 13, stored salt) */
    $members_pass_hash = crypt($senha, '$2a$13$' . $members_pass_salt);

    /* Check e-mail and password (members_pass_hash) together and authorise the session */
    $dados_user_pass  = array(':email' => $email, ':members_pass_hash' => $members_pass_hash);
    $p_query_verifica = $con_ipb->prepare("SELECT * FROM ipb_core_members WHERE email=:email and members_pass_hash=:members_pass_hash");
    $p_query_verifica->execute($dados_user_pass);
    $email_senha = $p_query_verifica->fetch(PDO::FETCH_OBJ);

    if ($email_senha) {
        ini_set('default_charset', 'UTF-8');
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start(); /* the session must be started before writing to $_SESSION */
        }
        $_SESSION["email_senha"] = $email_senha;
        $_SESSION['email']       = $email;
        header("Location:dashboard.html");
    } else {
        header("Location:error.html");
    }
    exit; /* stop the script after the redirect so nothing else runs */
}

verify.php

require_once('configs/database.php');  /* provides $con_ipb (path assumed to match functions.php) */
require_once('configs/functions.php');
$email = $_POST['email'] ?? '';
$senha = $_POST['senha'] ?? '';
login($con_ipb, $email, $senha); /* redirects and exits; login() returns nothing to echo */

It is functional, with no errors. My question is whether it is safe to use in a secure environment, with no possibility of SQL injection.

Thank you!

asked by anonymous 09.04.2018 / 03:56
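As an added example (not the asker's code), the same IPB lookup written the way a reviewer would want it: the e-mail stays a bound parameter, the bcrypt check is done in PHP with password_verify() instead of a second "WHERE members_pass_hash = :hash" query, only the member id and e-mail go into the session, and the session id is regenerated on login. It assumes, as the asker's comparison implies, that members_pass_hash holds the full crypt() output ("$2a$13$" followed by salt and hash); the column name member_id is also an assumption.

```php
<?php
// Hardened login for the IPB member table. Assumptions: $con_ipb is the
// PDO handle from database.php (ERRMODE_EXCEPTION), members_pass_hash holds
// the full bcrypt string, and member_id is the primary-key column.

function loginSecure(PDO $con_ipb, string $email, string $senha): bool
{
    // Bound parameter: the e-mail is sent separately from the SQL text,
    // so quotes or comment markers in it are just characters to compare.
    $stmt = $con_ipb->prepare(
        'SELECT member_id, email, members_pass_hash
           FROM ipb_core_members WHERE email = :email LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);

    // When the e-mail is unknown, verify against a dummy bcrypt hash of the
    // same cost (13, as on the page) so both paths take similar time and
    // the response does not reveal which e-mails exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => 13]);
    }
    $hash = $row ? $row->members_pass_hash : $dummy;

    // password_verify() runs crypt() and compares with hash_equals(),
    // so "$2a$" hashes are accepted and the comparison is constant-time.
    if (!password_verify($senha, $hash) || $row === false) {
        return false;
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);      // fresh id on privilege change
    $_SESSION['member_id'] = (int) $row->member_id;
    $_SESSION['email']     = $row->email;   // no hash or full row in the session
    return true;
}

// Caller (the verify.php equivalent): redirect on the result, then stop.
if (loginSecure($con_ipb, $_POST['email'] ?? '', $_POST['senha'] ?? '')) {
    header('Location: dashboard.html');
} else {
    header('Location: error.html');
}
exit;
```

Because both passwords and the dummy are checked at cost 13, each call takes a few hundred milliseconds; keep that in mind when adding rate limiting in front of it.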

0 answers