FIND MY SECURITY HOLE... I GIVE YOU A NICKEL
Posted: Fri Jul 09, 2004 8:46 pm
by ronjon
Find My Security Hole... I Give You A Nickel
HELLO ALL.
PROFESSIONALS... I NEED YOUR HELP.
I HAVE RECENTLY GOT A JOB AT A DECENT PLACE THAT HIRED ME TO ADMIN THEIR NETWORK...AND... CODING A DYNAMIC WEBSITE WITH PHP AND MYSQL. WELL... IM A NEWBIE...IVE ONLY BEEN LOOKING AT MYSQL AND PHP FOR A WEEK. ANYHOW.. IVE BEEN CODING SOME STUFF FOR OUR WEBSITE. RIGHT NOW .. IM ONLY AT THE USER AUTHENTICATION PART. GIVEN THAT IM AN EXTREME NEWBIE... I DONT KNOW SECURITY...AT ALL ACTUALLY.
SO... FOR YOU PROFESSIONALS OUT THERE... I KNOW YOU ALL KNOW WHAT THINGS TO LOOK FOR WHEN IT COMES TO DEVELOPING DYNAMIC PAGES FOR WEBSITES THAT NEED TO BE PRETTY SECURE. PLEASE LOOK AT MY CODE AND TELL ME IF THIS IS WORTHY OF BEING PUT UP AS A CORPORATE WEBSITE (CODE WISE... I'VE YET TO START CONSIDERING HARDWARE SECURITY AND ALL THAT.) PLEASE HELP...ALL THIS CODE IVE PUT TOGETHER IS FROM TEXT BOOKS AND ONLINE HELP...I HAVE GOT ONLY ABOUT 2 SEMESTERS OF PROGRAMMING COURSEWORK UNDER MY BELT...SO IM REALLY WARY OF PUTTING ANYTHING UP THAT HASNT BEEN CRITIQUED BY A SEASONED PROFESSIONAL.
ANY INPUT WOULD BE REALLY HELPFUL.
THANK YOU ALL SO MUCH.
HERE IT GOES.
GATEWAY.PHP is the page that receives user input
AUTHENTICATION.PHP is the php page that verifies user input with the database.
//GATEWAY.PHP
<html>
<body>
<br /><br />
<p> my company name</p>
<form action = "AUTHENTICATION.PHP" method=post>
<input type="text" name="username">
USERNAME
<br>
<input type="text" name="password">
PASSWORD<br>
<input type="image" src="login.gif">
</form>
</body>
</html>
//AUTHENTICATION.PHP
<?
echo "MYCOMPANY INC. User Authentication routine.<br /><br />";
//RETRIEVING VARS FROM GATEWAY.PHP VIA POST
$username =$_POST['username'];
$password = $_POST['password'];
//CONNECTING TO DATABASE
$link = mysql_connect ('localhost', 'spinsykel', 'spinsykel');
if ($link)
{
echo "error: could not connect to database <br /><br />";
exit;
}
//RETRIEVING DATA FROM DATABASE
mysql_select_db('users');
$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'";
$result = mysql_query($sql) or die (mysql_error());
//IF FINDS NO MATCHING PASSWORD AND USERNAME
if (mysql_num_rows($result) == 0)
{
echo "INVALID USERNAME AND/OR PASSWORD.
PLEASE CLICK BACK ON YOUR BROWSER AND
ENTER A VALID USERNAME AND PASSWORD.
THANK YOU.";
}
//IF FINDS NO MATCHING PASSWORD AND USERNAME
if (mysql_num_rows($result) ==1)
{
$row = mysql_fetch_array($result);
list(,$lastname) + each ($row);
echo 'RECORD FOUND! <br /><br />';
$username = ucfirst ($username);
$lastname = ucfirst ($lastname);
echo "$lastname, $username;
$found =1;
}
//IF FINDS MORE THAN ONE MATCHING PASSWORD AND USERNAME (BIG TROUBLE!)
if (mysql_num_rows($result) > 1)
{
echo "WE ARE HAVING TECHNICAL DIFFICULTIES AND
ARE UNABLE TO RETRIEVE YOUR USER INFORMATION AT
THIS TIME. PLEASE COME BACK AT A LATER TIME.
THANK YOU - INFORMATION SYSTEMS DEPRTMENT";
}
?>
Posted: Fri Jul 09, 2004 8:48 pm
by tim
you really need to use php tags to enclose your code
much easier to read and much easier for us to help you
Posted: Fri Jul 09, 2004 8:51 pm
by ronjon
forgive me for being such a newbie
i was under the impression that <? ?> were php tags... i didnt know that there are additional tags i could use to help my code be readable
i did put the "//" comments though..
i would love to use the php tags you are talking about though if it would help my code be more readable...
would you care to show me the php tags you are talking about?
if you do... id add it and repost my code.
sincerely,
ron.
Posted: Fri Jul 09, 2004 8:54 pm
by tim
BBcode tags this forum offers
echo "HI";
compared to
before your code, add a [ php ] w/o the spaces before/after the bracket; after your code, add a [ /php ] (again w/o spaces)
makes it so much easier to read. Your code seems secure, do you use any cookies and/or sessions?
Posted: Fri Jul 09, 2004 8:56 pm
by ronjon
<?
//GATEWAY.PHP
<html>
<body>
<br /><br />
<p> my company name</p>
<form action = "AUTHENTICATION.PHP" method=post>
<input type="text" name="username">
USERNAME
<br>
<input type="password" name="password">
PASSWORD<br>
<input type="image" src="login.gif">
</form>
</body>
</html>
?>
//AUTHENTICATION.PHP
<?
echo "MYCOMPANY INC. User Authentication routine.<br /><br />";
//RETRIEVING VARS FROM GATEWAY.PHP VIA POST
$username =$_POST['username'];
$password = $_POST['password'];
//CONNECTING TO DATABASE
$link = mysql_connect ('localhost', 'spinsykel', 'spinsykel');
if (!$link)
{
echo "error: could not connect to database <br /><br />";
exit;
}
//RETRIEVING DATA FROM DATABASE
mysql_select_db('users');
$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'";
$result = mysql_query($sql) or die (mysql_error());
//IF FINDS NO MATCHING PASSWORD AND USERNAME
if (mysql_num_rows($result) == 0)
{
echo "INVALID USERNAME AND/OR PASSWORD.
PLEASE CLICK BACK ON YOUR BROWSER AND
ENTER A VALID USERNAME AND PASSWORD.
THANK YOU.";
}
//IF FINDS NO MATCHING PASSWORD AND USERNAME
if (mysql_num_rows($result) ==1)
{
$row = mysql_fetch_array($result);
list(,$lastname) + each ($row);
echo 'RECORD FOUND! <br /><br />';
$username = ucfirst ($username);
$lastname = ucfirst ($lastname);
echo "$lastname, $username;
$found =1";
}
//IF FINDS MORE THAN ONE MATCHING PASSWORD AND USERNAME (BIG TROUBLE!)
if (mysql_num_rows($result) > 1)
{
echo "WE ARE HAVING TECHNICAL DIFFICULTIES AND
ARE UNABLE TO RETRIEVE YOUR USER INFORMATION AT
THIS TIME. PLEASE COME BACK AT A LATER TIME.
THANK YOU - INFORMATION SYSTEMS DEPRTMENT";
}
?>
yes i do intend to use sessions.
Posted: Fri Jul 09, 2004 8:58 pm
by ronjon
i have not incorporated it as of yet... but i will. i dont intend to use cookies...just sessions.. ive been given the impression that sessions are the way to go.
do you have any additional input regarding using sessions?
thank you sir.
-ron
Posted: Fri Jul 09, 2004 10:34 pm
by feyd
I seriously don't appreciate the capslock usage in your posts ronjon.
Posted: Fri Jul 09, 2004 10:54 pm
by redmonkey
ronjon wrote:
PLEASE LOOK AT MY CODE AND TELL ME IF THIS IS WORTHY OF BEING PUT UP AS A CORPORATE WEBSITE
No it is not.
Posted: Sat Jul 10, 2004 1:21 am
by ronjon
thanks for the replies
feyd... sorry about the caps lock. i didnt think people actually thought it as a big deal... but ok. ill keep from using it.
redmonkey...
thanks for the comment...although.. can you tell me anything about why its not worthy? you dont have to go into detail... but, can you give me some idea as to what i should look up on the net that i could incorporate to make the code more enterprise worthy? please?
thank you all.
-ron
Posted: Sat Jul 10, 2004 2:00 am
by kettle_drum
-indentation.
-check POST values for xss.
Posted: Sat Jul 10, 2004 2:03 am
by kettle_drum
Split it into more manageable chunks so it can be re-used... is this the only page where you connect to the database?
Posted: Sat Jul 10, 2004 3:43 am
by PrObLeM
i would like 2 say 2 things ...
1. you do like your caps dont you
2. i hope spinsykel isnt your password....
mysql_connect ('localhost', 'spinsykel', 'spinsykel');
Posted: Sat Jul 10, 2004 5:39 am
by redmonkey
<input type="text" name="password">
I must admit, it has been a while since I have seen this level of schoolboy error. Using type 'text' for your password box means that anyone lurking around (or even walking past) the user as they log on will be able to see their password in plain text.
$sql = "SELECT lastname FROM users WHERE password = '$password' AND firstname = '$username'";
Try googling for 'SQL Injection' for this one.
$result = mysql_query($sql) or die (mysql_error());
While mysql_error may give useful error messages when developing/debugging it can give away too much information on a production site.
//CONNECTING TO DATABASE
$link = mysql_connect ('localhost', 'spinsykel', 'spinsykel');
if ($link)
{
echo "error: could not connect to database <br /><br />";
exit;
}
Have you tested this script? That piece of code should throw an error on successfully connecting to the database???
While I appreciate that you have minimal experience with PHP, this is nowhere near the level of acceptance for a corporate site.
You will also have at least one parse error within your code; you are missing a closing quote on one of your echos.
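A hardened version of the authentication step, written here as an added example (not ronjon's code or anything posted in the thread) that applies the points above and kettle_drum's XSS note: a prepared statement instead of interpolating $username and $password into the SQL, a stored password hash instead of a plaintext password column, one generic error message for the user with detail logged server-side, session use on success, and escaping before echoing POST or database data. It assumes a users table with columns firstname, lastname and password_hash (the hash column and the config-file path are assumptions; the thread's table stores plaintext) and PHP 5.5 or later for password_verify.

```php
<?php
// Added example, not from the thread. Assumes a table `users` with columns
// firstname, lastname, password_hash, where password_hash was produced by
// password_hash($plaintext, PASSWORD_DEFAULT) when the account was created.
session_start();

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

try {
    // Database credentials belong in a file outside the web root, not in the
    // script itself; the path below is a hypothetical placeholder.
    $config = require '/path/outside/webroot/db-config.php';
    $pdo = new PDO('mysql:host=localhost;dbname=users;charset=utf8mb4',
                   $config['user'], $config['pass'],
                   array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                         PDO::ATTR_EMULATE_PREPARES => false));

    // Placeholders keep user input out of the SQL text, so quotes or SQL
    // keywords inside the submitted value are compared as data, never parsed.
    $stmt = $pdo->prepare(
        'SELECT lastname, password_hash FROM users WHERE firstname = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash; the plaintext password is never sent
    // to the database. An unknown user and a wrong password produce the same
    // message, so the page does not reveal which usernames exist.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        echo 'Invalid username and/or password.';
        exit;
    }

    // Issue a fresh session id on login so an id set before login is not kept.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;

    // Escape anything that came from POST or the database before echoing it.
    echo htmlspecialchars(ucfirst($row['lastname']) . ', ' . ucfirst($username),
                          ENT_QUOTES, 'UTF-8');
} catch (PDOException $e) {
    // Keep the driver's error text in the server log; the user sees only a
    // generic message, unlike die(mysql_error()).
    error_log('auth failure: ' . $e->getMessage());
    echo 'We are having technical difficulties. Please try again later.';
}
```

The form side still needs type="password" on the password field, as noted above; this script only covers what happens after the POST.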
Posted: Sat Jul 10, 2004 10:04 am
by patrikG
moved to PHP Code.
Posted: Sat Jul 10, 2004 12:57 pm
by ronjon
all comments and suggestions taken and thought about
gabidi..
yeah... the $link thing... i actually just copied it wrong. i forgot to bring the code home so i had to copy it from a printout... i just forgot to type the !. the code works... i tested it. the only thing that im really worried about is the security. but good noticing.
as for the list command... ill look into it and figure out what you mean... since i am a newb... i don't even know what you mean by scalar variables...but ill definitely look into what you're suggesting.
as for the echo... not sure what you mean ... but again... ill look into that as well.
also, thank you for your congratulations... i appreciate it. im excited about the job and am looking forward to learning coding more in depth so that i can add that to my title as well == job security and more financial compensation in the long run
buzzly...
i forgot to mention... that 80% of what they hired me for was to admin their network, troubleshoot their pc's, coordinate IT projects and such... the php and mysql was just about 20% or so... all they knew was that I can learn it and want to learn it. so... they didnt just hire me for php and mysql..that would be silly of them. thats like hiring a chef to fix cars.
drew010...
name = "password"... yeah. i actually intend to do that.
thank you all for your replies. the more replies i get, the more i get to put in my notes to refer to later... that helps immensely. you guys freakin rock. i figure if i take all these comments down and incorporate it in my future code, six months or so down the line... id probably churn out code that might actually look like its made by a pro. again, thank you all.
what i was most concerned about...or was not sure about was whether a user would be able to somehow maliciously use any variables or values that were stored in POST... i havent thought about it much really...but i had a comment from somebody that in essence said that doing so was dangerous or something... i dont really know if thats true..but it was enough to make me concerned about it.
ok guys.. if you have any more comments... id love to hear it.
take care.
ron