
Is this secure user authentication?


kaz_64


i'm setting up a community website from scratch, i was wondering if this authentication method is secure or not.

the function names should be self-explanatory... but just in case...
userpassmatch($user, $pass) returns true if the user/pass match
getuid($uid) returns false if user doesn't exist or the user id (an integer) if the user exists

both these functions use mysql_escape_string() before checking records

here's how i use it, as you can see it only sets one session variable and one cookie, calling this value "logged".... if the user is not logged in this variable and cookie are set to 0.

on every page a script checks to make sure that the "logkey" as i call it is valid and not expired, it is only valid for 12 hours and every logkey in the database must be unique.



i was wondering if you see any flaws or possible security leaks in this code

this is my login script
[code=php:0]
// (branch of a larger if/elseif chain that is not shown in the post)
elseif (isset($_POST['submit']) && userpassmatch($_POST['username'], $_POST['password'])){
    $uid = getuid($_POST['username']);
    $h12 = time() + (60 * 60 * 12);   // expiry timestamp, 12 hours from now
    // the login key is an MD5 over expiry, uid, username and password
    $key = "$h12 $uid ".$_POST['username']." ".$_POST['password'];
    $logexpire = date('Y-m-d H:i:s', $h12);
    $logkey = bin2hex(md5($key, TRUE));   // raw digest re-encoded as 32 hex characters
    $ip = $_SERVER['REMOTE_ADDR'];

    //sql to login
    $query = "UPDATE users SET online='1', logkey='$logkey', logexpire='$logexpire', last_active=NOW(), last_ip='$ip' WHERE uid=$uid;";

    //update database
    $connection = mysql_pconnect("localhost", $mysql_user, $mysql_pass) or die ('Unable to connect to database.<br />Please try logging in again. If you continue to see this message, please email <a href=""></a>.');
    mysql_select_db("userdata") or die ('Unable to select database.<br />Please try logging in again. If you continue to see this message, please email <a href=""></a>.');
    $result = mysql_query($query) or die ('Unable to insert data into database.<br />Please try logging in again. If you continue to see this message, please email <a href="mailto:"></a>.');

    //set session and cookie
    setcookie("logged", $logkey, $h12, "/");
    $_SESSION['logged'] = $logkey;

    //show index.php
    include('index.php');
}
[/code]
Link to comment
Share on other sites

thanks for replying... may i ask how it is unsecure?

both of my functions that query the database with user input use mysql_escape_string() before they run any SQL, i'm sorry if i'm not catching on :-\


UPDATE:
i just tried an SQL injection attack; as predicted, my script said it was an invalid username or password
Link to comment
Share on other sites

You probably have magic_quotes_gpc turned on. You need to explore deeper into the world of sql injection. :)
(Edit: I misread about you using mysql_real_escape_string. Looks fine to me.)


Also, cookies can be easily edited. Don't rely on JUST cookies for anything.
Link to comment
Share on other sites

i rely on session as well..... i know it can be manipulated as well...  session is what i use primarily; the value is copied from the cookie only if session isn't set. also for the fact that a user might not allow cookies.

the only thing stored in a cookie/session for my site is either a zero or an MD5 hash... and here's how the hash is generated:
[code=php:0]
$h12 = time() + (60 * 60 * 12);
$key = "$h12 $uid ".$_POST['username']." ".$_POST['password'];
$logkey = bin2hex(md5($key, TRUE));
[/code]

so if someone can fake a hash for my site then they already have the username AND password in [u]unencrypted[/u] form and they would have to be able to write it to my database somehow for it to validate..... and if they could do all that.... then i'm pretty sure my site would be taking a huge dive :P

and if someone manages to get their hands on a genuine cookie of mine, they would have to use it within 12 hours or it'd expire.

p.s. i always turn off magic quotes, they're good in theory but take too much away from the developer... you should always have your code written to handle escape characters.
Link to comment
Share on other sites

just as a note... with your mysql update, you're not putting any data there from the browser that hasn't been md5'd so yes, that is secure. md5 removes any and all formatting, it really doesn't matter if you try to "inject" anything. you'd only get gibberish out.
Link to comment
Share on other sites
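
An added example, not code from any post in this thread: the same 12-hour "logkey" flow with the key taken from random_bytes() instead of being derived from the username and password, only its SHA-256 stored in the database, and every query run as a prepared statement. Column names follow the UPDATE in the first post; the function names issue_logkey() and check_logkey(), the integer expiry column and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.3+ with pdo_sqlite;
// issue_logkey() and check_logkey() are hypothetical names.
const LOGKEY_TTL = 60 * 60 * 12; // 12 hours, as in the thread

function issue_logkey(PDO $db, int $uid, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, unrelated to the password
    $stmt = $db->prepare(
        'UPDATE users SET logkey = :h, logexpire = :e, last_active = :n WHERE uid = :u'
    );
    $stmt->execute([
        ':h' => hash('sha256', $token), // only the hash is kept server-side
        ':e' => $now + LOGKEY_TTL,      // stored as a Unix timestamp here
        ':n' => $now,
        ':u' => $uid,
    ]);
    return $token;                      // this value goes into the cookie
}

function check_logkey(PDO $db, string $token, int $now): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;                    // edited cookie or the "0" placeholder
    }
    $stmt = $db->prepare('SELECT uid, logkey, logexpire FROM users WHERE logkey = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['logexpire'] < $now) {
        return null;                    // unknown or expired key
    }
    return hash_equals($row['logkey'], hash('sha256', $token)) ? (int)$row['uid'] : null;
}

// Constructed demo data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, logkey TEXT UNIQUE, logexpire INTEGER, last_active INTEGER)');
$db->exec('INSERT INTO users (uid) VALUES (7)');

$now   = time();
$token = issue_logkey($db, 7, $now);
// In a web response the token would be sent with:
// setcookie('logged', $token, ['expires' => $now + LOGKEY_TTL, 'path' => '/',
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
var_dump(check_logkey($db, $token, $now));                  // freshly issued key
var_dump(check_logkey($db, $token, $now + LOGKEY_TTL + 1)); // same key after expiry
var_dump(check_logkey($db, str_repeat('0', 64), $now));     // well-formed but never issued
```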
