Is My Script Secure

Apix
Forum Newbie
Posts: 8
Joined: Mon Jul 15, 2002 1:30 am

Post by Apix »

I have written this script to validate people wanting to look at the members only pages. I was just wondering if there was some sort of obvious security risk that I have overlooked.

Please tell me any bad sides to my script as I want to get it right before I start using it.

Thanks in advance

Code:

<?php include('header.php'); ?>

<?php
//start the session
session_start();

//Encrypting the password so it's ready to be compared with the encrypted password stored in the database
$encryptedpassword = md5($password);

// Connecting, selecting database
$dbconn = mysql_connect("localhost", "user", "password") or die("Could not connect to MySQL Server");
mysql_select_db("work") or die("Could not select MySQL database");

//query the user and pass
$sql = "SELECT user_id FROM members WHERE username='$username' && password='$encryptedpassword'";
$result = mysql_query($sql) or die("Query Failed at user checking stage". mysql_error());

//if they have entered the correct user and pass register the session variables
if (mysql_num_rows($result) > 0)
{
    $valid_user = $username;
    session_register("valid_user");
    echo "You Have Been Validated. <a href=\"next.php\">Click Here To Continue</a>";
} else {
    //else give them an error
    echo "You either entered the wrong username / password combination or you are not a valid user\n <a href=\"membership.php\">Click Here To Go Back</a>";
}
?>

<?php include('footer.php'); ?>

nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

You probably won't get anyone to tell you it's 100% secure. However, I can spot three, maybe four, things to consider.

First, both username and password should be explicitly assigned from the HTTP_GET_VARS/HTTP_POST_VARS (or short forms in PHP 4.1 or greater). Don't rely on register_globals, don't rely on the GPC over-write order.

Second, username should be sanitized. I'm a PostgreSQL user, but I suspect MySQL will also react badly to single quotes in the username, unless you have magic_quotes on. Characters to be wary of are single quotes and semi-colons.

Third, is the user you are connecting to the database as the database owner? If so you should change that and connect as some web-user that has the minimum privileges required. Most importantly, the web-user should not be able to issue delete queries against the members table. I commonly have three web-user accounts per application, one for unauthenticated access, one for authenticated access and one for admin level access. This does mean I take a performance hit on login as it typically has to do two database connections, but that's only one time per user per visit.

Fourth, make sure on the later pages that you make sure $valid_user is set from the _SESSION array and not the GET array, otherwise a user could easily bypass the login process.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

I had one problem with my User Authenticated. If someone tries to log on with empty username and password the system accepted them... LOL
But yours won't since you have the

Code:

if (mysql_num_rows($result) > 0)

I also recommend using $_POST, $_SESSION, $_GET or $HTTP_GET_VARS, $HTTP_POST_VARS.

You can use a regular expression so that the special characters are not in the username. Or another way is to use the "addslashes()" function.

P.S. There is no way that the script can be ***100%*** secure...
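
The points from nielsene's reply and Takuma's empty-login and regular-expression suggestions, combined in one login check. This is an added example, not code posted in the thread: it assumes PHP 7.1+ with PDO and the pdo_sqlite driver, the function name check_login is hypothetical, and a prepared statement is used in place of the addslashes()/magic_quotes escaping the replies mention.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite table stands
// in for the MySQL `members` table; the row and requests are constructed.

function check_login(PDO $db, array $post): ?string
{
    // Read credentials explicitly from the POST array, never from globals.
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';

    // Reject non-string or empty input, then allow-list the username.
    if (!is_string($username) || !is_string($password) || $password === '') {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $username)) {
        return null;
    }

    // Bound parameters: quotes and semicolons cannot change the query.
    // md5() is kept only because the thread's table stores md5 hashes;
    // password_hash()/password_verify() is PHP's current password API.
    $stmt = $db->prepare(
        'SELECT username FROM members WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => md5($password)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The caller stores this in $_SESSION['valid_user']; later pages must
    // read it from $_SESSION only, never from $_GET.
    return $row ? $row['username'] : null;
}

// In production this would be a MySQL account limited to SELECT on members.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->prepare('INSERT INTO members (username, password) VALUES (?, ?)')
   ->execute(['alice', md5('correct horse')]);

// Constructed requests: valid login, quote and semicolon, empty credentials.
$requests = [
    ['username' => 'alice', 'password' => 'correct horse'],
    ['username' => "alice';", 'password' => 'x'],
    ['username' => '', 'password' => ''],
];
foreach ($requests as $post) {
    var_dump(check_login($db, $post));
}
```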