lixid Posted November 5, 2006

OK, I have a very unique question and it is very difficult to put into words, as I am just learning the ins and outs of PHP, so here goes. I have a PHP script, login.php, which has an include of a login form... here is the original of the login script.

[u][b]login.php[/b][/u]
[code]<?php
include 'connect.inc.php';
?>
<?php
if (is_authed()) {
    print "You are already logged in.";
} else {
    if (!isset($_POST['submit'])) {
        // Show the form
        include 'login_form.inc.php';
        exit;
    } else {
        // Try and login with the given username & pass
        $result = user_login($_POST['username'], $_POST['password']);
        if ($result != 'Correct') {
            // Reshow the form with the error
            $login_error = $result;
            include 'login_form.inc.php';
        } else {
            echo 'Thank you for logging in, <a href="articles.php">click here</a> to go to the protected content.';
        }
    }
}
?>[/code]

[u][b]login_form.inc.php[/b][/u]
[code]<?php if (isset($login_error)) { ?>
There was an error: <?php echo $login_error; ?>, please try again.
<?php } ?>
<form action="login.php" method="post">
<b>Username:</b> <input type="text" size="20" maxlength="20" name="username"
<?php if (isset($_POST['username'])) { ?> value="<?php echo $_POST['username']; ?>" <?php } ?>/><br />
<b>Password:</b> <input type="password" size="20" maxlength="10" name="password" /><br />
<input type="submit" name="submit" value="Login" />
</form>[/code]

I found a tutorial on the net that helped me piece together what I want for my login script, and I am also looking to strengthen my security, and I understand how the process of POST and GET actually works.

My question is: I would like to POST to my login.php page and use the function [b]user_login[/b] in this function script.

[u][b]functions.inc.php[/b][/u]
[code]<?php
function user_login($username, $password)
{
    // Try and get the salt from the database using the username
    $query = "SELECT salt FROM user WHERE username='$username' LIMIT 1";
    $result = mysql_query($query);
    $user = mysql_fetch_array($result);

    // Using the salt, encrypt the given password to see if it
    // matches the one in the database
    $encrypted_pass = md5(md5($password).$user['salt']);

    // Try and get the user using the username & encrypted pass
    $query = "SELECT userid, username FROM user WHERE username='$username' AND password='$encrypted_pass'";
    $result = mysql_query($query);
    $user = mysql_fetch_array($result);
    $numrows = mysql_num_rows($result);

    // Now encrypt the data to be stored in the session
    $encrypted_id = md5($user['userid']);
    $encrypted_name = md5($user['username']);

    // Store the data in the session
    // (the user id comes from the fetched row; $userid was never defined)
    $_SESSION['userid'] = $user['userid'];
    $_SESSION['username'] = $username;
    $_SESSION['encrypted_id'] = $encrypted_id;
    $_SESSION['encrypted_name'] = $encrypted_name;

    if ($numrows == 1) {
        return 'Correct';
    } else {
        return false;
    }
}
?>[/code]

As I said, I would like to strengthen my security, and in the process of thinking about the way POST and GET actually work I discovered that I would like to make a random key encryption that I have come up with myself that is not on the internet, and it's not really an encryption system really, it is just a way of decoding what the code really is in PHP and the field names in the database... like I said, it is hard to explain, it is kinda like cross coding I guess you might call it .. the code is very similar to this.....

[table]
[tr][td][u][b]original[/b][/u][/td] [td][u][b]PHP CODE[/b][/u][/td] [td][u][b]DATABASE[/b][/u][/td][/tr]
[tr][td]id[/td] [td]doaxoaslethoewrl[/td] [td]glufriasouviuthoa[/td][/tr]
[tr][td]username[/td] [td]nlukluzlufoethou[/td] [td]chiucoecoatriuspo[/td][/tr]
[tr][td]password[/td] [td]crlerlupiejouphi[/td] [td]qoaswiagiuxiudoeg[/td][/tr]
[tr][td]salt[/td] [td]klefrlethoudriuf[/td] [td]qlumluprluphiuswl[/td][/tr]
[/table]

Now that we have this as kind of an encoding/decoding tool, I would like to replace these things with the PHP code and the database code in the query strings. The thing is, I have tried this and for some reason it will not work properly. Basically, how I would like it to work is: the login.php page holds the username and password POST variables, and I would like to be able to do the code kinda like this....

[u][b]login.php[/b][/u]
[code]<?php
include 'connect.inc.php';
?>
<?php
if (is_authed()) {
    print "You are already logged in.";
} else {
    if (!isset($_POST['submit'])) {
        // Show the form
        include 'login_form.inc.php';
        exit;
    } else {
        // Try and login with the given username & pass
        $result = user_login($_POST['nlukluzlufoethou'], $_POST['crlerlupiejouphi']);
        if ($result != 'Correct') {
            // Reshow the form with the error
            $login_error = $result;
            include 'login_form.inc.php';
        } else {
            echo 'Thank you for logging in, <a href="articles.php">click here</a> to go to the protected content.';
        }
    }
}
?>[/code]

[u][b]login_form.inc.php[/b][/u]
[code]<?php if (isset($login_error)) { ?>
There was an error: <?php echo $login_error; ?>, please try again.
<?php } ?>
<form action="login.php" method="post">
<b>Username:</b> <input type="text" size="20" maxlength="20" name="nlukluzlufoethou"
<?php if (isset($_POST['nlukluzlufoethou'])) { ?> value="<?php echo $_POST['nlukluzlufoethou']; ?>" <?php } ?>/><br />
<b>Password:</b> <input type="password" size="20" maxlength="10" name="crlerlupiejouphi" /><br />
<input type="submit" name="submit" value="Login" />
</form>
<a href="index.php">index</a>[/code]

[u][b]functions.inc.php[/b][/u]
[code]<?php
function user_login($username, $password)
{
    // Try and get the salt from the database using the username
    $query = "SELECT qlumluprluphiuswl FROM spoepoaswoacrieglu WHERE chiucoecoatriuspo='$username' LIMIT 1";
    $result = mysql_query($query);
    $user = mysql_fetch_array($result);

    // Using the salt, encrypt the given password to see if it
    // matches the one in the database
    $encrypted_pass = md5(md5($password).$user['qlumluprluphiuswl']);

    // Try and get the user using the username & encrypted pass
    $query = "SELECT glufriasouviuthoa, chiucoecoatriuspo FROM spoepoaswoacrieglu WHERE chiucoecoatriuspo='$username' AND qoaswiagiuxiudoeg='$encrypted_pass'";
    $result = mysql_query($query);
    $user = mysql_fetch_array($result);
    $numrows = mysql_num_rows($result);

    // Now encrypt the data to be stored in the session
    $encrypted_id = md5($user['glufriasouviuthoa']);
    $encrypted_name = md5($user['chiucoecoatriuspo']);

    // Store the data in the session
    // (the user id comes from the fetched row; $userid was never defined)
    $_SESSION['glufriasouviuthoa'] = $user['glufriasouviuthoa'];
    $_SESSION['chiucoecoatriuspo'] = $username;
    $_SESSION['encrypted_id'] = $encrypted_id;
    $_SESSION['encrypted_name'] = $encrypted_name;

    if ($numrows == 1) {
        return 'Correct';
    } else {
        return false;
    }
}
?>[/code]

Kind of confusing to the eye, but basically I want to point the PHP code (doaxoaslethoewrl) to the database (glufriasouviuthoa). My logic behind this is that I know that when you use POST or GET, people can sniff and get the information you typed into the form.... so I thought that it would be a good idea to somehow throw whoever is sniffing off the trail by throwing out data that really isn't what they think it is, and putting the pieces together would be harder than normal, I would think .. but I could be wrong, and if I am, please just let me know without flaming me too hard .. :] If this doesn't make sense, just leave a post and I will try to be more specific or detailed..

Thanx in advance, and I hope I can get some help to figure this out.... thanx

gmwebs Posted November 5, 2006

Well... My opinion is this: If your data was [i]that[/i] sensitive that you need to encrypt the values on the wire, then I would be looking at using SSL for those transactions that did. Just remember that your sql stuff is all server-side, and potentially even on the same server as your web stuff, so the only data that would be traversing the wire would be your POST data from your forms - which SSL will secure perfectly. As for storing encrypted values in the database, you would just need to encrypt them before your sql query inserts them into the tables.

If you are concerned with having clear text data stored in the tables, then as I said, encrypt the values before inserting them, and then decrypt them before displaying them. Obviously, if you were concerned about the data you were displaying back to the user agent, then you would have to use SSL, otherwise you would just be passing the clear text value back to the browser when you decrypt it to display it.

I am sure that there are many other people who are much more experienced with this kind of thing, and hopefully they will fill in anything that I have left out.

lixid Posted November 5, 2006

Well, what I'm really trying to do is to create a semi sorta encryption that would throw anyone that is trying to sniff off, so that it is harder to decipher what is going through. I want to keep clear text, as doing an encryption/decrypt both ways would slow things down quite a bit I would think, and I don't want to have to get an SSL cert as they are expensive and I don't really have the start up capital to get one. So let me explain a little more by saying that what I want to do is:

1. When the user fills in the data, the form data such as username would pass through as "nlukluzlufoethou" with clear text (ex. "fred" as the username), but the name or handler that it is attached to would be "nlukluzlufoethou". Correct me if I'm wrong.
2. When the post data comes through to the same page, it would use the function to insert or select the information in the database, where the field that it would be selecting/inserting into is "chiucoecoatriuspo", then return the value and log me in.

I already have a register form that does the inserting, but for some reason when I try to do the log in form it doesn't work.

Thanx for the reply .. if this is still unclear what I would like to accomplish .. just let me know. Thanx again ..

gmwebs Posted November 5, 2006

Unless you are doing something with JavaScript, the POST data in your scenario will be passed through as clear text. The user will input "fred" and "password" into the text fields, and when he clicks submit, those exact values will be passed. The mere fact that you have named the fields something weird would not really thwart anyone who was sniffing the wire, as anyone who sees 2 values coming across as "fred" and "password" would immediately put 2 and 2 together. The only true way to secure wire transmissions is to use SSL.

lixid Posted November 5, 2006

Well, I'm curious: say in the form it says name='username', if I put in "nlukluzlufoethou" instead of username... and name='password', if I put in "crlerlupiejouphi" instead of password ... and the user typed in the username of "fred" and the password of "blah", and the password gets its md5 encryption ... when the form gets posted, wouldn't there be header information that says something like username=fred and password=blah (but encrypted)? My theory, which might be kinda bizarre or stupid .. is that if the header information that gets sniffed could come up as nlukluzlufoethou=fred and crlerlupiejouphi=blah (but md5 encrypted), then also the various other bits of information come through, then the actual database fields are actually "chiucoecoatriuspo" for username and "qoaswiagiuxiudoeg" for password. Wouldn't that make SQL injection and other forms of cracking and such harder for the person trying to get in?

gmwebs Posted November 5, 2006

Well, I think you don't quite understand the mechanism of forms. When you have an html form, and the fields are displayed to the browser ([i]client-side[/i]), no matter what you call them, when the user clicks submit the form is posted (POST or GET method) to its target script and the data that is posted is in clear text. On the receiving script, you then perform any encryption/decryption on the [i]server-side[/i].

As I said in my previous posts, the [b]only[/b] way you can secure transmission of data over HTTP is to use HTTPS (SSL). Think of it, if you do internet banking, you have to use SSL. Now that's not because they have enough money to buy an SSL certificate, it's because it's the [i]only[/i] way to secure the transaction.

Whenever user input is involved, and that input has to be encrypted, there is no other way to do it.

lixid Posted November 5, 2006

Well, I really don't want to encrypt anything except for the password, which I do using md5 ... and I know how SSL works .. I also know that everything is posted in clear text .. all I was trying to do is confuse, or at least make it harder to decipher, what fields are actually in the database. Do you understand my meaning? .. I want to have, say, in the form .. username, but in the database I want to have it say "nlukluzlufoethou", so that SQL injection is harder, because the person that is trying to get into or hack my website wouldn't know the database field to inject into .. is that a little clearer? .. sorry .. if I have been unclear..

gmwebs Posted November 5, 2006

Well yeah, sure, if you name your db fields something weird, then it would obviously make it harder to guess your table structures. That is the only benefit I can see. It would make it hell on earth for anyone else to work with your code though!

lixid Posted November 5, 2006

I don't really need anyone to work with my code .. so .. but mainly I needed to find out how I could do a POST of, say, name='username' to a function that does a SELECT of a different field name than what the POST actually was. I guess I would just have to pass the POST into a variable, correct? Or is there a better way I might be able to handle this?

gmwebs Posted November 6, 2006

Yep... Assign the POST value to a variable and then use that variable in your query. Or you could just use the [code=php:0]$_POST['username'][/code] directly.
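
Added example, not part of the thread or either poster's code: one way to read the oddly named form fields and query the differently named columns from the first post's table, with the submitted values bound as parameters so that resistance to SQL injection does not depend on the column names being secret. It swaps the thread's mysql_* calls and md5 salt scheme for PDO and password_hash()/password_verify(), drops the salt column because password_hash() stores its own salt, and uses a constructed in-memory SQLite table in place of the poster's MySQL database; demo_db() is a hypothetical helper.

```php
<?php
// Constructed in-memory table standing in for the poster's MySQL table
// (hypothetical helper; table and column names are the ones in the thread).
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE spoepoaswoacrieglu (
        glufriasouviuthoa INTEGER PRIMARY KEY,
        chiucoecoatriuspo TEXT UNIQUE,
        qoaswiagiuxiudoeg TEXT)');
    $ins = $db->prepare('INSERT INTO spoepoaswoacrieglu
        (chiucoecoatriuspo, qoaswiagiuxiudoeg) VALUES (?, ?)');
    // Constructed sample account: fred / blah.
    $ins->execute(['fred', password_hash('blah', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the user id on success, null on any failure.
function user_login(PDO $db, array $post): ?int
{
    // Form field names differ from the column names; only values are taken
    // from the request, and they never become part of the SQL text.
    $username = $post['nlukluzlufoethou'] ?? '';
    $password = $post['crlerlupiejouphi'] ?? '';
    if (!is_string($username) || !is_string($password)) {
        return null; // e.g. nlukluzlufoethou[]=x arrives as an array
    }
    $stmt = $db->prepare('SELECT glufriasouviuthoa, qoaswiagiuxiudoeg
        FROM spoepoaswoacrieglu WHERE chiucoecoatriuspo = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['qoaswiagiuxiudoeg'])) {
        return null;
    }
    return (int) $row['glufriasouviuthoa'];
}

$db = demo_db();
// Constructed requests: valid login, wrong password, and a username
// containing quote characters, which is bound as data and matches no row.
var_dump(user_login($db, ['nlukluzlufoethou' => 'fred', 'crlerlupiejouphi' => 'blah']));
var_dump(user_login($db, ['nlukluzlufoethou' => 'fred', 'crlerlupiejouphi' => 'wrong']));
var_dump(user_login($db, ['nlukluzlufoethou' => "fred' --", 'crlerlupiejouphi' => 'blah']));
```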

lixid Posted November 6, 2006

Thanx for the confirmation .. does this sound like a good idea, or do you think it is pretty useless? Just seemed like an added security feature that has not really been used a lot and might not be something anyone would really try to figure out, as it is so bizarre .. :] lol .. or not .. anyways, thanx again .. gmwebs