gevans Posted March 31, 2007 Hey guys, I've recently started writing bigger scripts using PHP and MySQL with log-ins etc... I just need to know the best way to check the security of the pages. When I write log-ins I compare username and password to the MySQL database, then create cookies. Then each page starts with an include. The page is a check to confirm that the cookies have been set, then confirm that the username and password are the correct ones with relation to each other. If this is all good it returns true. Following this there's an if statement, if ($check == "true"){ the site shows, } else{ $log_error; die(); } Is this secure enough, are there ways round this, or better ways of doing it? Link to comment https://forums.phpfreaks.com/topic/45047-php-security/
spamoom Posted March 31, 2007 Well, if you're verifying the username & password only once it ain't that secure, as someone could change cookies on their local copy and gain access. I'm always happy with using sessions as they are on the server.
Heero Posted March 31, 2007 And cookies can be turned off by the client, which efficiently makes it impossible to stay logged in since the cookie would never exist. What spamoom said about sessions is probably your best bet, but you'll have to check that sessions are enabled (which they should be by default anyways). When using sessions always remember to have session_start() at the top of each page that uses the session, or else you won't be able to call any session variables. People always forget this.
neel_basu Posted April 1, 2007 Use this: if ($check) not if ($check == "true")
gevans Posted April 1, 2007 Author Cheers guys. Heero, that seems like the most reasonable option. If I'm making an admin with set username/passwords for myself or businesses, the public wouldn't have access so cookies would be safe enough. But for public sites with open registering I think I'll have to learn about sessions.
Daniel0 Posted April 1, 2007 Note that "true" is a string whereas true is a boolean. Your code snippet may result in unexpected behavior. Whether your code is secure depends on what rules you have for setting it to true.
gevans Posted April 2, 2007 Author I understand that I'm setting check to "true" as a string rather than a boolean value, but that makes no difference to the security as it's only set under the following circumstances:

<?php
include("config.php");   // presumably supplies $mysqluser, $mysqlpass and $login_fail
$check = "";
// Username and plaintext password are read from client-controlled cookies.
$username = $_COOKIE['username'];
$pass = $_COOKIE['userpass'];
$pass2 = md5($pass);
$con = mysql_connect("mysql", "$mysqluser", "$mysqlpass");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("pcoffee_contact", $con);
// The cookie value is interpolated straight into the SQL string.
$result = mysql_query("SELECT * FROM admin WHERE username='$username'");
$test = mysql_fetch_array($result);
$test_pass = $test['password'];
// The stored value is compared against an unsalted md5 of the cookie password.
if ($test_pass != $pass2) {
    echo $login_fail;
    die();
} else {
    $check = "true";
}
?>
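The session-based approach spamoom and Heero recommend, written out as an added example (this is not code from the thread). It does the three things the posted cookie check does not: the credential check happens once at login, the username goes into the query as a bound parameter rather than being pasted into the SQL string, and the password is stored with password_hash() instead of md5(). After login every page only inspects $_SESSION, which lives on the server; the client holds nothing but a session id. It assumes PDO with the sqlite driver and PHP 7.3 or later (for the array form of session_set_cookie_params), and builds an in-memory database with one constructed account so it runs from the CLI without a MySQL server.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumes PDO + pdo_sqlite and PHP >= 7.3.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL)');
    // Constructed sample account; in a real app this comes from registration.
    $db->prepare('INSERT INTO admin (username, password_hash) VALUES (?, ?)')
       ->execute(['gevans', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// Start (or resume) the session with cookie flags that keep the id away from
// page scripts and cross-site requests. Under the CLI there are no cookies,
// so a plain array stands in for $_SESSION.
function start_session(): void
{
    if (PHP_SAPI === 'cli') {
        if (!isset($_SESSION)) {
            $_SESSION = [];
        }
        return;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
        session_start();
    }
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM admin WHERE username = ?');
    $stmt->execute([$username]);          // bound value: a quote in $username is just data
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so the response
    // time does not reveal which usernames exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $hash = ($row === false) ? $dummy : $row['password_hash'];
    $ok = password_verify($password, $hash);
    if ($row === false || !$ok) {
        return false;
    }

    if (PHP_SAPI !== 'cli') {
        session_regenerate_id(true);      // fresh id after login defeats session fixation
    }
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['username'] = $username;
    return true;
}

function current_user(): ?string
{
    return isset($_SESSION['user_id']) ? (string) $_SESSION['username'] : null;
}

// The equivalent of the per-page include: nothing from the client is trusted,
// only the server-side session record.
function require_login(): void
{
    start_session();
    if (current_user() === null) {
        http_response_code(403);
        exit('login required');
    }
}

function logout(): void
{
    $_SESSION = [];
    if (PHP_SAPI !== 'cli') {
        session_destroy();
    }
}

if (PHP_SAPI === 'cli') {
    $db = open_db();
    start_session();
    // An injection-style username fails because the statement is parameterised.
    var_dump(login($db, "gevans' OR '1'='1", 'anything'));
    var_dump(login($db, 'gevans', 'wrong password'));
    var_dump(login($db, 'gevans', 'correct horse battery staple'));
    var_dump(current_user());
    logout();
    var_dump(current_user());
}
```

In a web deployment the functions above would sit in the include, with require_login() called at the top of each protected page in place of the $check comparison; because the page never re-reads a password from the client, there is no per-request credential to tamper with, and the boolean-versus-string question from the thread goes away since current_user() returns either a username or null.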
True`Logic Posted April 2, 2007 It's easier to use sessions. Hold the pass file in $username.php, like:

<?php ¶md5($pass)¶?>¶

(replacing md5($pass) with the md5 of their password.) Then in the login:

<?php
function login($usr, $pass)
{
    // Read the per-user file; the username becomes part of the path.
    $str = file_get_contents("/path/to/user/file/$usr.php");
    // Split on the ¶ delimiter (explode takes the delimiter first); index 1 is the stored md5.
    $parts = explode("¶", $str, -1);
    $pass1 = $parts[1];
    if (md5($pass) == $pass1) {
        return TRUE;
    } else {
        return FALSE;
    }
}

That was a quick typeup because I'm late for class. It seems simple enough where to put in the session info. Gotta go, hope this helped somewhat.
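An added example (not True`Logic's code) of the same one-file-per-user layout with the parts a practitioner would want tightened: the username is checked against a strict pattern before it is used to build a path, since in the posted function it goes straight into the file name; the file holds a password_hash() value rather than an md5; and the store directory is assumed to live outside the web root so the files are never served as PHP. The directory name, the .pw suffix and the sample accounts are assumptions for the demo, which runs from the CLI using a temporary directory.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Store directory assumed outside the web root.

const USERNAME_PATTERN = '/\A[A-Za-z0-9_]{1,32}\z/';

// Map a username to its file, refusing anything that could alter the path
// (slashes, dots, empty or overlong names) before the filesystem is touched.
function user_file(string $dir, string $usr): string
{
    if (preg_match(USERNAME_PATTERN, $usr) !== 1) {
        throw new InvalidArgumentException('invalid username');
    }
    return $dir . DIRECTORY_SEPARATOR . $usr . '.pw';
}

function register(string $dir, string $usr, string $pass): void
{
    $path = user_file($dir, $usr);
    if (file_exists($path)) {
        throw new RuntimeException('user already exists');
    }
    // One line per file: a salted, iterated hash produced by password_hash().
    file_put_contents($path, password_hash($pass, PASSWORD_DEFAULT) . "\n", LOCK_EX);
    chmod($path, 0600);
}

function login(string $dir, string $usr, string $pass): bool
{
    try {
        $path = user_file($dir, $usr);
    } catch (InvalidArgumentException $e) {
        return false;                     // malformed name never reaches the filesystem
    }
    if (!is_file($path)) {
        return false;                     // unknown user
    }
    $stored = rtrim((string) file_get_contents($path), "\n");
    return password_verify($pass, $stored);
}

if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pwstore_' . getmypid();
    mkdir($dir, 0700);
    register($dir, 'alice', 'hunter2');                  // constructed sample account
    var_dump(login($dir, 'alice', 'hunter2'));
    var_dump(login($dir, 'alice', 'not-the-password'));
    var_dump(login($dir, 'bob', 'hunter2'));             // no such file
    var_dump(login($dir, '../../etc/passwd', 'x'));      // rejected by user_file()
    array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*.pw'));
    rmdir($dir);
}
```

Once login() returns true the caller would set $_SESSION as in the session approach discussed earlier in the thread; the flat-file store only replaces the database lookup, not the per-page check.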