steff_dk Posted October 16, 2006

I'm using this login script on a page, but I fear I have some serious safety issues: How can I check if the variables were posted from the login.htm page? Other comments on the safety issues are highly appreciated. Gotta stay cracker-safe ;)

Cheers,
Steff

[code]
<?PHP
$user = $_POST['username'];
$pass = md5($_POST['password']);

//set the database connection variables
$dbHost = "localhost";
$dbUser = "myUserName";
$dbPass = "myPwd";
$dbDatabase = "somedomain_dk";

//connect to the database
$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");
mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

$result = mysql_query("select * from siteadmins where username='$user' AND password='$pass'", $db);

//check that at least one row was returned
$rowCheck = mysql_num_rows($result);
if($rowCheck > 0){
    while($row = mysql_fetch_array($result)){
        //start the session and register a variable
        session_start();
        session_register('username');
        //Redirect the user to another page where we will make sure the session 'username' is started.
        header( "Location: admin.php" );
    }
} else {
    //if nothing is returned by the query, unsuccessful login code goes here...
    echo 'Invalid username or password.';
}
?>
[/code]
neoform Posted October 16, 2006

You can't verify a user's referral page with any certainty, since the user's client can easily lie by modifying its header information.

A standard way to authenticate a user is to create a cookie (or session, whichever you want) containing the user's login and md5(password) and check on every page load that those two credentials match the info that's in the database.
alpine Posted October 16, 2006

Another idea: Generate and insert a random string (md5 or sha1 for instance) and a timestamp into a mysql table upon loading the login form, and pass the generated random value along in a hidden field in the login form. Before allowing a query for a valid user in the result page, check the random string against a match in the "random" table. This way you can be pretty sure that it is a genuine login attempt. Delete all random strings older than e.g. 10 minutes or something in your login script just to clean up.

EDIT: Also, in your current script you are pretty much wide open to injection attempts; always filter user input before letting it pass to the query. Just switching the WHERE clause would make things a lot safer, by first matching the password and then matching the username. Any injection attempt would have to know the password rather than the (normally) easier username to open up.

A small rewrite that should improve the total:

[code]
<?php
if(!empty($_POST['username']) && !empty($_POST['password']))
{
    $user = htmlspecialchars($_POST['username']);
    $pass = md5(htmlspecialchars($_POST['password']));

    $dbHost = "localhost";
    $dbUser = "myUserName";
    $dbPass = "myPwd";
    $dbDatabase = "somedomain_dk";

    $db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");
    mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

    $result = mysql_query("select * from siteadmins where password='$pass' and username='$user'", $db);

    if(mysql_num_rows($result) == "1")
    {
        session_start();
        $_SESSION['username'] = $user;
        header( "Location: admin.php" );
        exit();
    }
    else
    {
        echo 'Invalid username or password.';
    }
}
else
{
    echo 'Missing required information';
}
?>
[/code]

But still, you are relying on just one easy session with the username to verify access to your restricted area. A random db-stored string might be worth considering as well.
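The one-time login token described in the post above, written out as an added example (not alpine's code and not PHP: it uses Python with an in-memory sqlite3 table standing in for the MySQL "random" table, so it runs offline). The table name `login_tokens`, the hidden-field name `login_token` and the `login_gate` flow are assumptions of this example. The token comes from `secrets.token_hex` rather than an md5 of something, because a token is only useful if it cannot be predicted; it is deleted when consumed, so a replayed form fails, and anything older than ten minutes is purged on every login attempt. One caveat worth keeping in mind: this proves the form was fetched from your server recently and is only submitted once, not that a human typed into it, since a script can fetch login.htm and read the token just like a browser does.

```python
import secrets
import sqlite3
import time

# Cleanup window from the post: tokens older than ten minutes are dropped.
TOKEN_TTL_SECONDS = 600


def make_db():
    """Constructed in-memory stand-in for the 'random' MySQL table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_tokens (token TEXT PRIMARY KEY, created INTEGER)")
    db.commit()
    return db


def issue_token(db, now=None):
    """Run when login.htm is rendered: store a fresh random token with a
    timestamp and hand it back so the form can carry it in a hidden field.
    secrets.token_hex(16) gives 128 random bits; md5/sha1 of something
    predictable (time, a counter) would be guessable."""
    now = int(time.time()) if now is None else now
    token = secrets.token_hex(16)
    db.execute("INSERT INTO login_tokens (token, created) VALUES (?, ?)", (token, now))
    db.commit()
    return token


def hidden_field(token):
    """The hidden input the login form submits next to username/password.
    The field name 'login_token' is an assumption of this example."""
    return '<input type="hidden" name="login_token" value="%s">' % token


def purge_expired(db, now):
    """The cleanup step: delete every token older than TOKEN_TTL_SECONDS."""
    db.execute("DELETE FROM login_tokens WHERE created < ?",
               (now - TOKEN_TTL_SECONDS,))
    db.commit()


def consume_token(db, token, now=None):
    """Run in the login script before any credential query. True only if the
    submitted token exists, is within the TTL and has not been used before:
    the row is deleted in the same statement, so a replayed token fails."""
    now = int(time.time()) if now is None else now
    purge_expired(db, now)
    cur = db.execute("DELETE FROM login_tokens WHERE token = ?", (token or "",))
    db.commit()
    return cur.rowcount == 1


def login_gate(db, form, now=None):
    """What the login script does first with the POSTed form (a dict standing
    in for $_POST): refuse before touching siteadmins unless the token is good."""
    if not consume_token(db, form.get("login_token"), now):
        return "rejected: missing, expired or reused login token"
    return "ok: proceed to the username/password query"


if __name__ == "__main__":
    db = make_db()
    token = issue_token(db)
    print(hidden_field(token))
    print(login_gate(db, {"login_token": token}))   # ok
    print(login_gate(db, {"login_token": token}))   # rejected: reused
    print(login_gate(db, {}))                        # rejected: missing
```

In a real deployment the token check happens before, not instead of, the password check, and the credential query itself still has to be parameterised or escaped; the token does nothing against SQL injection.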
steff_dk Posted October 17, 2006

SQL injection was a new concept for me. Read this brilliant page afterwards: http://www.unixwiz.net/techtips/sql-injection.html

Couldn't I just MD5 both username and password to prevent SQL injection?
mjlogan Posted October 17, 2006

You could login to the top script without using a valid username or password.

If you encrypt the password it will have better security.
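To make the last two posts concrete, here is an added example (mine, not code from anyone in the thread, and Python with sqlite3 rather than PHP with MySQL so it runs offline) that builds a one-row `siteadmins` table and tries four query shapes against it: the first post's string-spliced query, the reordered WHERE with `htmlspecialchars` from the second reply, steff_dk's "md5 the username too" idea, and a parameterised query. The `username_md5` column and the payload strings are constructed for the demonstration. sqlite treats `-- ` as a comment to end of line the same way MySQL does, so the payloads behave alike on both. The md5-username trick does stop the injection, because only `[0-9a-f]` ever reaches the SQL, but it also means you can never search or display the username column again; placeholders (PDO prepared statements, or `mysql_real_escape_string` with the old mysql extension) are the fix to prefer.

```python
import hashlib
import sqlite3


def md5hex(text):
    """The thread stores md5(password) as hex; kept here for fidelity.
    An unsalted fast hash is not how passwords should be stored today."""
    return hashlib.md5(text.encode()).hexdigest()


def htmlspecialchars(s):
    """PHP htmlspecialchars() with its default flags of the time (ENT_COMPAT):
    encodes & " < > and leaves the single quote alone."""
    return (s.replace("&", "&amp;").replace('"', "&quot;")
             .replace("<", "&lt;").replace(">", "&gt;"))


def make_db():
    """Constructed in-memory stand-in for siteadmins with one admin row.
    username_md5 exists only to try the 'md5 the username too' idea."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE siteadmins (username TEXT, username_md5 TEXT, password TEXT)")
    db.execute("INSERT INTO siteadmins VALUES (?, ?, ?)",
               ("admin", md5hex("admin"), md5hex("correct horse")))
    db.commit()
    return db


def login_original(db, user, password):
    """First post's query: input spliced into the SQL, any row counts."""
    sql = ("SELECT * FROM siteadmins WHERE username='%s' AND password='%s'"
           % (user, md5hex(password)))
    return len(db.execute(sql).fetchall()) > 0


def login_reordered_escaped(db, user, password):
    """Second reply's version: password first, htmlspecialchars on input,
    exactly one row required. The single quote still passes through."""
    sql = ("SELECT * FROM siteadmins WHERE password='%s' AND username='%s'"
           % (md5hex(password), htmlspecialchars(user)))
    return len(db.execute(sql).fetchall()) == 1


def login_md5_username(db, user, password):
    """steff_dk's question: hash the username as well. Only hex reaches the
    SQL, so a quote in the input cannot break out of the string literal."""
    sql = ("SELECT * FROM siteadmins WHERE username_md5='%s' AND password='%s'"
           % (md5hex(user), md5hex(password)))
    return len(db.execute(sql).fetchall()) > 0


def login_parameterised(db, user, password):
    """Placeholders keep input as data, never as SQL, and the username
    column stays readable. Exactly one row must match."""
    rows = db.execute(
        "SELECT * FROM siteadmins WHERE username=? AND password=?",
        (user, md5hex(password))).fetchall()
    return len(rows) == 1


# Constructed payloads typed into the username field, with a wrong password.
PAYLOAD_COMMENT_OUT = "admin' -- "          # knows the username, drops the password check
PAYLOAD_ANY_ROW = "' OR 1=1 -- "            # knows nothing at all
PAYLOAD_OR_USER = "' OR username='admin"    # knows the username, survives the reordered WHERE


if __name__ == "__main__":
    db = make_db()
    checks = [("original", login_original),
              ("reordered+htmlspecialchars", login_reordered_escaped),
              ("md5 username", login_md5_username),
              ("parameterised", login_parameterised)]
    for name, fn in checks:
        print("%-28s real creds=%s  %r=%s  %r=%s  %r=%s" % (
            name, fn(db, "admin", "correct horse"),
            PAYLOAD_COMMENT_OUT, fn(db, PAYLOAD_COMMENT_OUT, "wrong"),
            PAYLOAD_ANY_ROW, fn(db, PAYLOAD_ANY_ROW, "wrong"),
            PAYLOAD_OR_USER, fn(db, PAYLOAD_OR_USER, "wrong")))
```

The reordered WHERE does defeat `admin' -- `, since the comment only cuts off what follows the username, but `' OR username='admin` turns the clause into `(password=... AND username='') OR username='admin'` and logs in with the username alone, so the reorder buys less than it looks like it does. Only the md5-username and parameterised variants reject all three payloads.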