
Thread: Authentication script

  1. #1 Kezzer (Senior Member)

    Authentication script

    Tell me if you think it's ok. My PHP isn't so great. For the record, setting the $valid_user record to 1 in the HTTP header won't work, as it'll check using the isset() functions and then carry out the else statement in there.

    Code:
    <?php
        session_start();
        // $_GET, not _$GET; check the key exists before comparing it
        if(isset($_GET['p']) && $_GET['p'] == 'logout') {
            include('includes/logout.php');
        }
    ?>
    
    <html>
    <head>
    </head>
    
    <body>
    
    <?php
    
    // $username and $password arrive as globals here (register_globals);
    // with no form data, show the login page and stop
    if(!isset($username) || !isset($password)) {
       include('includes/login.php');
       exit();
    }
    
    session_register("username");
    session_register("password");
    
    // database connection here
    
    // $username is interpolated straight into the query with no validation or escaping
    $sql = mysql_query("SELECT * FROM user_table WHERE username = '$username'");
    $numrows = mysql_num_rows($sql);
    $fetch = mysql_fetch_array($sql);
    
    // password compared in clear text against the stored value
    if($numrows != "0" & $password == $fetch["password"]) {
       $valid_user = 1;
    }
    else
    {
       $valid_user = 0;
    }
    
    if(!($valid_user)) {
       session_unset();
       session_destroy();
    
       include('includes/login.php');
       exit();
    }
    else {
       include('includes/content.php');
    }
    ?>
    
    </body>
    </html>
    I've got a lot more work to do yet; I'd prefer to shove this all in function format so it's more OO.

    Cheers

  2. #2 TheAnimus (Seething Cauldron of Hatred)

    $username = SQL COMMENT, END COMMENT, DROP TABLE *

    haha.

    Get my drift?

    you need validation on the data.

    Also are you intentionally storing the passwords as clear text?

    Also, for clarity on your IF statement, & should be && with brackets around each term. Makes it easier to read, and single & might not work how you'd be expecting (logical versus conditional).
    throw new ArgumentException (String, String, Exception)

  3. #3 Kezzer (Senior Member)

    I didn't know PHP had both & as well as &&. I'd prefer some md5 encryption; I'll have to look it up in PHP's API.

    You're saying it's possible to carry out an SQL query through the validation of the username?

  4. #4 TheAnimus (Seething Cauldron of Hatred)

    MD5(value) returns an MD5 hash of value as a string. But because PHP has stupidly inefficient variables, you don't really know if it's going to be unicode or not; I believe they fixed that issue (only happened with certain databases).

    Because you've no validation of the username right now, it means you can use it to perform SQL injection attacks; I don't consider it necessary to fully describe the threat (I don't consider such "proof of concept" things as responsible!).

    What you want to do is make sure that anything you ever push into a database has been checked to only contain the characters you want (A-Z, a-z, 0-9 normally). PHP promotes inherently insecure code because of the "magic variables", where you have a string which is parsed for variables.

    As for encryption, a lot of people blindly MD5 hash the passwords. In fact a mate of mine from 6th form was mocking someone we know in the year below because he had written on his site that, whilst the database of passwords was compromised, they are stored in an unreversable fashion. Idiot, p=np is the mathematical problem which means it can't be reversed, so you simply have a dictionary of common passwords in MD5 format. In about 45 seconds, he had managed to pull over half of the users' passwords in this fashion.

    As such it's important to crypt the password with some other unique information about the user; often this is the first or last two letters of the username. Whilst it's still possible to make cipher text dictionaries, it makes it harder if they have to do every combination of passwords for each username.

  5. #5 Kezzer (Senior Member)

    Are there any free libs with useful functions to make life easier on me? I can program just fine in the language I write in, but PHP has a lot of differences syntactically and there's no need for me to be writing code that's already been written. I may write my own lib as I'm going to need it anyway. Fortunately it'll only be simple functions such as connecting to the database, logging in and retrieving values. I'll do the simple stuff for now though and then write it later on.

    I need an advanced PHP book I think, or some advanced articles on little details that I need to know about the language. It seems every PHP book I pick up teaches what compound statements / loops and so forth are, which is utterly pointless to me.

  6. #6 Member

    Kezzer,

    As TheAnimus has illustrated, you need to protect your web based application from SQL injection attacks. It's often overlooked, so I wouldn't be so downtrodden. In a nutshell you need to treat all data obtained from the user as 'tainted' and mitigate any risks that may arise from processing it. One way of protecting your application is to validate all data sent to the web application.

    The first step to protect your login system is to validate the input from the user:

    * If your username/password field in the DB is 10 chars long, then check that what the user has sent is 10 characters.
    * If more than 10 characters have been sent, truncate the variable to 10 characters.

    A second way of validating your user's input is to check that only alphanumeric characters have been sent. Why would a user need to have SQL code in their username? You could employ something like this in your code:
    Code:
    if (preg_match("/^\w{0,10}$/", $_GET['username'], $matches)) {
       // the whitelist guarantees $matches[0] is only word characters; quote it in the SQL
       $result = mysql_query("SELECT * FROM users WHERE username='$matches[0]'");
    }
    else {
       echo "Your username contained invalid characters";
    }
    A third way would be for you to formulate your SQL queries correctly. I've taken your code as an example and modified it to best practices. As a rule of thumb double quotes should surround variable data.
    Code:
    // single quotes don't interpolate $username, so concatenate it
    $sql = mysql_query('SELECT * FROM user_table WHERE username = "' . $username . '"');
    OR
    $sql = mysql_query("SELECT * FROM user_table WHERE username = \"$username\"");
    (\" is an escaped quote....)


    And finally, to answer your question about functions or libraries to make your life easier, there is one that comes to mind on this... Look up the mysql_real_escape_string() function in the PHP manual.

    Basically try this:
    Code:
    $result = mysql_query('SELECT * FROM user_table WHERE username="'.mysql_real_escape_string($_GET['username']).'"');
    The mysql_real_escape_string() function basically will prevent anything from being interpreted after the WHERE clause.
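The three measures above (a whitelist, quoting, and escaping) combined in one lookup, as an added example that is not from the thread. It goes one step further than the post by binding the value as a query parameter with mysqli; the table and column names follow the thread, and the connection details are placeholders.

```php
<?php
// Added example (not from the thread): whitelist validation plus a
// parameterised query. Table/column names (user_table, username, password)
// follow the thread; the mysqli connection parameters are assumed.

// Accept only 1..10 word characters, as the post suggests.
function valid_username(string $name): bool {
    return preg_match('/^\w{1,10}$/', $name) === 1;
}

// Look up a user by name. The value never becomes part of the SQL text:
// it is bound as a parameter, so quotes or comment sequences in it are
// treated as data, not syntax.
function find_user(mysqli $db, string $name): ?array {
    if (!valid_username($name)) {
        return null;                 // fail closed on unexpected input
    }
    $stmt = $db->prepare('SELECT username, password FROM user_table WHERE username = ?');
    $stmt->bind_param('s', $name);   // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// With the legacy mysql extension (removed in PHP 7) the equivalent is
//   "... WHERE username='" . mysql_real_escape_string($name) . "'"
// Escaping only helps when the value sits inside quotes in the SQL;
// an unquoted, escaped value is still injectable.

// Usage (connection parameters are placeholders):
$db  = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');
$row = find_user($db, $_GET['username'] ?? '');
if ($row === null) {
    echo 'Unknown user or invalid characters in username';
}
```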

  7. #7 Kezzer (Senior Member)

    Handy. Yes, I am a programmer, pretty much full-time; I just have issues with PHP, I seem to find it hard to grasp as I don't know much about the language.

    When I said a library, I meant one that actually has method implementations which allow you to do useful tasks such as connect and retrieve values etc.

    I'll look up some of those functions in the PHP manual to see where I can get. Like I say, I may create my own library, it'll be a very basic one but at least I can update the function implementation whenever I want.

  8. #8 TheAnimus (Seething Cauldron of Hatred)

    PHP is a hideous mismatch of a language; the result is people love it, it's C meets Perl. The result is a quick to write (badly), slow to run program that's inherently insecure.

    I personally think it's best to only allow certain characters, as you should play it safe. Only allow certain characters, and inform the user as such.

    But an easier way is to use the mysql_real_escape_string function. God I hate PHP's naming convention.

  9. #9 Norky (Bigger than Jesus)

    http://robm.me.uk/articles/php-security/

    Very good guide to PHP security, focusing a lot on SQL injection.

  10. #10 Kezzer (Senior Member)

    Ah cheers guys, I'll be doing a bit more work on it today so if I get stuck I know where to come.

  11. #11 Dav0s (Gaarrrrr!, Bristol)

    PHP Security 101

    When adding usernames/passwords to the server use "addslashes";
    for md5 just see the code below.

    Code:
    // fragment completed into a full INSERT using the thread's table and column names
    $sql = "INSERT INTO user_table (username, password) VALUES ('". addslashes($username) ."', '". addslashes(md5($password)) ."')";
    Like I said it's basic, but enough to stop basic hackers.

    Any experts feel free to correct my little bit of code, I don't know much.

  12. #12 TheAnimus (Seething Cauldron of Hatred)

    Quote Originally Posted by Davos
    PHP Security 101
    ...
    PHP Security 101.000000000000000000000000000000000000000000000001
    mysql_real_escape_string() instead of addslashes, as two people have mentioned above.

    PHP Security 102

    don't just blindly MD5 passwords.

    Why? Because otherwise you don't stop dictionary attacks.

    You should produce a hash text that's based on some other unique information; often this would be the second password or memorable information. Or more traditionally the last two chars of the username.
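The dictionary problem and the per-user salt from this post and post #4, as an added example that is not from the thread. It also shows the modern PHP equivalent (password_hash / password_verify), which is a swapped-in technique the thread does not mention; the user names and passwords are constructed.

```php
<?php
// Added example, not from the thread. Shows why a precomputed table of
// MD5 digests exposes unsalted passwords and how a per-user salt stops
// that. The sample users and passwords are constructed.

$users = ['alice' => 'letmein', 'bob' => 'letmein'];

// Unsalted: identical passwords give identical digests, so one dictionary
// entry for md5('letmein') identifies every user who chose that password.
$plain = array_map('md5', $users);
assert($plain['alice'] === $plain['bob']);

// The thread's suggestion: mix something unique to the user (here the last
// two characters of the username) into the input before hashing. Digests
// now differ per user, so a dictionary must be rebuilt per username.
function legacy_salted_hash(string $user, string $pass): string {
    return md5(substr($user, -2) . $pass);
}
assert(legacy_salted_hash('alice', 'letmein') !== legacy_salted_hash('bob', 'letmein'));

// Modern equivalent (PHP >= 5.5): password_hash picks a random salt per
// call and uses a deliberately slow algorithm, so lookups are impossible
// and brute force is expensive. Two stores of the same password differ.
function store_password(string $pass): string {
    return password_hash($pass, PASSWORD_DEFAULT);
}
function check_password(string $pass, string $stored): bool {
    return password_verify($pass, $stored);
}

$stored1 = store_password('letmein');
$stored2 = store_password('letmein');
assert($stored1 !== $stored2);
assert(check_password('letmein', $stored1));
assert(!check_password('wrong', $stored1));
```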
