Search the Community

Continuing my posting of security-related functions in this section, I've decided to post this one up. I've posted a basic version of the RegExp previously, to which Psycho gave me some good feedback. Thus, the current function was born: // Define the flags used for validating passwords. define ('SF_VALIDATE_PASS_LOWER', 1); define ('SF_VALIDATE_PASS_UPPER', 2); define ('SF_VALIDATE_PASS_NUMERICAL', 4); define ('SF_VALIDATE_PASS_SPECIAL', ; define ('SF_VALIDATE_PASS_ALL', 15); /** * Validates the password according to the flags and mininum length given. * * Returns true if the password matches the constraints, or false if it fails. * * Default minimum length is 8 characters, and all flags activated. * * @author Christian Fagerheim (Fagerheim Software) * @link www.fagsoft.no * @license Creative Commons Attribution-ShareAlike 3.0. http://creativecommons.org/licenses/by-sa/3.0/. * * @param string $password * @param int[optional] $minLength * @param int[optional] $flags * * @return bool */ function validatePassword ($password, $minLength = 8, $flags = SF_VALIDATE_PASS_ALL) { // Make sure we got a valid minimum length. if (!is_int ($minLength) || $minLength < 0) { trigger_error ('Minimum length must be a positive integer', E_USER_ERROR); } // Create the constraints for the password. $passReg = ''; if ($flags & SF_VALIDATE_PASS_LOWER) { $passReg .= '(?=.*[a-z])'; } if ($flags & SF_VALIDATE_PASS_UPPER) { $passReg .= '(?=.*[A-Z])'; } if ($flags & SF_VALIDATE_PASS_NUMERICAL) { $passReg .= '(?=.*\\d)'; } if (false && $flags & SF_VALIDATE_PASS_SPECIAL) { $special = preg_quote (',.;:"\'!?*(){}[]/^§|#¤%&_=<>@£$€ +-', '/'); $passReg .= "(?=.*[$special])"; } // Add the minimum length requirement. $passReg .= '.{'.$minLength.',}'; // Check that the password matches the constraints, and return a boolean. if (!preg_match ("/^$passReg\\z/u", $password)) { return false; } return $password; }

Hi, i m trying to write a code for resetting password. I want this code to show in on the log in page (and the user should be able to open it without being logged in),,, however the problem i am facing is, whenever i open my recover form thus, localhost/pass.php , my recover form has a field for email and security question, ) it just shows the login page, which is localhost/login.php... i'm stuck on this now for days, and nothing seems to improve... and just to make helping easier, i'm planning to implement a recover function thus: 1. when the user clicks on forgot password on localhost/login.php without already being logged in, it should take them to a page, pass.php (displaying an email and security question)... 2.and when the users enter both( confirm if they exist in the sql table), then redirect to another form reset.php which shows two fields for "Enter new password" and "Confirm password", and when user enters both, his password is updated in the database... Pass.php has a template pass_form.php and reset.php has a template reset_form.phpp //code for pass.php: <?php // configuration require("../includes/config.php"); if ($_SERVER["REQUEST_METHOD"] == "POST") { if (empty($_POST["forgotpassword"])) apologize("Please enter email address."); if (empty($_POST["security"])) apologize("Please enter your security key."); $email = $_POST["forgotpassword"]; if(!(filter_var($email, FILTER_VALIDATE_EMAIL))) apologize("Please enter a valid email such as example@domain.com"); //check if email and securitykey exist in users table $check= query("SELECT id, security FROM users WHERE email = ?", $_POST["forgotpassword"]); if ($check === false) apologize("No such user in database"); render("reset.php", ["title" => "Reset Password", "check" => $check]); } else render("login_form.php", ["title" => "Login"]); ?> 3. another problem is when i log in, and then i open localhost/pass.php, it always keeps on rendering the above template called login_form.php( which is linked to the controller login.php...) instead of displaying the pass_form.php template... /// pass_form.php is as follows: <form action="pass.php" method="post"> <fieldset> <div class="control-group"> <input name="forgotpassword" placeholder="Email" type="text"/> </div> <div class="control-group"> <input name="security" placeholder="Security Keyword" type="text"/> </div> <div class="control-group"> <button type="submit" class="btn">Reset</button> </div> </fieldset> </form> RENDER() is a function as follows function render($template, $values = []) { // if template exists, render it if (file_exists("../templates/$template")) { // extract variables into local scope extract($values); // render header require("../templates/header.php"); // render template require("../templates/$template"); // render footer require("../templates/footer.php"); } // else err else { trigger_error("Invalid template: $template", E_USER_ERROR); }

As a part of a project I'm working on, I just updated an old function of mine. Seeing as a lot of people still keep using time-based[1] techniques for generating password, I thought I should share this one with you all. Hopefully someone will find it useful. /** * Generates and returns a random password, of a random length between min and max. * * Hard limits are minimum 10 chars and maximum 72. * * @author Christian Fagerheim (Fagerheim Software) * @link www.fagsoft.no * @license Creative Commons Attribution-ShareAlike 3.0. http://creativecommons.org/licenses/by-sa/3.0/. * * @param int[optional] $minLen = 10 * @param int[optional] $maxLen = 14 * @return string */ function generatePassword ($minLen = 10, $maxLen = 14) { if ($minLen < 10) { $minLen = 10; } // Discard everything above 72 characters for the password (bcrypt limitation). if ($maxLen > 72) { $maxLen = 72; } $numChars = mt_rand ($minLen, $maxLen); // Create an secure random password, and cut it down to length. $password = base64_encode (mcrypt_create_iv (256, MCRYPT_DEV_URANDOM)); $password = substr ($password, 0, $numChars); // Define the replacements sets and values for strtr (). $find = "10lIO"; $replace = "_-*!?"; // Replace the similar-looking characters with special characters. $password = strtr ($password, $find, $replace); // Save the hashed password in the object, and return it to calling method. return $password; } A copy can be found here: http://pastebin.com/se0YfEx1 [1]Time-based techniques are bad because they are very easy to predict, meaning that an attacked can quite easily guess the generated value as long as he knows the time of a request. Something which completely invalidates the point of having it be random in the first place.

So last week our company decided to migrate our website to a new server and after doing so we noticed one key element has stopped working- our login! php.5.3 apache 2.3.3 The files are the exact same- the SQL database is the exact same- but once the correct login information is input the page just loads to: http://198.154.221.208/login.php?accesscheck=%2Fsubscribers%2Fgetting-started.php instead of http://198.154.221.208/subscribers/getting-started.php We know that it correctly recognizes that the user has permissions because if we enter the incorrect password or just bogus information period- it brings us to the failed login page: http://198.154.221.208/login.php?access=failed So without further adieu, here's the code: <?php require_once('Connections/dbconnec.php'); ?> <?php // *** Validate request to login to this site. if (!isset($_SESSION)) { session_start(); } $loginFormAction = $_SERVER['PHP_SELF']; if (isset($_GET['accesscheck'])) { $_SESSION['PrevUrl'] = $_GET['accesscheck']; } if (isset($_POST['email'])) { $loginUsername=$_POST['email']; $password=$_POST['password']; $MM_fldUserAuthorization = "prilevel_id"; $MM_redirectLoginSuccess = "/subscribers/getting-started.php"; $MM_redirectLoginFailed = "login.php?access=failed"; $MM_redirecttoReferrer = false; mysql_select_db($database_dbconnec, $dbconnec); $LoginRS__query=sprintf("SELECT cust_email, cust_password, prilevel_id, acctexp_date FROM customers WHERE cust_email='%s' AND cust_password='%s' AND acctexp_date >= CURDATE()", get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); $LoginRS = mysql_query($LoginRS__query, $dbconnec) or die(mysql_error()); $loginFoundUser = mysql_num_rows($LoginRS); if ($loginFoundUser) { $loginStrGroup = mysql_result($LoginRS,0,'prilevel_id'); //declare two session variables and assign them $_SESSION['MM_Username'] = $loginUsername; $_SESSION['MM_UserGroup'] = $loginStrGroup; if (isset($_SESSION['PrevUrl']) && false) { $MM_redirectLoginSuccess = $_SESSION['PrevUrl']; } header("Location: " . $MM_redirectLoginSuccess ); } else { header("Location: ". $MM_redirectLoginFailed ); } } ?> I'm not really very familiar with PHP or SQL so much as HTML and CSS so this is all still kind of foreign to me- SO I bring it before the community....

Can some tell me how to make this script check for the password before it starts the upload process instead of after the file is uploaded? Some of the files I need uploaded are big and it sucks to wait till the file is uploaded before it tells me that the password was wrong. Thanks for any help you can provide. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <title>ES Simple Uploader</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <meta name="generator" content="handmade" /> <style type="text/css"> <!-- body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; background-color: #DDDDDD; } .cnt { text-align: center; } .cnt_welcome { font-size: 16px; font-weight: bold; text-align: center; } .cnt_powered { font-size: 14px; font-weight: bold; text-align: center; } .cnt_small { font-size: 12px; text-align: center; padding-top: 50px; } .head_line { background-color: #BBBBBB; } .main_table { border: solid 1px #9D9992; font-size: 13px; } h4 { font-size: 12px; color: #DD0000; text-align: center; } .button { border: 1px solid #55555; font-weight: bold; } --> </style> </head> <body> <? include("config.php"); function path_options() { global $upload_dirs; $option = ""; foreach ($upload_dirs as $path => $pinfo) { $option .= '<option value="'.$path.'">'.$pinfo["name"].'</option>'; } return $option; } function check_vals() { global $upload_dirs, $err; if (!ini_get("file_uploads")) { $err .= "HTTP file uploading is blocked in php configuration file (php.ini). Please, contact to server administrator."; return 0; } $pos = strpos(ini_get("disable_functions"), "move_uploaded_file"); if ($pos !== false) { $err .= "PHP function move_uploaded_file is blocked in php configuration file (php.ini). Please, contact to server administrator."; return 0; } if (!isset($_POST["path"]) || (strlen($_POST["path"]) == 0)) { $err .= "Please fill out path"; return 0; } if (!isset($upload_dirs[$_POST["path"]])) { $err .= "Incorrect path"; return 0; } if (!isset($_POST["pwd"]) || (strlen($_POST["pwd"]) == 0)) { $err .= "Please fill out password"; return 0; } elseif ($_POST["pwd"] != $upload_dirs[$_POST["path"]]["password"]) { $err .= "The upload password is incorrect"; return 0; } if (!isset($_FILES["userfile"])) { $err .= "Empty file"; return 0; } elseif (!is_uploaded_file($_FILES['userfile']['tmp_name'])) { $err .= "Empty file"; return 0; } return 1; } $err = ""; $status = 0; if (isset($_POST["upload"])) { if (check_vals()) { if (filesize($_FILES["userfile"]["tmp_name"]) > $max_file_size) $err .= "Maximum file size limit: $max_file_size bytes"; else { if (move_uploaded_file($_FILES["userfile"]["tmp_name"], $upload_dirs[$_POST["path"]]["dir"].$_FILES["userfile"]["name"])) { $status = 1; } else $err .= "There are some errors!"; } } } if (!$status) { if (strlen($err) > 0) echo "<h4>$err</h4>"; } else { echo "<h4>"".$_FILES["userfile"]["name"]."" was successfully uploaded.</h4>"; } ?> <p class="cnt_welcome">Welcome to ES Simple Uploader v 1.1.</p> <p class="cnt">« <a href="http://www.energyscripts.com/Products/product2.html">Back to Product page</a> «</p> <p class="cnt">(Select folder, set it's password, then select a file to upload and click "Upload" button). <br />Note: Folder: "Images folder", Password: "images"; Folder: "Docs", Password: "docs"; Folder: "Common files", Password: "common"; Maximum file size: <?=$max_file_size/1024?> Kb.</p><br /> <form enctype="multipart/form-data" action="index.php" method="POST"> <input type="hidden" name="MAX_FILE_SIZE" value="<?=$max_file_size?>" /> <table class="main_table" align="center"> <tr> <td colspan="2" class="head_line"> </td> </tr> <tr> <td>Folder:</td> <td><select name="path"><?=path_options()?></select></td> </tr> <tr> <td>Password:</td> <td><input type="password" name="pwd" style="width: 217px;" /></td> </tr> <tr> <td>Choose file:</td> <td><input type="file" name="userfile" style="width: 222px;" /></td> </tr> <tr> <td colspan="2" align="right"><input type="submit" name="upload" value="Upload" class="button" /></td> </tr> </table> </form> </p> <p class="cnt_powered">Powered by <a href="http://www.energyscripts.com" target="_blank">EnergyScripts</a></p> <p class="cnt_small">Find more power solution: <a href="http://www.energyscripts.com/Products/product1.html" target="_blank">ES File Upload & Download Manager</a></p> </body> </html>