
Security question, how can this be hacked?


29 replies to this topic

#21 phil88

Posted 29 July 2006 - 02:04 PM

Is that secure, or can a user manipulate it some way? As usual, session_start() on each page, and then a check to see if they have the required level to see it. No cookies set afaik, just session variables. When the browser is closed, they are "logged out". Also, I didn't see a way to set a time limit on sessions like this - is there one? Or is it a php.ini alteration only? As far as I know to date it's secure, but with this topic tackling sessions and their security just now, I thought it would be a good idea to ask about it as well.

Well, I guess one way to get around the time issue would be to set a cookie when the session is set, to expire after a certain amount of time. Then on each page you could call a function or something that'd check for the cookie; if the cookie is expired or isn't there, then destroy the session.
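An added example, not phil88's code, of the per-page check described in this post, with the expiry time kept in the session on the server rather than in a client cookie (the browser, not the server, decides whether an expired cookie is still sent). The session key names, the numeric access level and the 30-minute window are assumptions.

```php
<?php
// Added example (not phil88's code): the per-page check from the post above,
// with the expiry time kept in $_SESSION on the server instead of in a cookie.
// Assumed: login sets $_SESSION['level'] (an integer) and each protected page
// knows the level it requires; the 30-minute window is an assumed value.
session_start();

const SESSION_TIMEOUT = 30 * 60; // seconds of inactivity before forced logout

function session_is_valid(int $required_level): bool
{
    // Not logged in at all (or a session that predates the login code).
    if (!isset($_SESSION['level'], $_SESSION['last_activity'])) {
        return false;
    }
    // Inactive too long. The browser cannot extend this: the timestamp never
    // leaves the server, unlike a cookie expiry, which the client enforces.
    if (time() - $_SESSION['last_activity'] > SESSION_TIMEOUT) {
        return false;
    }
    // Logged in, but below the level this page needs.
    if ($_SESSION['level'] < $required_level) {
        return false;
    }
    // Still valid: slide the inactivity window forward.
    $_SESSION['last_activity'] = time();
    return true;
}

function end_session(): void
{
    $_SESSION = [];
    // Also expire the session cookie so the old ID is not sent again.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// At login, after the credentials check (assumed $user_level from the DB):
//   session_regenerate_id(true);      // new ID, so a pre-login ID is worthless
//   $_SESSION['level'] = $user_level;
//   $_SESSION['last_activity'] = time();

// At the top of every protected page (2 = assumed level for this page):
if (!session_is_valid(2)) {
    end_session();
    header('Location: login.php');
    exit;
}
```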

#22 tomfmason

Posted 29 July 2006 - 07:35 PM

tomfmason:
I don't understand this line of your code;
$login_match= mysql_result($res, 0, 'login_match');

How can there be a row 0, and what should 'login_match' be if there isn't a field in the database called that?

HeyRay2:
Yes, I was going to use Sessions, but I have a question: how easily can they be modified by the user? I mean, would I need to run some sort of validation on them, or could I just do a simple if(isset($_SESSION['logged_in'])) to check if the user is logged in? (Assuming I set $_SESSION['logged_in'] when they log in)

You do not need a field in your database called login_match. Just try the code and you will see that it works and processes the login faster than most other login scripts. See my post on the previous page for the entire script.

BusinessMan, why do you disagree with the usage of sprintf() in this case?



By the way, BusinessMan is right about the sessions; I would start the session at the very top of the script.

Traveling East in search of instruction, and West to propagate the knowledge I have gained.

current projects: pokersource

My Blog | My Pastebin | PHP Validation class | Backtrack linux


#23 phil88

Posted 30 July 2006 - 09:35 AM

You do not need a field in your database called login_match. Just try the code and you will see that it works and processes the login faster than most other login scripts. See my post on the previous page for the entire script.

I'm sure it does work. I'm just curious to know how it works and how it would be better than the standard mysql_num_rows way. Is that function more resource intensive or something?

#24 tomfmason

Posted 30 July 2006 - 10:04 AM

OK, well this is faster mainly because of the way that I chose to search the database:

$sql= sprintf("SELECT COUNT(*) AS login_match FROM `users` WHERE `username` = '%s' AND `password`= '%s'", $username, $mdpwd);

SELECT COUNT is a faster way of searching a database when counting how many matches you have. If you try to use mysql_num_rows with SELECT COUNT then you will always return a value of 1, or a successful login. That is the reason that I use mysql_result.

Now I will explain mysql_result. Well, here is what the manual says about it:

string mysql_result ( resource result, int row [, mixed field] )

result
The result resource that is being evaluated. This result comes from a call to mysql_query().

row
The row number from the result that's being retrieved. Row numbers start at 0.

field
The name or offset of the field being retrieved. It can be the field's offset, the field's name, or the field's table dot field name (tablename.fieldname). If the column name has been aliased ('select foo as bar from...'), use the alias instead of the column name. If undefined, the first field is retrieved.

Good luck,
Tom



#25 phil88

Posted 30 July 2006 - 10:17 AM

So with mysql_result, it'll return 1 if it finds a matching record, but if it doesn't find a matching record it'll be false?

#26 tomfmason

Posted 30 July 2006 - 10:19 AM

Yes, it will return 1 for a match and 0 for no match.



#27 phil88

Posted 30 July 2006 - 10:22 AM

OK, thanks for the help. I shall try and incorporate that into what I already have.

I'm still questioning the security of sessions though, so if anyone can explain how secure they are, or point me towards an article or something, it would be much appreciated.

#28 tomfmason

Posted 30 July 2006 - 10:47 AM

What are you trying to develop? I am not sure who said it, but no matter what you do, if someone wants in they will get in.

Now the most common way to crack a site is by database insertion.

Here are two examples; these are assuming that you know the username and are trying to bypass the password.

' OR 1=1#

An explanation of this example:

The first step was to add a single quote, followed by an OR 1=1 condition, which always returns true, and a hash mark (#), which represents an SQL comment making the rest of the statement irrelevant.

Another example:

' OR ''='

This is basically the same, except that it is used for a different style of login script.

This is why I use mysql_real_escape_string.

Now as far as sessions go. If you are that worried about your site getting cracked (there is a difference between a hacker and a cracker) then I would read up on sessions (maybe some kind of session_hash), cookies and possibly recording the user's IP address.

Also you might want to require a spam key; a lot of sites have them at their contact form. If you do all of this you still will not be totally secure, but like BusinessMan said (I think it was him): all you can do is your best and hope to god it is good enough.

Good luck,
Tom

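An added example, not tomfmason's script, covering both the COUNT(*)/login_match lookup from post #24 and the two bypass strings quoted in post #28: the same lookup done with a mysqli prepared statement, so the user-supplied text is bound as a value and never becomes part of the SQL. The connection details, the `users` table layout and the use of password_hash()-style hashes in the `password` column are assumptions.

```php
<?php
// Added example (not tomfmason's script): the username/password lookup from
// post #24 done with a mysqli prepared statement. The inputs quoted above,
// ' OR 1=1# and ' OR ''=', are bound as plain string values, so they can only
// ever match a user whose name literally is that text. The connection details,
// the `users` table (columns `username`, `password`) and the use of
// password_hash()-style hashes in `password` are assumptions.

function login_ok(mysqli $db, string $username, string $password): bool
{
    // The SQL text is fixed; no user data is ever concatenated into it.
    $stmt = $db->prepare('SELECT `password` FROM `users` WHERE `username` = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);   // quotes and # stay inside the value
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();             // true for a row, null for none
    $stmt->close();

    if ($found !== true) {
        return false;                    // unknown username
    }
    // Compare against the stored hash instead of matching a hash in SQL.
    return password_verify($password, $stored_hash);
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb'); // assumed values
if ($db->connect_error) {
    exit('connection failed');
}

// Constructed attempts: a normal login and the bypass strings from the thread.
$attempts = [
    ['alice',     'correct-password'],
    ["' OR 1=1#", 'anything'],
    ["' OR ''='", 'anything'],
];
foreach ($attempts as [$user, $pass]) {
    printf("%-12s -> %s\n", $user, login_ok($db, $user, $pass) ? 'login' : 'rejected');
}
```

With the statement prepared this way, the two payload rows are rejected because no user row has that literal username; the query shape is the same regardless of what the visitor types.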


#29 phil88

Posted 30 July 2006 - 10:58 AM

Well, at the moment I'm not really developing anything specific, just making various scripts and seeing if I can get in using a web browser to places I shouldn't.


Is mysql_real_escape_string a surefire way of preventing all kinds of mysql injections?


Thanks for the tips about session_hash and spam keys, I shall have to read up on them as I've never heard of either of them :P *gets googling*


Edit: I just realised I do know what a spam key is, didn't realise that's what it was called though.

Edit 2: Is session hashing basically, getting the session ID and something unique to the users computer, like IP address, hashing them together, then storing that hash as a session variable, comparing it with a server-stored copy of that hash for that particular user, if the hashes are different then it's been modified?

#30 hackerkts

Posted 30 July 2006 - 11:01 AM

mysql_real_escape_string is not the only way to prevent SQL Injection, you can mix it with other php code like removing all those dangerous tags.

Regards,
hackerkts

To be a coder, you must learn how to think and not to give up so easily.




