
Posted: Thu Dec 07, 2006 6:35 am
by onion2k
neel_basu wrote: md5 can Be Decrypted, here Is Someone Who Decrypts The md5 Encryption
Considering MD5 isn't encryption that'd be very difficult. All this is is a database of words with their hash. There's only 166,642,636 entries; that hasn't even scratched the surface when it comes to a security issue. Just remember to use a salt and there's no problem whatsoever.

The only people who panic about this sort of thing are people who don't really understand it.

Posted: Thu Dec 07, 2006 7:31 am
by Jaxolotl
by the way, you may use a padding string to secure your MD5 code

for example

<?php
// this is easy to crack

$my_word = "art";

$hashed = md5($my_word);

// this is not so easy

/* **************************************
*              ENCRYPTION               *
*************************************** */
// fixed secret strings are wrapped around the input before hashing
function encrypt($string){
	$hash1 = "t0d0b1ch0qu3c4m1n4";
	$hash2 = "v@par4rál4sàd0r";
	return md5($hash1.$string.$hash2);
}

$hashed = encrypt($my_word);

// AND SO ON
It is always a compromise between the security needed and the resources you expect to use (price, time, complexity, speed, etc.)
you may also split the digest result into 2 strings and store them in two db fields.....
creativity is always there to help us isn't it?
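An added example, not code from the thread or from any poster, of the salt point onion2k made and of the fixed-string variant above. Jaxolotl's two fixed strings are the same for every user, so two users who both choose "art" still end up with the same digest; a random salt stored per user removes that, and PHP's built-in password_hash() goes one step further by also using a deliberately slow algorithm. Function names and the sample password are mine; the script assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the thread: why a salt defeats a lookup table.
// Assumes PHP 7.1+ (random_bytes, hash_equals, password_hash are built in).

// Unsalted: every user with this password gets the same digest, so one
// lookup of the digest in a precomputed table recovers all of them.
function unsaltedHash(string $password): string
{
    return md5($password);
}

// Per-user random salt stored beside the digest as "salt$digest". The same
// password now yields a different digest per user, and a table of md5(word)
// precomputed without that salt matches nothing.
function saltedHash(string $password, ?string $salt = null): string
{
    $salt = $salt ?? bin2hex(random_bytes(16)); // 32 hex chars, fresh per user
    return $salt . '$' . md5($salt . $password);
}

function verifySalted(string $password, string $stored): bool
{
    [$salt, $digest] = explode('$', $stored, 2);
    // hash_equals compares in constant time, so timing does not leak the digest
    return hash_equals($digest, md5($salt . $password));
}

// What to use today: password_hash() picks a random salt and a deliberately
// slow algorithm (bcrypt by default) and encodes both into the stored string.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function modernVerify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Two users choose the same weak password from the thread (constructed input).
$u1 = unsaltedHash('art');
$u2 = unsaltedHash('art');
printf("unsalted digests identical: %s\n", $u1 === $u2 ? 'yes' : 'no');

$s1 = saltedHash('art');
$s2 = saltedHash('art');
printf("salted digests identical:   %s\n", $s1 === $s2 ? 'yes' : 'no');
printf("salted verify, right pw:    %s\n", verifySalted('art', $s1) ? 'ok' : 'fail');
printf("salted verify, wrong pw:    %s\n", verifySalted('arts', $s1) ? 'ok' : 'fail');

$m = modernHash('art');
printf("password_verify, right pw:  %s\n", modernVerify('art', $m) ? 'ok' : 'fail');
printf("password_verify, wrong pw:  %s\n", modernVerify('arts', $m) ? 'ok' : 'fail');
```

The unsalted digests come out identical and the salted ones differ; both verify functions accept the right password and reject the wrong one. A salted MD5 still computes at full speed, which is why the last pair uses password_hash(): the salt defeats precomputed tables, the slow algorithm raises the cost of guessing one account at a time.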

Posted: Thu Dec 07, 2006 8:16 am
by kaisellgren
Jaxolotl wrote:
kaisellgren wrote: Thanks for the help.

So I'll use cookies to store username and password for 2 weeks. Then I'll check if the cookie username and password are found and they match the database, then I'll set some session variables to gain logged access, right?
To store such data in a cookie is really unsafe, I suggest you store for example some unique identification in the cookie (you may use the MD5 hash of the user id for example) and then make a query where the cookie information is equal to the user_id hashed. So you always get a unique identification without compromising the password or username.
It's just a quick example to suggest an idea; it would be better to think of something cheaper (on resources) because this operation may hash the entire user_id table before getting the match.
What's wrong with my suggestion?

Isn't this safe?

$a = $_COOKIE["username"];
$b = $_COOKIE["password"];
// Of course they have to be validated but not typing it now...
$c = mysql_query("SELECT * FROM users WHERE username='$a' AND password='$b';");
if (mysql_num_rows($c))
 $access = true;
The only thing I may think of is that someone who is using public computer and not logging out compromises the security because someone else can check out the cookies for that computer... any other things to care about?

Hmm. Maybe hashing the password in the cookie. So no one can find out the original password; someone may log in with another's details but still cannot know the password and therefore cannot even change it if I require a user to enter the old password before changing it to a new one. Is this correct?

Thanks for your great help guys.

Posted: Thu Dec 07, 2006 9:27 am
by neel_basu
$a = $_COOKIE["username"];
$b = $_COOKIE["password"];
// Of course they have to be validated but not typing it now...
$c = mysql_query("SELECT * FROM users WHERE username='$a' AND password='$b';");
if (mysql_num_rows($c))
$access = true;
No, It's Not Safe

If A Hacker Opens

http://www.yourdomain.com/phpfile.php?a ... b=somaebad

Then Your DataBase Is In Danger

Posted: Thu Dec 07, 2006 9:30 am
by kaisellgren
neel_basu wrote:
$a = $_COOKIE["username"];
$b = $_COOKIE["password"];
// Of course they have to be validated but not typing it now...
$c = mysql_query("SELECT * FROM users WHERE username='$a' AND password='$b';");
if (mysql_num_rows($c))
$access = true;
No, It's Not Safe

If A Hacker Opens

http://www.yourdomain.com/phpfile.php?a ... b=somaebad

Then Your DataBase Is In Danger
?

I have register_globals disabled, so how could someone set cookies through the URL? Also I didn't quite get that 'somaebad'... the username and password would be validated of course. No characters except a-z0-9, 4-16 length or so...

Posted: Thu Dec 07, 2006 9:31 am
by neel_basu
Then Its All OK

Posted: Thu Dec 07, 2006 9:37 am
by neel_basu
No, '#' Would Make The Password A Comment Line

But Although It's Too Difficult

If Someone Makes A False Cookie With Username as admin#

and Opens Your Cookie In A Text Editor And Then Spoils Your Cookie,
Opening It And Then Changing The Body Content Of That Cookie With
That Bad Cookie's Body Content

And Then Lets Your Cookie Interact With Your php Script

Posted: Thu Dec 07, 2006 9:40 am
by kaisellgren
neel_basu wrote: No, '#' Would Make The Password A Comment Line

But Although It's Too Difficult

If Someone Makes A False Cookie With Username as admin#

and Opens Your Cookie In A Text Editor And Then Spoils Your Cookie,
Opening It And Then Changing The Body Content Of That Cookie With
That Bad Cookie's Body Content

And Then Lets Your Cookie Interact With Your php Script
Oh and again...

the $a and $b are validated completely. This means something like preg_match("/[\w]{4,16}/",$a); or so. I'm not aware of someone typing smurf in cookies. I'm more afraid that someone may steal cookies and then somehow use the information inside them to gain access.

Posted: Thu Dec 07, 2006 9:41 am
by neel_basu
Would You Please Tell Me A Bit More About smurf ??

Posted: Thu Dec 07, 2006 9:58 am
by kaisellgren
lol smurf is a text that some moderator changed recently... sorry for swearing ! :cry:

By smurf I mean something that would exploit my script.

Posted: Thu Dec 07, 2006 10:01 am
by neel_basu
Oh! Thanks
I Thought That smurf Is A Code snippet

Posted: Thu Dec 07, 2006 10:17 am
by John Cartwright
Storing your password in a cookie is a horrible security practice. Just don't do it, ever. And technically your query is still vulnerable to SQL injection; at minimum pass your data through mysql_real_escape_string().

What are you trying to accomplish by storing the password? Not to mention that any cracker with half a talent can read your cookies.
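An added example, not code from the thread or from any poster, of the alternative Jaxolotl hinted at earlier and that this post is pushing towards: a "remember me" cookie that carries an opaque random token instead of the username and password. The cookie holds a selector (for the database lookup) and a validator (the secret); the table stores only a hash of the validator, so neither a copied cookie nor a copied table reveals a password, and a stolen token can be revoked without touching the account. Table and column names, function names and the sample user are mine; the script assumes PHP 7.1 or later with the pdo_sqlite extension and builds an in-memory database so it runs offline.

```php
<?php
// Added example, not from the thread: a remember-me cookie built from an
// opaque random token. Assumes PHP 7.1+ with pdo_sqlite; the tables and the
// single user row below are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec('CREATE TABLE remember_tokens (
              selector TEXT PRIMARY KEY, validator_hash TEXT,
              user_id INTEGER, expires INTEGER)');
$db->exec("INSERT INTO users (id, username) VALUES (1, 'kaisellgren')");

// Issue a token at login. The browser receives "selector:validator"; the
// database keeps only sha256(validator), so a leaked table cannot be replayed.
function issueRememberToken(PDO $db, int $userId, int $ttl = 14 * 86400): string
{
    $selector  = bin2hex(random_bytes(8));   // 16 hex chars, lookup key
    $validator = bin2hex(random_bytes(32));  // 64 hex chars, the secret
    $stmt = $db->prepare('INSERT INTO remember_tokens
                          (selector, validator_hash, user_id, expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    // Real code then calls setcookie('remember', $token, time() + $ttl, '/', '',
    // true, true): Secure and HttpOnly so it is sent only over TLS and is not
    // readable from page scripts.
    return $selector . ':' . $validator;
}

// On a later visit: reject anything not shaped like a token, look the
// selector up with a placeholder, check expiry, then compare the validator
// hash in constant time. Returns the user id or null.
function checkRememberToken(PDO $db, string $cookie): ?int
{
    if (!preg_match('/^([0-9a-f]{16}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector, wrong secret: a guessed or tampered cookie. A real
        // site would delete every token for that user here.
        return null;
    }
    return (int) $row['user_id'];
}

$cookie = issueRememberToken($db, 1);
$last = substr($cookie, -1);
$tampered = substr($cookie, 0, -1) . ($last === 'a' ? 'b' : 'a');

printf("valid cookie    -> user %s\n", var_export(checkRememberToken($db, $cookie), true));
printf("wrong shape     -> %s\n", var_export(checkRememberToken($db, 'admin:hunter2'), true));
printf("one char flipped-> %s\n", var_export(checkRememberToken($db, $tampered), true));
```

The valid cookie resolves to user 1, the malformed one and the one with a single altered character both resolve to null. Nothing in the cookie or the table is the user's password, which answers the question of what the password in the cookie was for: a random token does the same job without exposing a credential that is worth stealing.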

Posted: Thu Dec 07, 2006 10:20 am
by onion2k
kaisellgren wrote:Isn't this safe?

$a = $_COOKIE["username"];
$b = $_COOKIE["password"];
// Of course they have to be validated but not typing it now...
$c = mysql_query("SELECT * FROM users WHERE username='$a' AND password='$b';");
if (mysql_num_rows($c))
 $access = true;
Go to PC.
Open text file that contains the cookie data.
Change username to Admin
Change password to ' or 1 or ' (including apostrophes).
Hit submit
Woo! I'm an admin.

A very basic and very obvious example of an SQL injection attack.

Posted: Thu Dec 07, 2006 10:26 am
by kaisellgren
onion2k wrote:
kaisellgren wrote:Isn't this safe?

$a = $_COOKIE["username"];
$b = $_COOKIE["password"];
// Of course they have to be validated but not typing it now...
$c = mysql_query("SELECT * FROM users WHERE username='$a' AND password='$b';");
if (mysql_num_rows($c))
 $access = true;
Go to PC.
Open text file that contains the cookie data.
Change username to Admin
Change password to ' or 1 or ' (including apostrophes).
Hit submit
Woo! I'm an admin.

A very basic and very obvious example of an SQL injection attack.
Why are you not reading my code... :cry:

// Of course they have to be validated but not typing it now...

means that I check first for allowed chars a-z, 0-9 and _, then I check that the length is between 4 and 16, then lastly I'll addslashes(). Clear now?

Posted: Thu Dec 07, 2006 10:33 am
by John Cartwright
kaisellgren wrote:
onion2k wrote:
kaisellgren wrote:Isn't this safe?

$a = $_COOKIE["username"];
$b = $_COOKIE["password"];
// Of course they have to be validated but not typing it now...
$c = mysql_query("SELECT * FROM users WHERE username='$a' AND password='$b';");
if (mysql_num_rows($c))
 $access = true;
Go to PC.
Open text file that contains the cookie data.
Change username to Admin
Change password to ' or 1 or ' (including apostrophes).
Hit submit
Woo! I'm an admin.

A very basic and very obvious example of an SQL injection attack.
Why are you not reading my code... :cry:

// Of course they have to be validated but not typing it now...

means that I check first for allowed chars a-z, 0-9 and _, then I check that the length is between 4 and 16, then lastly I'll addslashes(). Clear now?
You are mistaken, I have read your code fine, and your regex pattern will allow all characters as long as there are 4 alpha characters within the pattern.

\x1a username would pass, and likely cause your query to fail and give sensitive information to the cracker. Like I said, you want to AT MINIMUM pass all variables into the query through mysql_real_escape_string(), just in case something like this happens. Never rely on single layer security.

now to fix your regex expression

/^[\w]{4,16}$/
should work
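An added example, not code from the thread or from any poster, that runs the two points of this exchange side by side: the unanchored pattern from the discussion against the anchored one John gives here, and the thread's concatenated query against a parameterised one, both fed onion2k's cookie value. Table contents, function names and the sample credentials are mine; the script assumes PHP 7.1 or later with pdo_sqlite and builds an in-memory users table so it runs offline.

```php
<?php
// Added example, not from the thread: anchored vs unanchored validation and
// concatenated vs parameterised queries. Assumes PHP 7.1+ with pdo_sqlite;
// the users table and its two rows are constructed for the demo (a real
// table would hold password_hash() output, not plain passwords).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('Admin', 'correct-horse'), ('bob', 'hunter2')");

// Unanchored (the pattern quoted in the thread): matches as soon as any run
// of 4 to 16 word characters appears somewhere in the value.
function looksValidUnanchored(string $s): bool
{
    return preg_match('/[\w]{4,16}/', $s) === 1;
}

// Anchored (John's fix): the whole value must be 4 to 16 word characters.
function looksValidAnchored(string $s): bool
{
    return preg_match('/^[\w]{4,16}$/', $s) === 1;
}

// The query shape from the thread: input spliced into the SQL text.
function loginConcatenated(PDO $db, string $user, string $pass): bool
{
    $sql  = "SELECT * FROM users WHERE username='$user' AND password='$pass'";
    $rows = $db->query($sql)->fetchAll();
    return count($rows) > 0;
}

// Same check with placeholders: the values are sent as data and can never
// become SQL syntax, whatever characters they contain.
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return $stmt->fetchColumn() !== false;
}

$payload = "' or 1 or '";   // the cookie value from onion2k's post

printf("unanchored check on \"Admin' or 1 or '\": %s\n",
       looksValidUnanchored("Admin' or 1 or '") ? 'passes' : 'rejected');
printf("anchored check on   \"Admin' or 1 or '\": %s\n",
       looksValidAnchored("Admin' or 1 or '") ? 'passes' : 'rejected');

printf("concatenated query, payload password: %s\n",
       loginConcatenated($db, 'Admin', $payload) ? 'logged in' : 'denied');
printf("prepared query, payload password:     %s\n",
       loginPrepared($db, 'Admin', $payload) ? 'logged in' : 'denied');
printf("prepared query, real password:        %s\n",
       loginPrepared($db, 'Admin', 'correct-horse') ? 'logged in' : 'denied');
```

The unanchored check passes the username because "Admin" alone satisfies it, the anchored check rejects it. With the payload as password the concatenated query becomes `... AND password='' or 1 or ''`, which is true for every row and logs the caller in as Admin; the prepared statement compares the literal string and denies it, while still accepting the genuine password. Validation and escaping are useful layers, but placeholders are the one that removes the injection class entirely.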