
Just a security question


whiteboikyle


Okay, so if I had a login form of

Username:__________

Password:__________

[Login]

 

and it went to a process.php

 

and if the login/password matched the query and it stored their session like so

$myusername = $_POST['username'];
$_SESSION['myusername'] = $myusername;

the $_POST['username'] being the value of the username..

and when they go to the main.php and it checks to see if the $_SESSION['myusername'] isset()

 

Could it become they use some sort of main.php?PHPSESSID=theusername

or is that secure?

Link to comment
Share on other sites

You can't change session variables directly via the URL, so that's not a problem. I would suggest not only checking that $_SESSION['myusername'] is set, but also that it has an expected value.

 

if(isset($_SESSION['myusername']) && strlen($_SESSION['myusername'])>0){
    // logged in: continue with the page
}

 

Not necessary, just a suggestion.

Link to comment
Share on other sites

If register_globals is on, under certain conditions you can put -

?myusername=somevalue on the end of the URL and set $_SESSION['myusername'] to whatever somevalue is. This is why register_globals was turned off in PHP 4.2 in the year 2002, and no new code, new books, new tutorials, or new hosting accounts should have been created after that date that relied on register_globals or turned it on.

Link to comment
Share on other sites

If you want to get paranoid about it, which is never a bad idea when it comes to security, a little more security is to sanitize your POST data before using it in a query, with mysql_real_escape_string().

Of course I do that, but I was just doing a scenario..

 

Now what if you use your config in a function like Global $config

Could that become a problem?

Link to comment
Share on other sites

example

 

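class Process {
     // Runs on instantiation; hands off to Login() when the form was submitted
     function __construct(){
          if(isset($_POST['Login'])){
               $this->Login();
          }
     }
     function Login(){
          global $config; // the MySQLDB instance created below
          $username = $_POST['username'];
     }

}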

 

The $config would be

 

Class MySQLDB
{
   var $connection;         //The MySQL database connection

   /* Class constructor */
   function MySQLDB(){
      /* Make connection to database */
      $this->connection = @mysql_connect(*****, *****, *****) or die(mysql_error());
      @mysql_select_db(*****, $this->connection) or die(mysql_error());
}
/**
    * query - Performs the given query on the database and
    * returns the result, which may be false, true or a
    * resource identifier.
    */
//Use this function as query("Query line of code");
   function query($query){
      return mysql_query($query, $this->connection);
   }
};

$config = new MySQLDB;

 

Could the global $config become a problem?

Link to comment
Share on other sites

Never ever ever set a session variable via a raw post data value.

 

I could inject any username I want via cURL and in theory be any user I want.

 

 

There is no security difference between GET and POST; they are only different in their procedure of passing data.

I don't understand what you mean by this..

 

The form for the login would look something like this

 

 

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="">
<tr>
<form name="form1" method="post" action="process.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="0">
<tr>
<td colspan="4"><div align="center"><strong>Member Login </strong></div></td>
</tr>
<tr>
<td width="68"><div align="right">Username</div></td>
<td width="3">:</td>
<td width="205"><input name="myusername" type="text" id="myusername" value=")pH("></td>
<td width="205">
</td>
</tr>
<tr>
<td><div align="right">Password</div></td>
<td>:</td>
<td><input name="mypassword" type="password" id="mypassword"></td>
<td> </td>
</tr>
<tr>
<td><input name="login" type="hidden" value="1"></td>
<td> </td>
<td><input type="submit" name="Submit" value="Login"></td>
<td> </td>
</tr>
</table>
</td>
</form>
</tr>
</table>

Link to comment
Share on other sites

$myusername = $_POST['username'];
$_SESSION['myusername'] = $myusername;

 

The session value = the post value; that is bad because I can put anything I want in there and it will set that session.

 

lol dude, listen, it's a login form..

 

So once you put in the username / password it does the mysql_real_escape_string and also checks to see if the username / password match

 

Would you like to see the full code?

 

Trust me, you can't put "anything"

 

this is just an example

Link to comment
Share on other sites

function login(){
global $config;
	ob_start();

	// Define $myusername and $mypassword
	$myusername=$_POST['myusername'];
	$mypassword=$_POST['mypassword'];

	# Allows letters, numbers
	if(!preg_match('/^[a-zA-Z0-9]+$/i', $myusername)) 
	{
	session_register('bad_char');
	$_SESSION['bad_char'] = "<center><font color='red' size='1'>Invalid Character; Only Letters Or Numbers Can Be Used!</font></center>";
	header("location:login.php");
	exit; // stop here so the query below never runs for a rejected username
	}

	// To protect MySQL injection (more detail about MySQL injection)
	$myusername = stripslashes($myusername);
	$mypassword = stripslashes($mypassword);
	$myusername = mysql_real_escape_string($myusername);
	$mypassword = mysql_real_escape_string($mypassword);
	$myusername = strip_tags($myusername);
	$mypassword = strip_tags($mypassword);
	$encrypt_password = md5($mypassword);
	$query = $config->query("SELECT * FROM members WHERE username='".$myusername."' and password='".$encrypt_password."'");

	// Mysql_num_row is counting table row
	$count=mysql_num_rows($query);
	// If result matched $myusername and $mypassword, table row must be 1 row

	if($count==1){
	// Register $myusername
	session_register("myusername");
	$_SESSION['myusername'] = $myusername;
	header("location:main.php");
	}
	else {
	session_register('error');
	$_SESSION['error'] = "<center><font color='red' size='4'>Wrong Username or Password</font></center>";
	header("location:login.php");
	}

	ob_end_flush();
}

 

Btw, still, if the Username/Password don't match it won't make a session ;)

lol

Link to comment
Share on other sites

What I do when a user logs in, is simple:

 

include '../incl/includes.php';
$query = sprintf("SELECT * FROM users WHERE email = '%s' AND password = '%s'", mysql_real_escape_string($_POST['email']), mysql_real_escape_string(md5($_POST['password'])));
$sql = mysql_query($query)or die(mysql_error());
if(mysql_num_rows($sql) > 0){
$row = mysql_fetch_array($sql);
$_SESSION['name'] = $row['name'];
$_SESSION['id'] = $row['id'];
$_SESSION['group'] = $row['group'];
$_SESSION['gender'] = $row['gender'];
$_SESSION['logged'] = TRUE;
}else{
header("Location: /login.php");
exit;
}

 

Notice this line: $_SESSION['logged'] = TRUE;

On all my pages that require a user to be logged in, I just use this code:

 

session_start();
if(empty($_SESSION['logged'])){ // not logged in: redirect away from the protected page
header("Location: /");
exit;
}

// Place the rest of the HTML/PHP here

 

Hope this helps..

Link to comment
Share on other sites
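
The pattern the posts above argue over (write to $_SESSION only after the credentials verify, take the session values from the database row rather than the request, and gate pages on a session flag), as an added example that is not part of any post. It swaps the thread's mysql_* calls and md5() for PDO prepared statements and password_hash()/password_verify(); the table and column names, attempt_login(), require_login() and the sample account are assumptions.

```php
<?php
// Added example: in-memory SQLite with one constructed account so it runs offline (needs pdo_sqlite).
function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    $ins = $db->prepare('INSERT INTO members (username, pw_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed account
    return $db;
}

// Returns true and fills $session only when the credentials verify.
function attempt_login(PDO $db, array $post, array &$session): bool {
    $username = $post['myusername'] ?? '';
    $password = $post['mypassword'] ?? '';
    if (!is_string($username) || !is_string($password) || !ctype_alnum($username)) {
        return false;                       // reject arrays and non-alphanumeric names early
    }
    // Placeholder binding keeps the input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;                       // nothing is written to the session on failure
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);        // new session id at the privilege change
    }
    // Session values come from the database row, not from the request.
    $session['user_id']    = (int) $row['id'];
    $session['myusername'] = $row['username'];
    $session['logged']     = true;
    return true;
}

// Guard for pages such as main.php: require the flag and a non-empty name.
function require_login(array $session): bool {
    return !empty($session['logged']) && isset($session['myusername'])
        && is_string($session['myusername']) && $session['myusername'] !== '';
}

$db = make_demo_db();
$session = [];   // stands in for $_SESSION so the demo runs from the CLI
var_dump(attempt_login($db, ['myusername' => 'alice', 'mypassword' => 'wrong'], $session));
var_dump(require_login($session));
var_dump(attempt_login($db, ['myusername' => 'alice', 'mypassword' => 'correct horse'], $session));
var_dump(require_login($session));
```

In a real page, pass $_POST and $_SESSION after session_start(), and follow a failed require_login() with a redirect and exit.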

You should just process the login form on the same page, in the same PHP file.  By the way, your "Process" class is ridiculously useless, not gonna lie. >_>  You should read up on OOP principles.  There's no point in the class whatsoever, because it just does random things and has no direct task.

Link to comment
Share on other sites

No, registering sessions is not used any more; to add to the superglobal array you simply put

<?php
session_start();
$_SESSION['var'] = "Value";
?>

 

instead of

<?php
session_start();
session_register('var');
$_SESSION['var'] = "Value";
?>

 

The registration will produce a "call to undefined function" error as of PHP 6.0

Link to comment
Share on other sites


Well, on the next page I go

if(session_is_registered('error')){
echo $_SESSION['error'];
}

 

and Andy-H

 

I will look into the "ctype_alnum"

Link to comment
Share on other sites
