Login Security Test

Jerzxu

Hello,

I am working on my website and I need to know if my login script is secure.

<?php
session_start();
include("connect.php");
$username = $_POST['username'];
$password = $_POST['password'];

if ($_POST['username'] == "" || $_POST['password'] == "") {
    $_SESSION['Login'] = "None";
    header("Location: loginfail.php");
    exit; // header() alone does not stop the script
} else {
    // Unsalted MD5 of the password, compared inside the query itself
    $password = md5($password);
    // Both values are interpolated into the SQL string without escaping
    $sql = mysql_query("SELECT * FROM `Accounts` WHERE `Username`='$username' AND `Password`='$password'");
    if (mysql_num_rows($sql) == 0) {
        $_SESSION['Login'] = "Incorrect";
        header("Location: loginfail.php");
        exit;
    } else {
        // Second lookup for the activation flag, again with the raw username
        $sql2 = mysql_query("SELECT `Activated` FROM `Accounts` WHERE `Username`='$username'");
        $active = mysql_result($sql2, 0);
        if ($active == "No") {
            $_SESSION['Login'] = "UnAct";
            header("Location: loginfail.php");
            exit;
        } else {
            $_SESSION['Login'] = "Successful";
            $_SESSION['username'] = $_POST['username'];
            header("Location: code.php");
            exit;
        }
    }
}

$_POST['username'] and $_POST['password'] come from the login form.

If this is not secure, might I get a way to make it more secure? (I was looking into SSL but that didn't help much.)


<?php
session_start();
include("connect.php");
$username = $_POST['username'];
$password = $_POST['password'];

if ($_POST['username'] == "" || $_POST['password'] == "") {
    $_SESSION['Login'] = "None";
    header("Location: loginfail.php");
    exit; // header() alone does not stop the script
} else {
    $password = md5($password);
    // Escape once and reuse the escaped value in every query that embeds it
    $safe_username = mysql_real_escape_string($username);
    $query = sprintf("SELECT * FROM `Accounts` WHERE `Username`='%s' AND `Password`='%s'",
                     $safe_username,
                     mysql_real_escape_string($password));
    $sql = mysql_query($query);
    //$sql = mysql_query("SELECT * FROM `Accounts` WHERE `Username`='$username' AND `Password`='$password'");
    if (mysql_num_rows($sql) == 0) {
        $_SESSION['Login'] = "Incorrect";
        header("Location: loginfail.php");
        exit;
    } else {
        // The second query must also use the escaped username, not the raw $username
        $sql2 = mysql_query("SELECT `Activated` FROM `Accounts` WHERE `Username`='$safe_username'");
        $active = mysql_result($sql2, 0);
        if ($active == "No") {
            $_SESSION['Login'] = "UnAct";
            header("Location: loginfail.php");
            exit;
        } else {
            $_SESSION['Login'] = "Successful";
            $_SESSION['username'] = $_POST['username'];
            header("Location: code.php");
            exit;
        }
    }
}


Just reassuring, is that correct?

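For comparison with the two versions above, here is an added example (not the poster's code) of the same login flow written against current PHP APIs: a prepared statement instead of string escaping, password_hash()/password_verify() instead of an unsalted MD5 compared inside the query, the Activated check folded into the single lookup, session_regenerate_id() at login so a pre-set session id is not kept, and exit after every redirect. It assumes connect.php provides a PDO connection in $pdo and that the `Password` column holds password_hash() output.

```php
<?php
session_start();
include("connect.php");   // assumed to provide a PDO instance in $pdo

function fail_login(string $reason): void {
    $_SESSION['Login'] = $reason;
    header("Location: loginfail.php");
    exit; // stop the script: header() alone does not end execution
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if ($username === '' || $password === '') {
    fail_login("None");
}

// One parameterised query: the user's input never becomes part of the
// SQL text, so quoting or escaping mistakes cannot turn into injection.
$stmt = $pdo->prepare(
    "SELECT `Password`, `Activated` FROM `Accounts` WHERE `Username` = :username"
);
$stmt->execute([':username' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify against a password_hash() digest (salted, deliberately slow)
// rather than matching an md5 in the WHERE clause. When no row matched,
// still run password_verify() against a freshly generated dummy hash so
// unknown and known usernames take the same time to reject.
$hash = $row ? $row['Password'] : password_hash('dummy', PASSWORD_DEFAULT);
if (!$row || !password_verify($password, $hash)) {
    fail_login("Incorrect");
}

if ($row['Activated'] === "No") {
    fail_login("UnAct");
}

// Issue a new session id at the moment privileges change, so a session
// id that was fixed in the browser before login is not carried over.
session_regenerate_id(true);
$_SESSION['Login'] = "Successful";
$_SESSION['username'] = $username;
header("Location: code.php");
exit;
```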

Just be mindful of session hijacking. I see that you are storing the username in the $_SESSION['username'] variable. Make sure that you are not providing information based on this value. As to my knowledge it is easy enough for somebody to substitute this for another username if they have done prior research. You might be ok, but it is just something to keep in mind :)

http://www.damosworld.com


How would you stop session hijacking then?

Use cookies?


I would say that is even easier to hack. You can manually edit cookies in a jiffy.

I believe if you use SSL it encodes it tighter so that it's harder, except I'm not sure on how to do that exactly.


2 months later...

Wow, I read this and I'm amazed at how little people know about sessions!!!

Sessions are stored SERVER SIDE!!!! UNTOUCHABLE EXCEPT BY THE SERVER

They are linked to the end user via a cookie storing the session id number, which is virtually unhackable.

You can not alter session data without having the server do it.

Sure, if you wrote this below it would change sessions, but that's a stupid example that is never done.


<?php
session_start();
// Copies a GET parameter straight into the session: the "stupid example"
if (!empty($_GET['user'])) {
    $_SESSION['Username'] = $_GET['user'];
}
echo "<form action=\"" . $_SERVER['PHP_SELF'] . "\" method=\"get\">";
echo "<input type=\"text\" name=\"user\" value=\"\" />";
echo "<input type=\"submit\" />";
echo "</form>";
?>


Please read about sessions before posting fake "ideas" about them.


cooldude832: 2 words: Session fixation.

But I agree, sessions are usually extremely secure.

Anyway, fix the XSS! This makes the session problem even more vulnerable. Use htmlentities, but use it right. So many people don't. :(

print htmlentities($stuff, ENT_QUOTES);


If you want to be careful, use the user agent and IP address as a session identifier. Be careful though, as AOL users change IP addresses regularly. This makes it a little bit harder :) Also, sessions should be okay as long as you don't accept session identifiers via GET or POST variables.


Also, from my experience, it's always better to set up some kind of common include file from which to sanitize data. Maybe even a class if you're able to do OOP. This way, you know for a fact that all external data on your website is being taken care of. The problem with using functions such as htmlentities() and mysql_real_escape_string() individually is that sometimes you might forget to filter one piece of data. And as we all know, one piece of unfiltered data can have the potential to kick you straight in the nads. Focus on security before building any live systems. I never build a system without first thinking of how I am going to make it secure.


2 weeks later...


An added note would be to change your session path if you're working with sessions. Yes, they are stored on the server, but if you're on a shared hosting account people can target the standard session path and read all the information stored there (c:\windows\temp\).

In my experience it's better to set the session save handler to a directory outside the site root where only you can access it.

To increase security for the sessions so no one can hijack your cookie, you could make a script that would regenerate your SID every couple of minutes.

Done with:

session_regenerate_id(true); // true: delete the old session data; false: leave the old session data

And to keep people logged on for a longer period of time you could make your session cookie last longer, I guess...

session_set_cookie_params(1800, '/');

Though I'm not a big fan of using cookies.

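The session advice scattered across the thread (a private save path outside the site root, not accepting ids via GET or POST, periodic session_regenerate_id(), and tying the session to the user agent rather than the IP address) collected into one added example of a shared include; this is not code from the thread. The directory /var/lib/myapp/sessions is a placeholder, the array form of session_set_cookie_params() needs PHP 7.3 or later, and the five-minute rotation interval is an assumed value.

```php
<?php
// secure_session.php (added example): include at the top of every page,
// before any output, in place of a bare session_start().

// 1. Keep session files in a directory only this site's user can read,
//    instead of the shared default (e.g. /tmp or c:\windows\temp).
//    Placeholder path: create it with mode 0700, owned by the web user.
ini_set('session.save_path', '/var/lib/myapp/sessions');

// 2. Only ever take the session id from the cookie, never from GET/POST,
//    and reject ids that this server did not issue itself.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

// 3. Cookie flags: HttpOnly keeps the id away from JavaScript (limits what
//    an XSS can reach), Secure stops it being sent over plain HTTP.
session_set_cookie_params([
    'lifetime' => 1800,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// 4. Bind the session to the browser's User-Agent. The IP address is
//    deliberately left out: users whose address changes mid-session
//    (the AOL case mentioned above) would otherwise be logged out.
$fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
if (!isset($_SESSION['fingerprint'])) {
    $_SESSION['fingerprint'] = $fingerprint;
} elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
    // Same session id presented by a different client: discard it.
    session_unset();
    session_destroy();
    header("Location: loginfail.php");
    exit;
}

// 5. Rotate the session id every five minutes (assumed interval), keeping
//    the data, so a captured id stays useful only briefly.
$now = time();
if (!isset($_SESSION['last_rotate'])) {
    $_SESSION['last_rotate'] = $now;
} elseif ($now - $_SESSION['last_rotate'] > 300) {
    session_regenerate_id(true); // true: remove the old session file
    $_SESSION['last_rotate'] = $now;
}
```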
