whiteboikyle Posted August 3, 2008

Okay, so if I had a login form of

Username:__________
Password:__________
[Login]

and it went to a process.php, and if the login/password matched the query it stored their session like so

```php
$myusername = $_POST['username'];
$_SESSION['myusername'] = $myusername;
```

with $_POST['username'] being the value of the username, and when they go to main.php it checks to see if $_SESSION['myusername'] isset(). Could someone then use some sort of main.php?PHPSESSID=theusername, or is that secure?

Stooney Posted August 3, 2008

You can't change session variables directly via the URL, so that's not a problem. I would suggest not only checking that $_SESSION['myusername'] is set, but also that it has an expected value.

```php
if(isset($_SESSION['myusername']) && strlen($_SESSION['myusername'])>0){
    // the user is logged in; show the protected page
}
```

Not necessary, just a suggestion.

PFMaBiSmAd Posted August 3, 2008

If register_globals are on, under certain conditions you can put ?myusername=somevalue on the end of the URL and set $_SESSION['myusername'] to whatever somevalue is. This is why register_globals were turned off in PHP 4.2 in the year 2002, and no new code, new books, new tutorials, or new hosting accounts should have been created after that date that relied on register_globals or turned them on.

jonsjava Posted August 3, 2008

If you want to get paranoid about it, which is never a bad idea when it comes to security, a little more security is to sanitize your POST data before using it in a query, with mysql_real_escape_string().

whiteboikyle Posted August 3, 2008 (Author)

> If you want to get paranoid about it, which is never a bad idea when it comes to security, a little more security is to sanitize your POST data before using it in a query, with mysql_real_escape_string().

Of course I do that, but I was just doing a scenario. Now what if you use your config in a function like

```php
global $config;
```

Could that become a problem?

whiteboikyle Posted August 3, 2008 (Author)

Example:

```php
class Process {
    function __construct(){
        if(isset($_POST['Login'])){
            $this->Login();
        }
    }

    function Login(){
        global $config;
        $username = $_POST['username'];
    }
}
```

The $config would be

```php
class MySQLDB {
    var $connection; // The MySQL database connection

    /* Class constructor */
    function MySQLDB(){
        /* Make connection to database */
        $this->connection = @mysql_connect(*****, *****, *****) or die(mysql_error());
        @mysql_select_db(*****, $this->connection) or die(mysql_error());
    }

    /**
     * query - Performs the given query on the database and
     * returns the result, which may be false, true or a
     * resource identifier.
     */
    // Use this function as query("Query line of code");
    function query($query){
        return mysql_query($query, $this->connection);
    }
};

$config = new MySQLDB;
```

Could the global $config become a problem?

cooldude832 Posted August 3, 2008

Never ever ever set a session variable via a raw post data value. I could inject any username I want via cURL and in theory be any user I want. There is no security difference between GET and POST; they are only different in their procedure of passing data.

whiteboikyle Posted August 3, 2008 (Author)

> Never ever ever set a session variable via a raw post data value. I could inject any username I want via cURL and in theory be any user I want. There is no security difference between GET and POST; they are only different in their procedure of passing data.

I don't understand what you mean by this. The form for the login would look something like this:

```html
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="">
  <tr>
    <form name="form1" method="post" action="process.php">
      <td>
        <table width="100%" border="0" cellpadding="3" cellspacing="0">
          <tr>
            <td colspan="4"><div align="center"><strong>Member Login </strong></div></td>
          </tr>
          <tr>
            <td width="68"><div align="right">Username</div></td>
            <td width="3">:</td>
            <td width="205"><input name="myusername" type="text" id="myusername" value=")pH("></td>
            <td width="205"> </td>
          </tr>
          <tr>
            <td><div align="right">Password</div></td>
            <td>:</td>
            <td><input name="mypassword" type="password" id="mypassword"></td>
            <td> </td>
          </tr>
          <tr>
            <td><input name="login" type="hidden" value="1"></td>
            <td> </td>
            <td><input type="submit" name="Submit" value="Login"></td>
            <td> </td>
          </tr>
        </table>
      </td>
    </form>
  </tr>
</table>
```

cooldude832 Posted August 3, 2008

```php
$myusername = $_POST['username'];
$_SESSION['myusername'] = $myusername;
```

The session value = the post value. That is bad because I can put anything I want in there and it will set that session.

whiteboikyle Posted August 3, 2008 (Author)

> ```php
> $myusername = $_POST['username'];
> $_SESSION['myusername'] = $myusername;
> ```
>
> The session value = the post value. That is bad because I can put anything I want in there and it will set that session.

lol dude listen, it's a login form. So once you put in the username / password it does the mysql_real_escape_string and also checks to see if the username / password match. Would you like to see the full code? Trust me, you can't put "anything"; this is just an example.

cooldude832 Posted August 3, 2008

Yup, I would, because you shouldn't use the post value; you should use the returned mysql row for consistency.

whiteboikyle Posted August 3, 2008 (Author)

```php
function login(){
    global $config;
    ob_start();

    // Define $myusername and $mypassword
    $myusername=$_POST['myusername'];
    $mypassword=$_POST['mypassword'];

    # Allows letters, numbers
    if(!preg_match('/^[a-zA-Z0-9]+$/i', $myusername)) {
        session_register('bad_char');
        $_SESSION['bad_char'] = "<center><font color='red' size='1'>Invalid Charcter; Only Letters Or Numbers Can Be Used!</font></center>";
        header("location:login.php");
        exit; // stop here so the query below does not run for a rejected username
    }

    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    $myusername = strip_tags($myusername);
    $mypassword = strip_tags($mypassword);
    $encrypt_password = md5($mypassword);

    $query = $config->query("SELECT * FROM members WHERE username='".$myusername."' and password='".$encrypt_password."'");

    // mysql_num_rows is counting table rows
    $count=mysql_num_rows($query);

    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1){
        // Register $myusername
        session_register("myusername");
        $_SESSION['myusername'] = $myusername;
        header("location:main.php");
    }
    else {
        session_register('error');
        $_SESSION['error'] = "<center><font color='red' size='4'>Wrong Username or Password</font></center>";
        header("location:login.php");
    }
    ob_end_flush();
}
```

Btw, still, if the Username/Password don't match it won't make a session lol

cooldude832 Posted August 3, 2008

session_register is deprecated so don't use it; now it is unneeded. Also strip tags/stripslashes is unneeded if you are running mysql_real_escape.

The Little Guy Posted August 3, 2008

What I do when a user logs in is simple:

```php
include '../incl/includes.php';
$query = sprintf("SELECT * FROM users WHERE email = '%s' AND password = '%s'",
    mysql_real_escape_string($_POST['email']),
    mysql_real_escape_string(md5($_POST['password'])));
$sql = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($sql) > 0){
    $row = mysql_fetch_array($sql);
    // Session values are taken from the database row
    $_SESSION['name'] = $row['name'];
    $_SESSION['id'] = $row['id'];
    $_SESSION['group'] = $row['group'];
    $_SESSION['gender'] = $row['gender'];
    $_SESSION['logged'] = TRUE;
}else{
    header("Location: /login.php");
    exit;
}
```

Notice this line:

```php
$_SESSION['logged'] = TRUE;
```

On all my pages that require a user to be logged in, I just use this code:

```php
session_start();
// Not logged in: send the visitor away before any page content is produced
if(empty($_SESSION['logged'])){
    header("Location: /");
    exit;
}
// Place the rest of the HTML/PHP here
```

Hope this helps.

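
The advice in this part of the thread (fill the session from the row the database returns, not from $_POST) as an added example that is not code from any poster. It assumes PHP 7+ with PDO and SQLite, and it uses bound parameters and password_hash()/password_verify() in place of the thread's mysql_* functions and md5(); the members table, its columns and the sample user are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread; table, columns and user are constructed.

function attempt_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the submitted value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        // Plain-text message for login.php to show once (escape it on output).
        $_SESSION['error'] = 'Wrong Username or Password';
        return false;
    }

    session_regenerate_id(true);                 // fresh session id after login
    unset($_SESSION['error']);
    $_SESSION['user_id']    = (int) $row['id'];  // identity comes from the row the
    $_SESSION['myusername'] = $row['username'];  // database returned, not from $_POST
    return true;
}

function is_logged_in(): bool
{
    // What main.php would check before showing anything.
    return isset($_SESSION['user_id'], $_SESSION['myusername']);
}

// Constructed demo: in-memory SQLite stands in for the thread's MySQL table.
// NOCASE mimics a case-insensitive column, so "KYLE" matches the stored "Kyle".
ob_start();          // buffer output so session calls also work from the CLI
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY,
           username TEXT COLLATE NOCASE UNIQUE, pw_hash TEXT)');
$db->prepare('INSERT INTO members (username, pw_hash) VALUES (?, ?)')
   ->execute(['Kyle', password_hash('constructed-pass', PASSWORD_DEFAULT)]);

var_dump(attempt_login($db, 'KYLE', 'wrong-pass'));        // rejected, error stored
var_dump(is_logged_in());
var_dump(attempt_login($db, 'KYLE', 'constructed-pass'));  // accepted
var_dump($_SESSION['myusername']);  // stored spelling from the row, not the typed one
ob_end_flush();
```
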
whiteboikyle Posted August 4, 2008 (Author)

> session_register is deprecated so don't use it; now it is unneeded. Also strip tags/stripslashes is unneeded if you are running mysql_real_escape.

How would you register an error then to send back to the last page?

DarkWater Posted August 4, 2008

You should just process the login form on the same page, in the same PHP file. By the way, your "Process" class is ridiculously useless, not gonna lie. >_> You should read up on OOP principles. There's no point in the class whatsoever, because it just does random things and has no direct task.

cooldude832 Posted August 4, 2008

No, registering sessions is not used any more. To add to the superglobal array you simply put

```php
<?php
session_start();
$_SESSION['var'] = "Value";
?>
```

instead of

```php
<?php
session_start();
session_register('var');
$_SESSION['var'] = "Value";
?>
```

The registration will produce an error, call to undefined function, as of PHP 6.0.

Andy-H Posted August 4, 2008

```php
if(!preg_match('/^[a-zA-Z0-9]+$/i', $myusername))
```

Why not just use

```php
if(!ctype_alnum($myusername))
```

whiteboikyle Posted August 4, 2008 (Author)

> No, registering sessions is not used any more. To add to the superglobal array you simply put
>
> ```php
> <?php
> session_start();
> $_SESSION['var'] = "Value";
> ?>
> ```
>
> instead of
>
> ```php
> <?php
> session_start();
> session_register('var');
> $_SESSION['var'] = "Value";
> ?>
> ```
>
> The registration will produce an error, call to undefined function, as of PHP 6.0.

Well, on the next page I go

```php
if(session_is_registered('error')){
    echo $_SESSION['error'];
}
```

and Andy-H, I will look into the "ctype_alnum".

This topic is now archived and is closed to further replies.