noobdood Posted May 20, 2014 Share Posted May 20, 2014 (edited) hi, im trying to create a website and only now started thinking about the security part(noob mistake). say for example i have home.php page and an index.php page. index.php is where users would sign up/log in. the login and sign up processes are all done but i was thinking of creating a unique id of some sort for when the user logs in. or something like this site (forum.phpfreaks) when we sign in, you are signed but the url stays the same = forums.phpfreaks.com. like if we were signed out we will be permanantly signed out and typing in forums.phpfreaks.com would just land us at the main page where we need to sign in. right now ,my home.php can be accessed with or without logging in even with sessions. hope im making sense, thanks in advanced! **haha that rhymed. i tried adding: <?php echo $_SERVER[php_SELF] . '?name=' . $userData['name'];?> in the index.php: <?php ob_start(); session_start(); if(isset($_POST['login'])) { $email = $_POST['email']; $password = $_POST['pass']; require "connection.php"; $emails = mysqli_real_escape_string($con, $email); $query = "SELECT id, name, email, password, salt FROM users WHERE email = '$emails';"; $result = mysqli_query($con, $query); if(mysqli_num_rows($result) == 0) // User not found. So, redirect to login_form again. { echo "<script>alert(\"User does not exist!\")</script>"; } $userData = mysqli_fetch_array($result, MYSQLI_ASSOC); $hash = hash('sha256', $userData['salt'] . hash('sha256', $password) ); if($hash != $userData['password']) { echo "<script>alert(\"Incorrect Password!\")</script>"; }else{ session_regenerate_id(); $_SESSION['sess_user_id'] = $userData['id']; $_SESSION['sess_name'] = $userData['name']; session_write_close(); header('Location: home.php?user='); } } ob_flush(); ?> <!DOCTYPE html> <form name="login" method="post" action="<?php echo $_SERVER[PHP_SELF] . '?name=' . $userData['name'];?>"> but i got access forbidden! Edited May 20, 2014 by noobdood Quote Link to comment https://forums.phpfreaks.com/topic/288609-generate-unique-url-id/ Share on other sites More sharing options...
Solution Jacques1 Posted May 20, 2014 Solution Share Posted May 20, 2014 Hi, this is absolutely unnecessary. The session already tells you whether the user is logged in and who she is. So all you need to do is check the session. Speaking of security: The SHA-2 algorithm is not suitable for password hashing at all. A stock PC can calculate billions of SHA-2 per second and find out almost any password simply by trying out different combinations. You need an actual password hashing algorithm like bcrypt. If you have PHP 5.5, use the new hashing API. If you don't have PHP 5.5 but at least 5.3.7, use the password_compat library. Inserting $_SERVER['PHP_SELF'] directly into the HTML document makes the page vulnerable to cross-site scripting attacks. Always escape data with htmlspecialchars() before you insert it into an HTML context. Never trust the user input. While you do escape the SQL input, a much more secure solution would be to use a parameterized statement and separate the data from the query itself. Quote Link to comment https://forums.phpfreaks.com/topic/288609-generate-unique-url-id/#findComment-1480115 Share on other sites More sharing options...
noobdood Posted May 20, 2014 Author Share Posted May 20, 2014 Thanks for the tips Jacques. so i read through the password_hash() doc. changed my code. is this correct?: $password1 = $_POST['pass']; $hash = password_hash($password1, PASSWORD_DEFAULT); $name = mysqli_real_escape_string($con, $name); $query ="INSERT INTO users (id, name, email, number, password) VALUES('','$name','$email','$number','$hash')"; Quote Link to comment https://forums.phpfreaks.com/topic/288609-generate-unique-url-id/#findComment-1480123 Share on other sites More sharing options...
Jacques1 Posted May 20, 2014 Share Posted May 20, 2014 The hash part is fine, but the dynamic query should be replaced with a proper parameterized statement: $insert_user_stmt = $database->prepare(' INSERT INTO users (name, email, number, password) VALUES(?, ?, ?, ?) '); $insert_user_stmt->bind_param('ssis', $name, $email, $number, $hash); $insert_user_stmt->execute(); Quote Link to comment https://forums.phpfreaks.com/topic/288609-generate-unique-url-id/#findComment-1480129 Share on other sites More sharing options...
noobdood Posted May 20, 2014 Author Share Posted May 20, 2014 (edited) yeah im still reading up on that. whats 'ssis' in bind_param('ssis', $name, $email, $number, $hash) also there was a 'cost' in password hashing and was wondering what its for? in the doc it says by default the cost is 10 but higher is better (?) Edited May 20, 2014 by noobdood Quote Link to comment https://forums.phpfreaks.com/topic/288609-generate-unique-url-id/#findComment-1480130 Share on other sites More sharing options...
noobdood Posted May 20, 2014 Author Share Posted May 20, 2014 well, my questions are veering off course of the topic. so i will mark solved and open a new one for the other line of questioning. heh Quote Link to comment https://forums.phpfreaks.com/topic/288609-generate-unique-url-id/#findComment-1480131 Share on other sites More sharing options...
Jacques1 Posted May 20, 2014 Share Posted May 20, 2014 yeah im still reading up on that. whats 'ssis' in You really need to get familiar with the manual. The first parameter lists all data types of the bound values. “s” stands for “string”, “i” is for “integer”. If you don't wanna fumble with low-level stuff like this, consider using PDO instead of MySQLi. It's much more convenient. also there was a 'cost' in password hashing and was wondering what its for? in the doc it says by default the cost is 10 but higher is better (?) Yes, the higher the cost factor, the harder it is for an attacker to do a brute-force attack against the hashes. But of course a high cost factor will also slow down your own password-related procedures (registration, log-in and password reset). A common recommendation is that you choose a duration you think your users find acceptable, let's say one second. Then you increase the cost factor until you reach that duration on your current hardware. This is the cost factor you use. You can also have different cost factors for different user groups. For example, an administrator should have a higher cost factor than a standard user. Quote Link to comment https://forums.phpfreaks.com/topic/288609-generate-unique-url-id/#findComment-1480135 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.