php security

06-01-2005, 11:07 PM
#1
derek lapp

Code:
index/login:
<?php

session_start(); // required before writing to $_SESSION, otherwise the values set below are lost
if(isset($_POST['login'])) {

	include 'config.php';
	$username = trim($_POST['username']);
	$password = md5(trim($_POST['password']));
	$query = mysql_query("SELECT * FROM Users WHERE Username = '$username' AND Password = '$password' LIMIT 1")
		or die(mysql_error());
	// now we check if they are activated

	if(mysql_num_rows($query) > 0) {

		$_SESSION['s_logged_n'] = "true";
		$_SESSION['s_username'] = $username;
		setcookie("access", "yes", time()+3600);

		header("Location: member.php");

	} else {

		include 'functions.php';
		writeHeader();
		echo '
		<h1>Vectorthis Login</h1>
		<h2>There was an error processing your login, it appears that your username and/or password was incorrect. Please try again.</h2>

</body>
</html>';

	}
}
?>
Code:
interior pages:
<?php

session_start();
include 'config.php';
if($_SESSION['s_logged_n'] == "true" && $_COOKIE['access']=="yes") {

	// do_php_stuff

} else {

	print "Log-in Jerk";

}

?>
I'm pretty sure that's not very secure.

I've just read a little bit about SQL injection, and for public fields/forms I'm writing some functions that will strip away any illegal characters that could interfere with the queries, but I'm really concerned with behind the scenes stuff that I don't want unauthorized people to see.

I can set sessions/cookies, but I hear session hijacking and stuff like that is pretty easy, which makes me concerned with my own security.

Is there anything else I can do to prevent unauthorized users from viewing pages? I'm not very good with classes, so I don't have much beyond this. I might be able to understand them if I looked at them, but I don't know if I'd understand it well enough to manipulate it or create my own, and I haven't really seen anything else dealing with this issue.
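A hardened version of the login and page-guard pattern in the post above, added here as an example; it is not code from the thread. It assumes PHP 7.3 or later, a config.php that creates a PDO connection in $pdo (the original's config.php is not shown), and a Users table whose password column, here called PasswordHash, holds password_hash() output instead of an md5 digest. The file names login.php and member.php follow the post; the functions are written so the same three concerns (query built from user input, password storage, proof of login) each have one place to look.

```php
<?php
// Added example, not the thread's code. Assumptions: PHP >= 7.3, config.php
// defines a PDO connection in $pdo, and Users.PasswordHash holds password_hash()
// output (the original stores md5 in Users.Password).
declare(strict_types=1);

require 'config.php'; // assumed to set $pdo; require, so a missing file stops the script

function secureSessionStart(): void
{
    // The session cookie is unreadable from JavaScript, sent only over HTTPS
    // and not attached to cross-site requests; this narrows how the id can leak.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

function attemptLogin(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the username travels as data, never as part of the SQL
    // text, so a quote inside it cannot change what the query means.
    $stmt = $pdo->prepare('SELECT PasswordHash FROM Users WHERE Username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the per-user salt embedded in the stored hash and
    // compares in constant time. Unknown user and wrong password both end here.
    if ($row === false || !password_verify($password, $row['PasswordHash'])) {
        return false;
    }

    // Fresh session id at the moment of login: an id that was fixed or observed
    // before authentication no longer refers to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// Guard for interior pages. The login state lives only in server-side session
// data; a flag such as access=yes in a cookie is supplied by the browser and
// therefore proves nothing about who is logged in.
function requireLogin(): string
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['user'];
}

// --- login.php ---
secureSessionStart();
if (isset($_POST['login'])) {
    $username = trim((string)($_POST['username'] ?? ''));
    $password = (string)($_POST['password'] ?? '');

    if (attemptLogin($pdo, $username, $password)) {
        header('Location: member.php'); // header() must come before any output
        exit;
    }
    // One generic message, so the response does not say which half was wrong.
    echo '<h1>Vectorthis Login</h1>';
    echo '<h2>Username or password incorrect. Please try again.</h2>';
}

// --- member.php (an interior page) ---
// secureSessionStart();
// $user = requireLogin();
// ... page content for $user ...
```

At registration the stored value is produced with password_hash($password, PASSWORD_DEFAULT); nothing else in the application ever needs to compute a digest itself. Because the guard checks only $_SESSION, there is no second client-side token to keep in sync, which removes the access cookie from the original code entirely.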

06-02-2005, 12:14 AM
#2
FiveInteractive

Looks like we're waiting for Freddy or Travis for this one

06-02-2005, 07:56 AM
#3
Koobi

hmm I would usually do this to check if the form is submitted:
if('Login' === $_POST['login'])
That assumes the value attribute of the button is 'Login'. That simply checks if $_POST['login'] contains the value 'Login' as a string.

Also, since the config.php file is a vital component here, you should either use require instead of include or do this:
PHP Code:
<?php
if(!include 'config.php')
{
    die('Internal error blah blah');
}
?>

You might also want to apply strip_tags() to the username




This is the function I use to escape all illegal characters from an SQL query:
PHP Code:
function koobi_escapeSql($badQuery, $inOut = TRUE)
{
    switch($inOut)
    {
        case TRUE:
            // input: add slashes unless magic quotes has already done so
            $badQuery = (!get_magic_quotes_gpc()) ? addslashes($badQuery) : $badQuery;
            // quote non-numeric values and escape them for MySQL
            $badQuery = (!is_numeric($badQuery)) ? "'" . mysql_real_escape_string($badQuery) . "'" : $badQuery;
            break;

        case FALSE:
            // output: remove the slashes that magic quotes added
            $badQuery = (get_magic_quotes_gpc()) ? stripslashes($badQuery) : $badQuery;
            break;
    }

    return $badQuery;
}

(if the syntax above seems unfamiliar to you, look up the Ternary Operator)


Example usage:
FOR INPUT
PHP Code:
$myQuery = '    INSERT INTO myPrefix_myTable
            SET username=' . koobi_escapeSql($_POST['username']);

FOR OUTPUT
PHP Code:
$myQuery = '    SELECT *
            FROM myPrefix_myTable
            WHERE username=' . koobi_escapeSql($_POST['username'], false);
Note that in my function, I check for get_magic_quotes_gpc() so if you entered the info into the db when php.ini had the magic quotes off and extracted it after someone decided to turn it on or vice versa, your output will have extra/no slashes so watch out for that.



If you get the 'headers already sent' error, look up output buffering (ob_start()). What that does is buffer all the data, send the headers first and then send the output text.



I could just type everything out again but I'm lazy so I will link you to another thread on another board...hope it's not a problem with the mods, if it is, then please remove this link:
http://www.phpfreaks.com/forums/inde...dpost&p=238670





:edit:
About session hijacking, you might as well search Google. Don't get me wrong here, but a tutorial you'd find on Google will probably explain it a lot better, with more detail and hardly anything left out, since it will be written after careful consideration and not just as some forum post.
http://www.google.com/search?hl=en&l...hp&btnG=Search



Also, I would advise you to create a DB abstraction layer and even a session class if you're familiar with OOP. It will make things very easy for you, and remember, in OOP, planning your code before you write it is perhaps the most important thing.

06-02-2005, 09:43 AM
#4
opserty

Originally Posted by Koobi
It will make things very easy for you and remember in OOP, planning your code before you write it is perhaps the most important thing.
Oops (get it, haha), I've already got it wrong. Nice post.

Found these two links; had a look at the first one but not the second, maybe they help.

http://shiflett.org/php-security.pdf
http://www.phpwact.org/security/web_...ation_security

06-02-2005, 05:00 PM
#5
derek lapp

thanks koob! I saw a thread with your input at TR42 but once the classes came out, I got totally lost. I'm having trouble wrapping my head around OOP. It's been a while since I looked at objects so I should hit my books again to remember how they work.

thanks for the advice.

06-02-2005, 10:05 PM
#6
Koobi

Sure thing. I'm also slowly relearning OOP so if you have anything you want to know, let me know on this forum

06-03-2005, 02:08 PM
#7
Travis

A fair bit of advice has been given and the first link given by opserty had a fair bit of useful information.

I will just add a couple more comments which are a little more trivial but may help. Firstly, make users enter passwords of > 8 characters. This would take a computer years to crack if it did not know the algorithm. Something of 6 characters can be hacked in under 30 minutes if I remember correctly.

Also if you want to try and stop a computer from repeatedly trying to access a system you can implement a 3 strikes rule where the user's account would be locked out for x time. Another wrong try and the time would increase, and then verify that the person is who they say to get it unlocked. Probably only for things that need a fair bit of additional security.

Banks sometimes use a grid system where a user has to enter the letter they see in a grid and the session is created from this making it harder to decipher the algorithm for sessions. Some European banks also now send an sms message to your phone to enter so it is more random. Probably only worth considering for your average application (or most apps on the net unless it is on like a bank scale).

Also I read somewhere that md5 can now be hacked even though it is meant to be one way encryption (or hashing) but I haven't seen anything more about this so it is probably safe to use that for now for your passwords but more may be needed to be done in the future.

As far as sql injection goes I thought it was fully protected so that you cannot alter sql queries based on the user input (well if it isn't, the way I have coded has always prevented this); you can easily test if your code is vulnerable to sql injection attacks though. Stripping html tags is good practice so long as you don't require your client to enter html. If they do you can make exceptions for these.

I suppose you should always make sure not only that what you program is secure but also that the web server and MySQL are secure.

06-03-2005, 10:31 PM
#8
Koobi

Good tips there, especially about the password length

md5 has been cracked now with some tools apparently, so has sha1. In any case, sha1 is a better choice than md5.
Since md5 and sha1 are one way hashes, this is probably done with brute force.
I guess it's time for some other form of encryption..like blowfish or something like that..but if you're lazy like me :P, you can just use a combination of sha1() and md5() with a secret salt just to make it harder to crack, but not impossible.
Another thing you could do is use SQL's SET PASSWORD syntax.

And the deal with SQL injection is more about quotes and the equal sign.
Here's some links I found on google:
http://www.unixwiz.net/techtips/sql-injection.html
http://www.securiteam.com/securityre...DP0N1P76E.html





:edit:
Another thing, on MANY sites, I often see users including pages for navigation. Just make sure you use file_exists() to double check if the file exists before actually including it...otherwise, a user with malicious intent can include a remote file (remote files can only be included depending on your php.ini settings) that echoes your system password, then you're fried heh heh
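The md5 discussion in the two posts above (Travis's "md5 can now be hacked" and Koobi's sha1-plus-salt suggestion) is worth pinning down with code. The example below is added here and is not from the thread; it uses constructed sample values and PHP 7 or later. The published attacks on MD5 and SHA-1 are collision attacks, which do not by themselves recover a password from its digest; what makes an unsalted md5 column weak is that the function is fast and that equal passwords give equal digests, so one precomputed table serves every user and every site. password_hash() addresses both, and the last part shows a migration path for a Users table that already holds md5 values.

```php
<?php
// Added example, not code from the thread. Constructed sample values; PHP >= 7.
declare(strict_types=1);

$password = 'correct horse'; // constructed: a password two different users chose

// 1. Unsalted md5: the digest depends on the password alone, so both users,
//    and anyone on any other site with this password, share one identical value.
$digestA = md5($password);
$digestB = md5($password);
$md5Identical = ($digestA === $digestB); // true for any two users with this password

// 2. password_hash() draws a random salt per call and stores algorithm, cost
//    and salt inside the result, so the two users get different strings that
//    each still verify against the password.
$hash1 = password_hash($password, PASSWORD_DEFAULT);
$hash2 = password_hash($password, PASSWORD_DEFAULT);
$hashesDiffer  = ($hash1 !== $hash2);             // the stored values differ
$rightAccepted = password_verify($password, $hash1); // correct password verifies
$wrongRejected = !password_verify('wrong', $hash1);  // wrong password does not

// 3. Migrating an existing table: accept the legacy md5 one last time, then
//    hand back a replacement hash for the caller to write over it.
function verifyAndUpgrade(string $password, string $stored, ?string &$newHash): bool
{
    $newHash = null;

    // Legacy row: exactly 32 lowercase hex characters, as md5() produces.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Cost or algorithm changed since this hash was made: rehash on login.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$replacement = null;
$legacyOk = verifyAndUpgrade($password, md5($password), $replacement);
// $legacyOk is true and $replacement now holds the password_hash() value to
// store in place of the md5; the next login takes the password_verify() branch.
$legacyBad = verifyAndUpgrade('wrong', md5($password), $replacement);
// $legacyBad is false and $replacement is null: nothing is rewritten.

foreach (compact('md5Identical', 'hashesDiffer', 'rightAccepted', 'wrongRejected', 'legacyOk', 'legacyBad') as $name => $value) {
    printf("%-14s %s\n", $name, $value ? 'true' : 'false');
}
```

Combining sha1() and md5() with a fixed secret salt, as suggested in the post, still yields one fast, deterministic digest per password and keeps the whole table dependent on one secret staying secret; a per-row random salt and a deliberately slow function are what password_hash() adds.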

06-04-2005, 03:28 AM
#9
Travis

In regards to the page about sql injection I wouldn't be so sure what they are saying is true. Take their example:

SELECT fieldlist
FROM table
WHERE field = 'steve@unixwiz.net'';

That extra quote is interpreted differently by mysql to prevent this from happening, so only anything between the quotes the programmer entered. The only way I can see this happening is if the programmer initially generates a string in another variable then executes the query; it may cause an error, e.g.:

PHP Code:
$query = "SELECT fieldlist
              FROM table
              WHERE field = '$email'";
mysql_query($query);
I am pretty sure if it is done like this you don't have to worry about going through all the stuff it says on that page:

PHP Code:
mysql_query("SELECT fieldlist
                   FROM table
                   WHERE field = '$email'");
Try it yourself. I might try this just to make sure I am right as well.

I think that included files can be solved by setting the permissions to the included files so that only the server can access them? I think maybe the php.ini is setup initially so that this cannot happen. It's just a matter of figuring out how your host is set up really.

06-04-2005, 04:04 AM
#10
Travis

Ah I just tried it... php automatically adds escape characters to quotes hence I don't really see how sql injection attacks occur (maybe this was only an old problem which was not considered in earlier versions of php)
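Travis's test above, and Koobi's koobi_escapeSql() earlier in the thread, both rest on the same question: does a quote typed by the user stay inside the string literal the programmer wrote? The example below, added here and not from the thread, runs both forms of the quoted unixwiz query against an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed), using the address from the quoted example plus one stray quote. The "automatic escaping" Travis observed was the magic_quotes_gpc php.ini setting; it applied only to request data, only when enabled, and was removed from PHP in 5.4, while the mysql_* functions themselves were removed in 7.0. Binding the value does not depend on any of that.

```php
<?php
// Added example, not the thread's code. Assumes the pdo_sqlite extension;
// table name and sample address follow the unixwiz example quoted in the thread.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t (field TEXT)');
$pdo->exec("INSERT INTO t (field) VALUES ('steve@unixwiz.net')"); // constructed row

// The thread's pattern: the raw value is spliced into the SQL text, so the
// database parser sees the user's characters as part of the statement.
function interpolated(PDO $pdo, string $email): string
{
    $query = "SELECT field FROM t WHERE field = '$email'";
    try {
        $rows = $pdo->query($query)->fetchAll(PDO::FETCH_COLUMN);
        return 'ran, ' . count($rows) . ' row(s)';
    } catch (PDOException $e) {
        // The stray quote closed the literal early; whatever follows is parsed
        // as SQL rather than compared as data. Here that is a syntax error,
        // which is the symptom Travis expected to see and did not, because
        // magic quotes had altered his input before it reached the query.
        return 'SQL error: ' . $e->getMessage();
    }
}

// Bound parameter: statement text and value are sent separately, so the quote
// is simply one character of the string being compared.
function bound(PDO $pdo, string $email): string
{
    $stmt = $pdo->prepare('SELECT field FROM t WHERE field = ?');
    $stmt->execute([$email]);
    return 'ran, ' . count($stmt->fetchAll(PDO::FETCH_COLUMN)) . ' row(s)';
}

// Clean input matches the row either way; the stray quote breaks the spliced
// query but is just a non-matching value for the bound one.
foreach (['steve@unixwiz.net', "steve@unixwiz.net'"] as $input) {
    echo "input: $input\n";
    echo '  interpolated: ' . interpolated($pdo, $input) . "\n";
    echo '  bound:        ' . bound($pdo, $input) . "\n";
}
```

The same holds for the thread's escaping helper: mysql_real_escape_string() only works when applied to every value, with the connection's character set known, and with no second layer such as addslashes() ahead of it; a prepared statement removes the need to get those three conditions right on every query.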
