FIND MY SECURITY HOLE... I GIVE YOU A NICKEL

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

ronjon
Forum Newbie
Posts: 7
Joined: Fri Jul 09, 2004 8:46 pm

FIND MY SECURITY HOLE... I GIVE YOU A NICKEL

Post by ronjon »

Find My Security Hole... I Give You A Nickel
HELLO ALL.

PROFESSIONALS... I NEED YOUR HELP.

I HAVE RECENTLY GOT A JOB AT A DECENT PLACE THAT HIRED ME TO ADMIN THEIR NETWORK...AND... CODING A DYNAMIC WEBSITE WITH PHP AND MYSQL. WELL... IM A NEWBIE...IVE ONLY BEEN LOOKING AT MYSQL AND PHP FOR A WEEK. ANYHOW.. IVE BEEN CODING SOME STUFF FOR OUR WEBSITE. RIGHT NOW .. IM ONLY AT THE USER AUTHENTICATION PART. GIVEN THAT IM AN EXTREME NEWBIE... I DONT KNOW SECURITY...AT ALL ACTUALLY.

SO... FOR YOU PROFESSIONALS OUT THERE... I KNOW YOU ALL KNOW WHAT THINGS TO LOOK FOR WHEN IT COMES TO DEVELOPING DYNAMIC PAGES FOR WEBSITES THAT NEED TO BE PRETTY SECURE. PLEASE LOOK AT MY CODE AND TELL ME IF THIS IS WORTHY OF BEING PUT UP AS A CORPORATE WEBSITE (CODE WISE... I'VE YET TO START CONSIDERING HARDWARE SECURITY AND ALL THAT.) PLEASE HELP...ALL THIS CODE IVE PUT TOGETHER IS FROM TEXT BOOKS AND ONLINE HELP...I HAVE GOT ONLY ABOUT 2 SEMESTERS OF PROGRAMMING COURSEWORK UNDER MY BELT...SO IM REALLY WARY OF PUTTING ANYTHING UP THAT HASNT BEEN CRITIQUED BY A SEASONED PROFESSIONAL.

ANY INPUT WOULD BE REALLY HELPFUL.
THANK YOU ALL SO MUCH.

HERE IT GOES.

GATEWAY.PHP is the page that receives user input
AUTHENTICATION.PHP is the php page that verifies user input with the database.



//GATEWAY.PHP

<html>

<body
<br /><br />
<p> my company name</p>

<form action = "AUTHENTICATION.PHP" method=post>
<input type="text" name="username">
USERNAME
<br>
<input type="text" name="password">
PASSWORD<br>
<input type="image" src="login.gif">
</form>

</body>
</html>









//AUTHENTICATION.PHP
<?
echo "MYCOMPANY INC. User Authentication routine.<br /><br />";

//RETRIEVING VARS FROM GATEWAY.PHP VIA POST
$username =$_POST['username'];
$password = $_POST['password'];


//CONNECTING TO DATABASE
$link = mysql_connect ('localhost', 'spinsykel', 'spinsykel');
if ($link)
{
echo "error: could not connect to database <br /><br />";
exit;
}

//RETRIEVING DATA FROM DATABASE
mysql_select_db('users');
$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'";
$result = mysql_query($sql) or die (mysql_error());

//IF FINDS NO MATCHING PASSWORD AND USERNAME
if (mysql_num_rows($result) == 0)
{
echo "INVALID USERNAME AND/OR PASSWORD.
PLEASE CLICK BACK ON YOUR BROWSER AND
ENTER A VALID USERNAME AND PASSWORD.
THANK YOU.";
}


//IF FINDS NO MATCHING PASSWORD AND USERNAME
if (mysql_num_rows($result) ==1)
{
$row = mysql_fetch_array($result);
list(,$lastname) + each ($row);
echo 'RECORD FOUND! <br /><br />';
$username = ucfirst ($username);
$lastname = ucfirst ($lastname);
echo "$lastname, $username;
$found =1;
}

//IF FINDS MORE THAN ONE MATCHING PASSWORD AND USERNAME (BIG TROUBLE!)
if (mysql_num_rows($result) > 1)
{
echo "WE ARE HAVING TECHNICAL DIFFICULTIES AND
ARE UNABLE TO RETRIEVE YOUR USER INFORMATION AT
THIS TIME. PLEASE COME BACK AT A LATER TIME.
THANK YOU - INFORMATION SYSTEMS DEPRTMENT";
}

?>
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

you really need to use php tags to enclose your code

much easier to read and much easier for us to help you
ronjon
Forum Newbie
Posts: 7
Joined: Fri Jul 09, 2004 8:46 pm

forgive me for being such a newbie

Post by ronjon »

i was under the impression that <? ?> were php tags... i didnt know that there are additional tags i could use to help my code be readable

i did put the "//" comments though..

i would love to use the php tags you are talking about though if it would help my code be more readable...

would you care to show me the php tags you are talking about?
if you do... id add it and report my code.

sincerely,
ron.
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

BBcode tags this forum offers

echo "HI";

compared to

Code:

<?php
echo "HI";
?>
before your code, add a [ php ] w/o the spaces before/after the bracket, add a [ /php ] (again w/o spaces)

makes it so much easier to read. Your code seems secure, do you use any cookies and/or sessions?
ronjon
Forum Newbie
Posts: 7
Joined: Fri Jul 09, 2004 8:46 pm

Post by ronjon »

Find My Security Hole... I Give You A Nickel
HELLO ALL.

PROFESSIONALS... I NEED YOUR HELP.

I HAVE RECENTLY GOT A JOB AT A DECENT PLACE THAT HIRED ME TO ADMIN THEIR NETWORK...AND... CODING A DYNAMIC WEBSITE WITH PHP AND MYSQL. WELL... IM A NEWBIE...IVE ONLY BEEN LOOKING AT MYSQL AND PHP FOR A WEEK. ANYHOW.. IVE BEEN CODING SOME STUFF FOR OUR WEBSITE. RIGHT NOW .. IM ONLY AT THE USER AUTHENTICATION PART. GIVEN THAT IM AN EXTREME NEWBIE... I DONT KNOW SECURITY...AT ALL ACTUALLY.

SO... FOR YOU PROFESSIONALS OUT THERE... I KNOW YOU ALL KNOW WHAT THINGS TO LOOK FOR WHEN IT COMES TO DEVELOPING DYNAMIC PAGES FOR WEBSITES THAT NEED TO BE PRETTY SECURE. PLEASE LOOK AT MY CODE AND TELL ME IF THIS IS WORTHY OF BEING PUT UP AS A CORPORATE WEBSITE (CODE WISE... I'VE YET TO START CONSIDERING HARDWARE SECURITY AND ALL THAT.) PLEASE HELP...ALL THIS CODE IVE PUT TOGETHER IS FROM TEXT BOOKS AND ONLINE HELP...I HAVE GOT ONLY ABOUT 2 SEMESTERS OF PROGRAMMING COURSEWORK UNDER MY BELT...SO IM REALLY WARY OF PUTTING ANYTHING UP THAT HASNT BEEN CRITIQUED BY A SEASONED PROFESSIONAL.

ANY INPUT WOULD BE REALLY HELPFUL.
THANK YOU ALL SO MUCH.

HERE IT GOES.

GATEWAY.PHP is the page that receives user input
AUTHENTICATION.PHP is the php page that verifies user input with the database.

Code:

<?
//GATEWAY.PHP 

<html> 

<body 
<br /><br /> 
<p> my company name</p> 

<form action = "AUTHENTICATION.PHP" method=post> 
<input type="text" name="username"> 
USERNAME 
<br> 
<input type="password" name="password"> 
PASSWORD<br> 
<input type="image" src="login.gif"> 
</form> 

</body> 
</html> 
?>








//AUTHENTICATION.PHP 
<? 
echo "MYCOMPANY INC. User Authentication routine.<br /><br />"; 

//RETRIEVING VARS FROM GATEWAY.PHP VIA POST 
$username =$_POST['username']; 
$password = $_POST['password']; 


//CONNECTING TO DATABASE 
$link = mysql_connect ('localhost', 'spinsykel', 'spinsykel'); 
if (!$link) 
{ 
echo "error: could not connect to database <br /><br />"; 
exit; 
} 

//RETRIEVING DATA FROM DATABASE 
mysql_select_db('users'); 
$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'"; 
$result = mysql_query($sql) or die (mysql_error()); 

//IF FINDS NO MATCHING PASSWORD AND USERNAME 
if (mysql_num_rows($result) == 0) 
{ 
echo "INVALID USERNAME AND/OR PASSWORD. 
PLEASE CLICK BACK ON YOUR BROWSER AND 
ENTER A VALID USERNAME AND PASSWORD. 
THANK YOU."; 
} 


//IF FINDS NO MATCHING PASSWORD AND USERNAME 
if (mysql_num_rows($result) ==1) 
{ 
$row = mysql_fetch_array($result); 
list(,$lastname) + each ($row); 
echo 'RECORD FOUND! <br /><br />'; 
$username = ucfirst ($username); 
$lastname = ucfirst ($lastname); 
echo "$lastname, $username; 
$found =1"; 
} 

//IF FINDS MORE THAN ONE MATCHING PASSWORD AND USERNAME (BIG TROUBLE!) 
if (mysql_num_rows($result) > 1) 
{ 
echo "WE ARE HAVING TECHNICAL DIFFICULTIES AND 
ARE UNABLE TO RETRIEVE YOUR USER INFORMATION AT 
THIS TIME. PLEASE COME BACK AT A LATER TIME. 
THANK YOU - INFORMATION SYSTEMS DEPRTMENT"; 
} 

?>
Last edited by ronjon on Sat Jul 10, 2004 1:04 pm, edited 3 times in total.
ronjon
Forum Newbie
Posts: 7
Joined: Fri Jul 09, 2004 8:46 pm

yes i do intend to use sessions.

Post by ronjon »

i have not incorporated it as of yet... but i will. i dont intend to use cookies...just sessions.. ive been given the impression that sessions are the way to go.

do you have any additional input regarding using sessions?

thank you sir.

-ron
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I seriously don't appreciate the capslock usage in your posts ronjon.
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

ronjon wrote:PLEASE LOOK AT MY CODE AND TELL ME IF THIS IS WORTHY OF BEING PUT UP AS A CORPORATE WEBSITE
No it is not.
ronjon
Forum Newbie
Posts: 7
Joined: Fri Jul 09, 2004 8:46 pm

thanks for the replies

Post by ronjon »

feyd... sorry about the caps lock. i didnt think people actually thought of it as a big deal... but ok. ill keep from using it.

redmonkey...
thanks for the comment...although.. can you tell me anything about why its not worthy? you dont have to go into detail... but, can you give me some idea as to what i should look up on the net that i could incorporate to make the code more enterprise worthy? please?

thank you all.
-ron
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

-indentation.
-check POST values for xss.
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

Split it into more manageable chunks so it can be re-used....is this the only page where you connect to the database?
PrObLeM
Forum Contributor
Posts: 418
Joined: Sun Mar 07, 2004 2:30 pm
Location: Mesa, AZ

Post by PrObLeM »

i would like 2 say 2 things ...
1. you do like your caps dont you
2. i hope spinsykel isnt your password....

Code:

mysql_connect ('localhost', 'spinsykel', 'spinsykel');
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

Code:

<input type="text" name="password">
I must admit, it has been a while since I have seen this level of schoolboy error. Using type 'text' for your password box means that anyone lurking around (or even walking past) the user as they log on will be able to see their password in plain text.

Code:

$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'";
Try googling for 'SQL Injection' for this one.

Code:

$result = mysql_query($sql) or die (mysql_error());
While mysql_error may give useful error messages when developing/debugging it can give away too much information on a production site.

Code:

//CONNECTING TO DATABASE
$link = mysql_connect ('localhost', 'spinsykel', 'spinsykel');
if ($link)
{
echo "error: could not connect to database <br /><br />";
exit;
}
Have you tested this script? That piece of code should throw an error on successfully connecting to the database???

While I appreciate that you have minimal experience with PHP this is nowhere near the level of acceptance for a corporate site.

You will also have a (at least one) parse error within your code, you are missing a closing quote on one of your echos.
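To make the points raised in this thread concrete (the injectable query, the leaked mysql_error output, and the unescaped POST values kettle_drum mentioned), here is an added hardened version of AUTHENTICATION.PHP. It is example code written for this review, not ronjon's script or the forum's; it assumes a users table with columns firstname, lastname and password_hash (a password_hash() output rather than a plaintext password), and database credentials supplied through the DB_USER and DB_PASS environment variables.

```php
<?php
// Added example, not ronjon's code. Assumed schema: users(firstname, lastname, password_hash).
// Assumed credentials: DB_USER / DB_PASS environment variables instead of literals in the file.
declare(strict_types=1);

function db(): PDO {
    $dsn = 'mysql:host=localhost;dbname=users;charset=utf8mb4';
    return new PDO($dsn, getenv('DB_USER') ?: '', getenv('DB_PASS') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

// Returns the last name on success, null on failure. The username never becomes
// part of the SQL text, so quotes or comment sequences inside it are just data.
function authenticate(PDO $pdo, string $username, string $password): ?string {
    $stmt = $pdo->prepare(
        'SELECT lastname, password_hash FROM users WHERE firstname = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user does not exist, so response
    // time does not tell a caller which usernames are valid.
    $hash = $row['password_hash'] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return null;
    }
    return $row['lastname'];
}

$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

try {
    $lastname = authenticate(db(), $username, $password);
} catch (PDOException $e) {
    error_log($e->getMessage());   // details go to the server log, not to the browser
    http_response_code(500);
    exit('We are unable to process your login right now.');
}

if ($lastname === null) {
    // One generic message for a bad username and a bad password alike.
    exit('Invalid username and/or password.');
}
session_start();
session_regenerate_id(true);   // fresh session id after login
$_SESSION['user'] = $username;
// Escape before echoing user-supplied data back into the page (XSS).
echo htmlspecialchars($lastname . ', ' . $username, ENT_QUOTES, 'UTF-8');
```

The matching form should use `<input type="password" name="password">` and be served over HTTPS, since a prepared statement does nothing for a password readable on screen or on the wire.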
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

moved to PHP Code.
ronjon
Forum Newbie
Posts: 7
Joined: Fri Jul 09, 2004 8:46 pm

all comments and suggestions taken and thought about

Post by ronjon »

gabidi..

yeah... the $link thing... i actually just copied it wrong. i forgot to bring the code home so i had to copy it from a printout... i just forgot to type the !. the code works... i tested it. the only thing that im really worried about is the security. but good noticing.

as for the list command... ill look into it and figure out what you mean... since i am a newb... i dont even know what you mean by scalar variables...but ill definitely look into what you're suggesting.

as for the echo... not sure what you mean ... but again... ill look into that as well.

also, thank you for your congratulations... i appreciate it. im excited about the job and am looking forward to learning coding more in depth so that i can add that to my title as well == job security and more financial compensation in the long run

buzzly...
i forgot to mention... that 80% of what they hired me for was to admin their network, troubleshoot their pc's, coordinate it projects and such... the php and mysql was just about 20% or so... all they knew was that I can learn it and want to learn it. so... they didnt just hire me for php and mysql..that would be silly of them. thats like hiring a chef to fix cars.

drew010...
name = "password"... yeah. i actually intend to do that.

thank you all for your replies. the more replies i get, the more i get to put in my notes to refer to later... that helps immensely. you guys freakin rock. i figure if i take all these comments down and incorporate it in my future code, six months or so down the line... id probably churn out code that might actually look like its made by a pro. again, thank you all.

what i was most concerned about...or was not sure about was whether a user would be able to somehow maliciously use any variables or values that were stored in POST... i havent thought about it much really...but i had a comment from somebody that in essence said that doing so was dangerous or somethin... i dont really know if thats true..but it was enough to make me concerned about it.

ok guys.. if you have any more comments... id love to hear it.

take care.
ron