
Php Logs In With Incorrect User/pass


8 replies to this topic

#1 devilsvein

devilsvein

    Advanced Member

  • Members
  • PipPipPip
  • 51 posts
  • LocationLondon, England
  • Age:16

Posted 30 December 2012 - 03:46 PM

Have an issue which I've put a temporary patch on to prevent unauthorized access. But I still want to know why this is happening :(

Basically my "check" system on login checks the username and password that were typed in. If there's no match it should read out an error message and prevent any more attacks. But what I've found out is....if the password's "hello123" and you type "hello12" it redirects you to the loggedinpage.....which is wrong.

login page extract:

// $mysqli is the open mysqli connection; $error_string collects messages for the form.
$username = htmlentities($_POST['username']);
$username = mysqli_real_escape_string($mysqli, $username);
$password = mysqli_real_escape_string($mysqli, $_POST['password']);
$query = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
$row = mysqli_fetch_assoc($query);
$numrows = mysqli_num_rows($query);
$dbuser = $row['Username'];
$dbpass = $row['Password'];
$email = $row['Email'];
$_SESSION['login'] = false;
// The hash is username + password + email, so the stored hash must have been built the same way at registration.
$salt1 = $dbuser;
$salt2 = $email;
$hash = hash('sha512', $salt1.$password.$salt2);
$id = $row['PlayerID'];
if (($username == '') || ($password == '')) {
    $error_string .= '<font color=red>You have left either the username or password field blank!</font>';
    $_SESSION['login'] = false;
}
else if ($numrows == 1)
{
    if ($hash == $dbpass)
    {
        //$error_string .= 'Authentication succeeded';
        $_SESSION['login'] = true;
        $_SESSION['username'] = $username;
        $_SESSION['email'] = $email;
        $_SESSION['ID'] = $id;

        header("Location: loggedin.php");
        exit; // header() alone does not stop the script; the rest of the page would still run
    } else {
        $error_string .= '<font color=red>Authentication failed</font>';
        $_SESSION['login'] = false;
    }
}
else
{
    $error_string .= '<font color=red>Authentication failed</font>';
    $_SESSION['login'] = false;
}

So what I have done is on loggedin.php I've now placed


// Compare the login flag, do not assign to it: "= false" inside the condition would never trigger.
if (empty($_SESSION['username']) || empty($_SESSION['email']) || empty($_SESSION['ID']) || $_SESSION['login'] !== true)
{
    session_destroy();
    header('location: login.php');
    die();
}


So why on earth is the login page saying the details are correct when they're not :( because if you still type in the wrong password by one letter it redirects you to loggedin.php, but as that code is there in loggedin.php it prevents anyone from accessing.

Edited by devilsvein, 30 December 2012 - 03:48 PM.


#2 wotw

wotw

    Member

  • Members
  • PipPip
  • 10 posts

Posted 30 December 2012 - 04:57 PM

Hey,

I have written you something that you could incorporate into your script. I basically wrote this with my eyes closed and I haven't tested it. If you get issues let me know and I can help.

You need to add a hidden input into your login form and call it: login & give it a value of 1.
You would also need to implement your password encoding where it says: Do your password encoding.

<?php
// Assumes session_start() has run and $mysqli is an open mysqli connection.
$case = isset($_POST['login']) ? 'login' : false;
$error = false;
switch($case){

    case 'login':

        $username = isset($_POST['username']) ? mysqli_real_escape_string($mysqli, $_POST['username']) : false;
        $password = isset($_POST['password']) ? mysqli_real_escape_string($mysqli, $_POST['password']) : false;

        if($username && $password){

            // Do your password encoding here. $password = ?

            $query = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username' AND password = '$password'");
            $numrows = mysqli_num_rows($query);

            if($numrows > 0){

                $row = mysqli_fetch_assoc($query);

                // Set sessions
                $_SESSION['login'] = true;
                $_SESSION['ID'] = $row['PlayerID'];
                $_SESSION['username'] = $row['Username'];
                $_SESSION['email'] = $row['Email'];

                // Redirect, then stop so nothing below is sent
                header("Location: loggedin.php");
                exit;

            }else{

                $error = true;
            }
        }else{

            $error = true;
        }
    break;
}
if($error){

    echo '<font color=red>Authentication failed</font>';
}
echo 'Display login form here';
?>


#3 cpd

cpd

    ¬_¬

  • Members
  • PipPipPip
  • 881 posts
  • LocationLondon, UK

Posted 30 December 2012 - 06:23 PM

@wotw - Why have you used a switch statement with a single case? An if statement is a better control flow statement to use and you've actually done that when setting the $case variable.

I wouldn't real_escape the password either. Just hash it using an appropriate method (suggest PHPass) and query the database with it.
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."

"One of my most productive days was throwing away 1000 lines of code."

#4 devilsvein

devilsvein

    Advanced Member

  • Members
  • PipPipPip
  • 51 posts
  • LocationLondon, England
  • Age:16

Posted 30 December 2012 - 07:19 PM

Thanks for the feedback. I took the password escape out. But I want to know why I can login with an incorrect password on my site.

#5 Christian F.

Christian F.

    Advanced Member

  • Staff Alumni
  • 3,106 posts
  • LocationNorway

Posted 30 December 2012 - 07:46 PM

I suspect it has something to do with the escaping you've done, which has potentially altered the username and/or password. Also, without knowing what your registration code looks like, we're pretty much just guessing.

In any case, I would recommend you to read the following two articles:
http://michaelwright...assword-storage
http://www.openwall....Users-Passwords

(You too, wotw.)
Keeping it simple.

#6 Pikachu2000

Pikachu2000

    I hate everything.

  • Staff Alumni
  • 11,378 posts
  • LocationFuture Independent Republic of Texas
  • Age:106

Posted 30 December 2012 - 08:20 PM

Since this --> if ($hash == $dbpass) is the condition in the code above that causes $_SESSION['login'] to be set to TRUE, have you echoed $hash and $dbpass and compared them? If they match when a wrong password is entered, then you need to figure out why. If they don't match, and $_SESSION['login'] is still set to TRUE, you need to figure out why that's happening. That would be where I'd start anyhow.
"Java" is to "Javascript" about the same as "fun" is to "funeral".


#7 wotw

wotw

    Member

  • Members
  • PipPip
  • 10 posts

Posted 30 December 2012 - 09:03 PM

I know all this. I used a switch because I normally use a switch to do a password forgotten case and register.

Here is a quick secure class I wrote which you can use to secure your password:

<?php
class secure{

    ## GET A RANDOM SALT
    function secure_random_salt(){
        $randtext = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890';

        $varlen = rand(5, 20);
        $randtextlen = strlen($randtext);
        $salt = '';

        for($i = 0; $i < $varlen; $i++){
            // string offsets are 0-based, so the last valid index is $randtextlen - 1
            $salt .= substr($randtext, rand(0, $randtextlen - 1), 1);
        }

        return $salt;
    }


    ## ENCODES PASSWORD
    function secure_encode_password($password, $salt = ''){
        if($salt == ''){

            $salt = $this->secure_random_salt();
        }

        return md5($password.$salt).':'.$salt;
    }


    ## CHECK PASSWORDS MATCHES
    function secure_check_password($password, $db_password){

        $explode = explode(':', $db_password);
        if(isset($explode[1])){

            // strict comparison: == would type-juggle two numeric-looking hash strings
            return $this->secure_encode_password($password, $explode[1]) === $db_password;
        }else{

            return false;
        }
    }
}
$secure = new secure;
?>

Simply include the class file and do this to create your password string.


// There is more to this class but I have cut it down. You could create a new function which will secure the posted values like the guys mention above.

$insert_password = $secure->secure_encode_password($password); // Password to insert into the db.

// And to check if the password is the same when they post it:


// $db_password is the actual password from the database.
// $password is the password posted from the login form.

if($secure->secure_check_password($password, $db_password)){
// Log the user in. $_SESSION etc..
}

Edited by wotw, 30 December 2012 - 09:06 PM.


#8 Christian F.

Christian F.

    Advanced Member

  • Staff Alumni
  • 3,106 posts
  • LocationNorway

Posted 30 December 2012 - 10:16 PM

return md5($password.$salt).':'.$salt;
Unfortunately, that's not secure. For more information, I recommend watching this video by Anthony Ferrara.
Keeping it simple.
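An added example (not code from any poster in this thread) of what the replies above are recommending: storing a password hash with password_hash() and checking it with password_verify(), with the username lookup done through a prepared statement. It assumes PHP 7.1+ with mysqlnd (for get_result()), an open mysqli connection in $mysqli, and the thread's Persons table (PlayerID, Username, Email, Password).

```php
<?php
// Added example (not code from the thread): store passwords with password_hash()
// and check them with password_verify(), using a prepared statement for the lookup.
// Assumes PHP 7.1+ with mysqlnd (for get_result()), an open mysqli connection in
// $mysqli, and the thread's Persons table (PlayerID, Username, Email, Password as VARCHAR(255)).
session_start();

// Registration side: store only the hash. password_hash() picks a random salt and
// embeds it in the returned string, so no manual salt or md5/sha512 concatenation.
function store_password(mysqli $mysqli, string $username, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $mysqli->prepare('INSERT INTO Persons (Username, Email, Password) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $email, $hash);
    return $stmt->execute();
}

// Login side: look the user up by username only (bound parameter, so neither field
// needs real_escape_string) and let password_verify() do a constant-time comparison.
// An unknown user and a wrong password both return null, so the caller cannot tell them apart.
function check_login(mysqli $mysqli, string $username, string $password): ?array
{
    $stmt = $mysqli->prepare('SELECT PlayerID, Username, Email, Password FROM Persons WHERE Username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['Password'])) {
        return null;
    }
    return $row;
}

$error_string = '';
if (isset($_POST['username'], $_POST['password'])
    && $_POST['username'] !== '' && $_POST['password'] !== '') {
    $user = check_login($mysqli, $_POST['username'], $_POST['password']);
    if ($user !== null) {
        session_regenerate_id(true);   // fresh session id once authenticated
        $_SESSION['login']    = true;
        $_SESSION['ID']       = $user['PlayerID'];
        $_SESSION['username'] = $user['Username'];
        $_SESSION['email']    = $user['Email'];
        header('Location: loggedin.php');
        exit;                          // header() alone does not stop the script
    }
    $error_string = '<font color=red>Authentication failed</font>';
}
```

A truncated password such as "hello12" for a stored "hello123" cannot pass password_verify(), and the stored string carries its own salt and algorithm identifier, so no username/email salting is needed.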

#9 devilsvein

devilsvein

    Advanced Member

  • Members
  • PipPipPip
  • 51 posts
  • LocationLondon, England
  • Age:16

Posted 31 December 2012 - 02:47 PM

I found the issue. It was some code which wasn't shown.

I had a snippet at the top of the page which was poorly designed.

It was supposed to redirect if the user was already logged in...but was just logging in for the fun of it.... :(

Thanks for your time and help



