aeonsky Posted April 23, 2009

I have a login script that checks for a correct username and password from a flat-file database. I was using preg_match, but I realized stripos should do the same thing but much faster. And I was wondering if this can be exploited in any way. I tried a combination of things, but they weren't successful.

```php
public function check_login($u, $p) {
    $p = md5($p);
    $pos = stripos(file_get_contents($this->users_db), "{$u}:{$p}*");
    if ($pos !== false) return true;
    else return false;
}
```

Flatfile db

```
<?PHP die(); ?>*
lol:9cdfb439c7876e703e307864c9167a15*
test:098f6bcd4621d373cade4e832627b4f6*
admin:21232f297a57a5a743894a0e4a801fc3*
```

Thanks for the time!

alphanumetrix Posted April 23, 2009

Are you asking if it's safe? I would say probably yes. I would recommend defining a constant in the file you want this flatfile to run through though; then check if the constant isn't defined in the file, and kill the script if it is. That will prevent people from accessing it without your specific script.

Script to run through:

```php
<?php define ('HeLLoPeOpLzZ', 1); ?>
```

flatfile:

```php
<?php if ( !defined('HeLLoPeOpLzZ') ) die (''); ?>
```

I think that's what you intend with the die() function, but I don't really understand how that works in your situation.

xtopolis Posted April 23, 2009

Additionally, store that file in a non WWW accessible directory.

aeonsky (Author) Posted April 23, 2009

The reason why I asked if it could be exploited, well, not exploited, but made to do things that it shouldn't, is because it's not regex (less control). And I just found one...

Take this line for example:

lol:9cdfb439c7876e703e307864c9167a15*

By the way, md5("lol") equals "9cdfb439c7876e703e307864c9167a15".

If you enter "ol" as username and "lol" as password, you still get entered as user "lol". Can anyone help with a solution (without using regex)?

Now that I think about it, it is not terrible that it does that, since if there was a user called "ol" he would have a different password anyways. But if they somehow ended up with the same passwords, all these users have the same privileges. However, I'd still like for it to somehow be solved.

Thank you!

laffin Posted April 23, 2009

it's not safe if u understand how strpos works. Use delimiters around yer strings.

instead of
{$u}:{$p}*
use something like
\x01{$u}:{$p}*

now \x01 will be treated as a special character, CTRL-A, which u shouldn't be able to enter by keyboard.

or ya can use \n which is a newline, which is how lines end in the text file, but that means for the first line, ya either have a comment, or leave it empty
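
Added example, not part of any post in the thread: the substring check from the first post next to a regex-free check that compares whole fields, run against a constructed copy of the flat file. The function names are hypothetical, md5 is kept only to match the thread's file format, and note that stripos also ignores letter case in both the username and the hash.

```php
<?php
// Constructed sample in the thread's flat-file format (first line is the PHP guard).
$db = "<?PHP die(); ?>*\n"
    . "lol:9cdfb439c7876e703e307864c9167a15*\n"
    . "test:098f6bcd4621d373cade4e832627b4f6*\n"
    . "admin:21232f297a57a5a743894a0e4a801fc3*\n";

// The thread's check: a case-insensitive substring search over the whole file.
function check_login_substring(string $db, string $u, string $p): bool
{
    return stripos($db, "{$u}:" . md5($p) . "*") !== false;
}

// Hypothetical replacement: split each record into fields and compare them whole.
function check_login_exact(string $db, string $u, string $p): bool
{
    $hash = md5($p); // assumption: same unsalted md5 format as the thread's file
    $ok = false;
    foreach (explode("\n", $db) as $line) {
        $line = rtrim($line, "\r");
        if (substr($line, -1) !== '*') {
            continue; // blank line or record without the trailing marker
        }
        $parts = explode(':', substr($line, 0, -1), 2);
        if (count($parts) !== 2) {
            continue; // guard line or malformed record
        }
        // Exact, case-sensitive username; constant-time hash comparison.
        if ($parts[0] === $u && hash_equals($parts[1], $hash)) {
            $ok = true;
        }
    }
    return $ok;
}

// Cases: the thread's "ol"/"lol" pair, a case-changed username, a real user.
foreach ([['ol', 'lol'], ['LOL', 'lol'], ['lol', 'lol']] as [$u, $p]) {
    printf("%-4s substring=%s exact=%s\n", $u,
        var_export(check_login_substring($db, $u, $p), true),
        var_export(check_login_exact($db, $u, $p), true));
}
```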