Security concern of custom password protection form

I have made a custom form by adding a new header and tpl file. This form is redirected to if certain categories and their containing products are accessed; if so, the user is redirected to my custom form that asks for a password. But I had a question on security issues, as I don't want to open myself up to SQL injection. This is what I have done and it is working perfectly:

1) Altered database to include an extra column in categories called 'pw'. Used the ppc mod from stevish as a base to make the extra field show in admin

2) Tpl file - added the form for the password input

3) Header file for custom form - added code to retrieve the 'pw' that shows as this

Code:
$categories_pw_obj = $db->Execute("SELECT pw FROM " . TABLE_CATEGORIES . " WHERE categories_id=67");
$categories_pw = $categories_pw_obj->fields['pw'];
What my header file does is IF the $user_pw matches the $categories_pw then I have it save both $user_pw and $categories_pw in SESSIONS. With these sessions, my product_info and index headers will see if they match and if so, allow access to those categories and products.

My concern is mostly on the header file for the custom form I did, as I know that versions of ZC after the ppc mod came out use 'bindvars' in the database pull. But I was wondering, if my form only checks the user input against the password set in admin, is this still open for attacks? Is there anything I should be aware of when doing a form like this to protect my site?

Appreciate any insight.
Last edited by mtncycling; 31 Jan 2014 at 12:59 AM.
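An added example (not the poster's code and not Zen Cart's own) of how the header-file check described above can be hardened: the category id goes through Zen Cart's bindVars() instead of being concatenated into the SQL, the user's input never touches the query at all, and the stored 'pw' value is a password_hash() digest checked with password_verify() rather than a plaintext string compared with ==. It assumes Zen Cart's $db (queryFactory), the TABLE_CATEGORIES constant and $current_category_id global, PHP 5.5+ for password_hash(), and that the admin side stores a hash in 'pw' (an assumption, since the post stores the plaintext).

```php
<?php
// Added example, not from the original post or Zen Cart. Assumes Zen Cart's $db
// (queryFactory with bindVars()), TABLE_CATEGORIES, and that the 'pw' column holds a
// password_hash() digest rather than the plaintext password (assumption).

/**
 * Returns true when $user_pw unlocks category $categories_id.
 * $categories_id may come from the request, so it is bound as an integer instead of
 * being concatenated; $user_pw is never placed in the SQL, so it cannot inject.
 */
function category_password_ok($db, $categories_id, $user_pw)
{
    // bindVars() replaces :cid with the value cast to the named type ('integer').
    $sql = "SELECT pw FROM " . TABLE_CATEGORIES . " WHERE categories_id = :cid LIMIT 1";
    $sql = $db->bindVars($sql, ':cid', (int)$categories_id, 'integer');
    $row = $db->Execute($sql);

    // Unknown category, or no password configured: deny rather than fall through.
    if ($row->EOF || $row->fields['pw'] === null || $row->fields['pw'] === '') {
        return false;
    }
    // password_verify() hashes the input and compares in constant time.
    return password_verify((string)$user_pw, $row->fields['pw']);
}

/**
 * Records the unlock in the session. Only the category id is stored, never the
 * password itself, so a leaked or shared session does not expose the secret.
 */
function unlock_category_in_session($categories_id)
{
    if (!isset($_SESSION['unlocked_categories'])) {
        $_SESSION['unlocked_categories'] = array();
    }
    $_SESSION['unlocked_categories'][(int)$categories_id] = true;
}

// product_info / index headers call this instead of comparing two stored passwords.
function category_is_unlocked($categories_id)
{
    return !empty($_SESSION['unlocked_categories'][(int)$categories_id]);
}

// Admin side (assumption): save password_hash($plaintext, PASSWORD_DEFAULT) into 'pw'.
// Form handler in the custom header file (assumed field name 'user_pw'):
// if (isset($_POST['user_pw'])
//     && category_password_ok($db, $current_category_id, $_POST['user_pw'])) {
//     unlock_category_in_session($current_category_id);
// }
```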