condoravenue Posted December 4, 2010 Share Posted December 4, 2010 http://breckenridge-snow-report.com/test2 I am new to php and mySQL. This site doesn't have a purpose yet; it only creates an account and lets you manage it. I have a few questions. 1. Could a spammer get into the all the emails? 2. Could someone figure out a user's username and password? 3. If the password field was instead credit card info, would it be safe too? 4. Could robots or something find a way to create fake accounts on this? If you think that it is 0% secure and there are hundreds of problems... see this simpler version, and critique it: http://breckenridge-snow-report.com/test Thanks for the help. Link to comment Share on other sites More sharing options...
QuickOldCar Posted December 4, 2010 Share Posted December 4, 2010 Seems to work fine. Just a heads up, you wrote sing up instead of sign up Link to comment Share on other sites More sharing options...
Pikachu2000 Posted December 4, 2010 Share Posted December 4, 2010 You need to add some form field validation; currently there is none. Link to comment Share on other sites More sharing options...
Zurev Posted December 4, 2010 Share Posted December 4, 2010 You need to add some form field validation; currently there is none. As Pikachu said, far from information being validated, I didn't check most of the stuff, except it accepted literally anything for an email address, look up how to use preg_match to verify an email address, I'm unsure if it lets you enter different passwords, I assume not. Hard to tell if it's really secure with just a registration/login, once you've developed more it will be easier. As far as sql injection it passed the OR 1 test Link to comment Share on other sites More sharing options...
ignace Posted December 4, 2010 Share Posted December 4, 2010 As far as sql injection it passed the OR 1 test Try that again but this time use: ' qsdf It will show you: mysql_num_rows(): supplied argument is not a valid MySQL result resource Which means the query was invalid and mysql_query() returned false. It also means there is no validation on the result between the query part and mysql_num_rows() part. To the OP: I didn't hack your website or caused any damage I merely entered some information of which I know MySQL won't execute. Link to comment Share on other sites More sharing options...
condoravenue Posted December 4, 2010 Author Share Posted December 4, 2010 "I didn't check most of the stuff, except it accepted literally anything for an email address" I did not put an email validator in yet. I am currently primarily concerned with how secure is private data people give me. There are several other validations in there. the 2 passwords have to be the same. The username has to be a certain length, and password has to be >= 8 in length. It checks username availability too. I can add something simple to check the validity of email too. So my concerns are: 1. Could a spammer get into the all the emails? 2. Could someone figure out a user's username and password? 3. If the password field was instead credit card info, would it be safe too? The fourth is slightly less important. 4. Could robots or something find a way to create fake accounts on this? Link to comment Share on other sites More sharing options...
Zurev Posted December 4, 2010 Share Posted December 4, 2010 "I didn't check most of the stuff, except it accepted literally anything for an email address" I did not put an email validator in yet. I am currently primarily concerned with how secure is private data people give me. There are several other validations in there. the 2 passwords have to be the same. The username has to be a certain length, and password has to be >= 8 in length. It checks username availability too. I can add something simple to check the validity of email too. So my concerns are: 1. Could a spammer get into the all the emails? 2. Could someone figure out a user's username and password? 3. If the password field was instead credit card info, would it be safe too? The fourth is slightly less important. 4. Could robots or something find a way to create fake accounts on this? Right, however I think it's important to note that your validation is entirely composed of javascript, I just disabled javascript on my browser and was able to use whatever lengths I wanted, etc. As for your other concerns... Seeing as your script seems vulnerable to sql Injection, I wouldn't rule numbers 1 or 2 out. Fortunately I assume you're encrypting the passwords using md5/sha1 so if that situation were to arise they would be seemingly useless (though md5 can be cracked outside of php). As for #3, I hope it's hypothetical because storing credit card information is an entirely different ball game, and the biggest question is whether or not you really HAVE TO. However, for the theoretical mind, if they were passwords, encrypt them with at least sha1 so if they do get accessed, they're practically useless. As for the fourth, completely possible, you need to look into using something similiar to reCaptcha to stop this. So overall - Look into the use of mysql_real_escape_string(or PDO), reCaptcha, and handling your errors/validation better. Link to comment Share on other sites More sharing options...
condoravenue Posted December 4, 2010 Author Share Posted December 4, 2010 I did use sha1 for the passwords. Can you guys even see my php code? Do I neet to post it in here? another thing: On the myaccount.php page, there are two options that alter account info: change password and delete account. Is there any way an unauthorized person/robot could do this? Link to comment Share on other sites More sharing options...
Zurev Posted December 4, 2010 Share Posted December 4, 2010 I did use sha1 for the passwords. Can you guys even see my php code? Do I neet to post it in here? another thing: On the myaccount.php page, there are two options that alter account info: change password and delete account. Is there any way an unauthorized person/robot could do this? Assuming the user needs to be logged in to delete their account and change password, it should not be an issue for robots. To tighten up security around change password I would make it like most sites Enter current password, then type new, and confirm new. Again, you ask about unauthorized people accessing these areas, if it's vulnerability to SQL Injection then yes it's possible, and no we can not see your code, since php is interpreted it gets output as html. I'm also curious since you store two sessions, one named user and has the username, I hope this is ONLY used for the "welcome username" part, because anyone can easily edit it to be whatever they choose. Link to comment Share on other sites More sharing options...
Pikachu2000 Posted December 4, 2010 Share Posted December 4, 2010 I did use sha1 for the passwords. SHA1 is OK, but it would be more secure if also use a salt. Can you guys even see my php code? Do I neet to post it in here? You'd need to post it; PHP code doesn't get sent to the browser (or at least it shouldn't). another thing: On the myaccount.php page, there are two options that alter account info: change password and delete account. Is there any way an unauthorized person/robot could do this? Can't say without seeing the code. Also, you should note that javascript is not validation. Validation needs to be done server-side. Link to comment Share on other sites More sharing options...
condoravenue Posted December 5, 2010 Author Share Posted December 5, 2010 I'm also curious since you store two sessions, one named user and has the username - accident. To tighten up security around change password I would make it like most sites Enter current password, then type new, and confirm new. - will do. and no we can not see your code - sorry I didn't know this. I will fix a few things, and post with some of my code too when I'm finished. Thanks for your guys' help. Link to comment Share on other sites More sharing options...
Recommended Posts