PHP security

[gevans]

Hey guys,

 

I've recently started writing bigger scripts using PHP and MYSQL with log ins etc...

I just need to know the best way to check security of the pages. When I write log-ins I compare username and password to the mysql database, then create cookies. Then each page starts with an include. The page is a check to confirm that the cookies have been set, then confirm that the username and password are the correct ones with relation to each other.

 

If this is all good it returns true. Following this there's an if statemtent,

 

if ($check == "true"){

the site shows,

}

else{

$log_error;

die();

}

 

Is this secure enough, is there ways round this, or better ways of doing it?

 

[spamoom]

Well, if you verifying the username & password only once it ain't that secure. As someone could change cookies on their local copy and gain access. I'm always happy with using sessions as they are on the server.

[Heero]

And cookies can be turned off by the client which efficiently makes it impossible to stay logged in since the cookie would never exist.  What spamoom said about sessions is probably your best bet, but you'll have to check that sessions are enabled (which they should be by default anyways). 

 

When using sessions always remember to have the session_start() at the top of each page that uses the session or else you won't be able to call any session variables.  People always forget this.

[neel_basu]

Use This

if ($check)

Not

if ($check == "true")

[gevans]

cheers guy, Heero that seems like the most reasonable option. If I'm making an admin with set username/passwords for myself or businesses the public wouldn't have access so cookies would be safe enough. But for public sites with open registering I think I'll have to learn about sessions

[Daniel0]

Note that "true"[tt] is a string whereas [tt]true is a boolean. Your code snippet may result in unexpected behavior. Whether your code is secure depends what rules you have for setting it to true.

[gevans]

I understand that I'm setting check to "true" as a string rather than a boolean value, but that makes no difference in the security as it's only set under the following circumstances;

 

<?php
  include("config.php");
  $check = "";
  $username = $_COOKIE['username'];
  $pass = $_COOKIE['userpass'];
  $pass2 = md5($pass);
  $con = mysql_connect("mysql","$mysqluser","$mysqlpass");
  if (!$con)
    {
    die('Could not connect: ' . mysql_error());
    }

  mysql_select_db("pcoffee_contact", $con);


  $result = mysql_query("SELECT * FROM admin WHERE username='$username'");

  $test = mysql_fetch_array($result);
  $test_pass = $test['password'];
  if ($test_pass != $pass2){
    echo $login_fail;
    die();
  }
  else{
    $check = "true";
  }
?>

[True`Logic]

its easier to use sessions.. hold the pass file in $username.php..  like:

 

<?php ¶md5($pass)¶?>¶

 

(replacing md5($pass) with md5 of their password..)

 

then in the login

 

function login($usr, $pass) {

$str = file_get_contents("/path/to/user/file/$usr.php");

$str2 = explode($str, "¶", -1);

$pass1 = $str[1];

if(md5($pass)== $pass1) { return TRUE; }

else { return FALSE; }

}

 

that was a quick typeup cause im late for class.. it seems pretty simple enough where to put in the session info... gotta go, hope this helped somewhat