
Problem with my secure login system.


DrewBurston


I'm having a problem with my login system. It's telling me my username and password are wrong when I know they are not.

Here is my

login.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
  <head>
    <meta charset="UTF-8">
    <title>Server 2 Server | Log in</title>
    <meta content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no' name='viewport'>
    <!-- Bootstrap 3.3.4 -->
    <link href="bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css" />
    <!-- Font Awesome Icons -->
    <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" type="text/css" />
    <!-- Theme style -->
    <link href="dist/css/AdminLTE.min.css" rel="stylesheet" type="text/css" />
    <!-- iCheck -->
    <link href="plugins/iCheck/square/blue.css" rel="stylesheet" type="text/css" />

    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
        <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
        <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
  </head>
  <body class="login-page">
    <div class="login-box">
      <div class="login-logo">
        <a href="../../index2.html"><b>Server</b>2SERVER</a>
      </div><!-- /.login-logo -->
      <div class="login-box-body">
        <p class="login-box-msg">Sign in to view the control panel</p>

		<?php
		if(!empty($_GET['msg']))
		{
			$msg = $_GET['msg'];  //GET the message
			if($msg!=''):
			echo '<p>'.htmlspecialchars($msg, ENT_QUOTES, 'UTF-8').'</p>'; // msg comes from the URL, so escape it before output
			endif;
		}
		?>
		
		<form action="check_login.php" method="post">
          <div class="form-group has-feedback">
            <input type="text" class="form-control" placeholder="Email" name="username" id="username"/>
            <span class="glyphicon glyphicon-envelope form-control-feedback"></span>
          </div>
          <div class="form-group has-feedback">
            <input type="password" class="form-control" placeholder="Password" name="password" id="password"/>
            <span class="glyphicon glyphicon-lock form-control-feedback"></span>
          </div>
          <div class="row">
            <div class="col-xs-8">                           
            </div><!-- /.col -->
            <div class="col-xs-4">
              <button type="submit" class="btn btn-primary btn-block btn-flat">Sign In</button>
            </div><!-- /.col -->
          </div>
        </form>
		
        <a href="#">I forgot my password</a><br>

      </div><!-- /.login-box-body -->
    </div><!-- /.login-box -->

    <!-- jQuery 2.1.4 -->
    <script src="../../plugins/jQuery/jQuery-2.1.4.min.js"></script>
    <!-- Bootstrap 3.3.2 JS -->
    <script src="../../bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
    <!-- iCheck -->
    <script src="../../plugins/iCheck/icheck.min.js" type="text/javascript"></script>
    <script>
      $(function () {
        $('input').iCheck({
          checkboxClass: 'icheckbox_square-blue',
          radioClass: 'iradio_square-blue',
          increaseArea: '20%' // optional
        });
      });
    </script>
  </body>
</html>

check_login.php

<?php
define('DOC_ROOT',dirname(__FILE__)); // To properly get the config.php file (constant name must be a quoted string)
$username = $_POST['username']; //Set UserName
$password = $_POST['password']; //Set Password
$msg ='';
if(isset($username, $password)) {
    ob_start();
    include(DOC_ROOT.'/config.php'); //Initiate the MySQL connection
    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($username);
    $mypassword = stripslashes($password);
    $myusername = mysqli_real_escape_string($dbC, $myusername);
    $mypassword = mysqli_real_escape_string($dbC, $mypassword);
    $sql="SELECT * FROM login_admin WHERE user_name='$myusername' and user_pass=SHA('$mypassword')";
    $result=mysqli_query($dbC, $sql);
    // Mysql_num_row is counting table row
    $count=mysqli_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1){
        // Register $myusername, $mypassword and redirect to file "dashboard.php"
        session_register("admin");
        session_register("password");
        $_SESSION['name']= $myusername;
        header("location:dashboard.php");
    }
    else {
        $msg = "Wrong Username or Password. Please retry";
        header("location:login.php?msg=$msg");
    }
    ob_end_flush();
}
else {
    header("location:login.php?msg=Please enter a username and password");
}
?>

It just keeps telling me my password and user are incorrect :( Please help.

Edited by DrewBurston
Link to comment

$count=mysqli_num_rows($result);
What is the value of $count?

 

Are you getting a query error? Check with:

$result=mysqli_query($dbC, $sql) or die(mysqli_error($dbC));
Also, you're not storing your passwords securely. You should be using a secure hashing algorithm with salts. PHP has a new function for it on version 5.5. If you don't have PHP5.5, there is a backwards compatible library that is good as well.

Edited by scootstah
  • Like 1
Link to comment

$count=mysqli_num_rows($result);
What is the value of $count?

 

Are you getting a query error? Check with:

$result=mysqli_query($dbC, $sql) or die(mysqli_error($dbC));
Also, you're not storing your passwords securely. You should be using a secure hashing algorithm with salts. PHP has a new function for it on version 5.5. If you don't have PHP5.5, there is a backwards compatible library that is good as well.

 

 

// Mysql_num_row is counting table row

$count=mysqli_num_rows($result);

 

that's where I get the value for $count

 

I store passwords with SHA() encryption.

Link to comment

Are you getting a query error? Check with:

$result=mysqli_query($dbC, $sql) or die(mysqli_error($dbC));

 

Did you try running the error code suggested above? I have a feeling that the query is failing because the hashed password isn't surrounded by single quotes. Also, I'm fairly certain you can't run a PHP function inside a string.

 

Try changing this

$sql="SELECT * FROM login_admin WHERE user_name='$myusername' and user_pass=SHA('$mypassword')";

To this

// sha1() is the PHP counterpart of MySQL's SHA(); PHP itself has no SHA() function
$sql="SELECT * FROM login_admin WHERE user_name='$myusername' and user_pass='" . sha1($mypassword) . "'";
Link to comment

Well, the first mistake I look for in people's code is if they use isset($_POST['']); to check for form submission. I don't get why people think this is actually secure. If you don't actually have that specific HTML element in your code base, your "isset($_POST['']);" will fail despite how secure your actual code base is. If someone is smart enough, they can actually test to see how horribly put together your code is by just entering random junk data using your website. It's kind of like a beta tester for games, they test to see what works and what doesn't, what breaks and what doesn't. If you don't have volunteer debuggers or have any knowledge in the PHP programming, it is recommended that you should search what is the best practice before actually copy&paste codes off the internet and seeing if they work or not.

 

I know that I may sound pretty rude, but I see this stuff so many times, I feel like all these new PHP users aren't actually looking at the codes they copy&paste.

 

The second thing I see a lot in people's PHP codes is stripping or escaping the user's password. I can't........ I just can't.......

If you modify someone's password, you limit the possibility of how secure it actually is. If I came across a website that didn't let me choose special characters as my passwords, I would probably delete my account on there and write a review on how bad their code base is.

 

Let's say your user inputs

Php/freak+sistheb,est!@#$^*~(~`\

Your whole "escape_string($_POST['password'])" fails entirely. It will turn a secure as booty password such as the above to something like this.

Phpfreaksisthebest

How secure is this? If you haven't heard of the rainbow table, you should really look into it. It will make you want to change your way of importing and exporting data. You should also look into brute force. Save you some time on how secure someone's password really is. Someone once said to me:

 

 

SQL Injection doesn't come from user inputs. It comes from bad code.

 

And I wonder why SQL Injections exists.

Edited by JenniferLawrence
Link to comment

To be honest I don't think it sounds rude. When it comes to security, sometimes you need to be blunt and to the point.

 

Thanks for the response, I'll look into different encryptions and I'll prob go with md5 as I've used it in the past. This is for an admin panel of a website I'm building from scratch. I've used PHP for years but never actually built from the ground up.

 

So your post has been very helpful to me. I will completely rebuild the login check page upon recommendation.

 

Any tips on where to start would be greatly appreciated.

Link to comment

No, don't use md5 either, that is just as bad as using SHA1.

 

It is recommended to use what scootstah suggested earlier, in reply #2.

 

Also when using sessions, do not use the session_register functions, they are deprecated. When adding values to the session just define a new $_SESSION variable (making sure you have called session_start beforehand).

  • Like 1
Link to comment

Well, the first mistake I look for in people's code is if they use isset($_POST['']); to check for form submission. I don't get why people think this is actually secure.

There's nothing wrong with this approach for checking for a form submission. Why do you think it is not secure?

Link to comment

similarly -
 

Your whole "escape_string($_POST['password'])" fails entirely. It will turn a secure as booty password such as the above to something like this.

no it won't. applying an escape string function to the password doesn't strip out any characters and therefore doesn't affect the security of the value in any way.

 

in the OP's code it would be necessary to escape the password value, since the hashing location (which is also not recommended, in addition to hash method) is in the sql query statement.

Link to comment

since the hashing location (which is also not recommended, in addition to hash method) is in the sql query statement.

For those interested, using the hash algorithm in the query like that means that your server is going to be storing plaintext passwords in log files. Not good.

 

Also, after looking at OP's code again,

 

Let's say your user inputs

Php/freak+sistheb,est!@#$^*~(~`\
Your whole "escape_string($_POST['password'])" fails entirely. It will turn a secure as booty password such as the above to something like this.

Phpfreaksisthebest

 

wat

 

That function escapes unsafe characters, it doesn't remove them outright. Given your example input, this would be the output:

Php/freak+sistheb,est!@#$^*~(~`\\
As far as entropy goes, it's exactly the same.

 

If you're going to go off in a condescending way, at least know what you're talking about. ;)

 

EDIT: Formatting. Post went wonky.

Edited by scootstah
Link to comment
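
The advice given across this thread (hash in PHP with the password API instead of SHA() inside the query, stop escaping the password, assign to $_SESSION instead of calling session_register) combined into one login check. This is an added example, not code posted by anyone in the thread; it assumes config.php still provides the mysqli connection $dbC and that login_admin.user_pass has been widened (e.g. VARCHAR(255)) to hold password_hash() output.

```php
<?php
// Added example: a rewrite of check_login.php, not the original poster's code.
// Assumes config.php sets up the mysqli connection $dbC (as on the page) and that
// login_admin.user_pass stores password_hash() output rather than SHA() digests.
session_start();
require __DIR__ . '/config.php';

function redirect_with_msg($msg) {
    header('Location: login.php?msg=' . urlencode($msg));
    exit;
}

$username = isset($_POST['username']) ? trim($_POST['username']) : '';
$password = isset($_POST['password']) ? $_POST['password'] : ''; // never escaped or altered
if ($username === '' || $password === '') {
    redirect_with_msg('Please enter a username and password');
}

// Only the username is sent to MySQL, as a bound parameter. The plaintext
// password never appears in SQL text, so it cannot land in query logs.
$stmt = mysqli_prepare($dbC, 'SELECT user_pass FROM login_admin WHERE user_name = ?');
if ($stmt === false) {
    error_log('login query failed: ' . mysqli_error($dbC)); // log it, do not die() to the browser
    redirect_with_msg('Login is temporarily unavailable');
}
mysqli_stmt_bind_param($stmt, 's', $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $storedHash);
$found = mysqli_stmt_fetch($stmt) === true;
mysqli_stmt_close($stmt);

// password_verify() reads algorithm, cost and salt from the stored hash
// and compares in constant time.
if (!$found || !password_verify($password, $storedHash)) {
    redirect_with_msg('Wrong Username or Password. Please retry');
}

// Upgrade the stored hash when PHP's default algorithm or cost has moved on.
if (password_needs_rehash($storedHash, PASSWORD_DEFAULT) && ($up = mysqli_prepare($dbC, 'UPDATE login_admin SET user_pass = ? WHERE user_name = ?'))) {
    $newHash = password_hash($password, PASSWORD_DEFAULT);
    mysqli_stmt_bind_param($up, 'ss', $newHash, $username);
    mysqli_stmt_execute($up);
}

session_regenerate_id(true);   // fresh session ID after login, against session fixation
$_SESSION['name'] = $username; // plain $_SESSION assignment, no session_register()
header('Location: dashboard.php');
exit;
```

Existing SHA() values cannot be converted in place; those accounts need a password reset or a one-time re-hash at their next successful login.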