<?php
session_start();
require("mysql.php"); // Requires a mysql class
$access = false; // I do not have register globals enabled
if (isset($_COOKIE["username"]) && isset($_COOKIE["password"]))
{
    $username = escape($_COOKIE["username"]); // Escape is my escaping function, don't care about it
    $password = escape($_COOKIE["password"]);
    if (is_valid_up($username) && is_valid_up($password)) // is_valid_up checks if username/password is valid format
    {
        $db = new mysql;
        $db->connect();
        $db->query("SELECT * FROM ".PREFIX."members WHERE (username='$username' AND password='$password');");
        if ($db->num_rows())
        {
            $access = true;
        }
    }
}
elseif (isset($_POST["log_in"]))
{
    $username = escape($_POST["username"]); // Escape is my escaping function, don't care about it
    $password = escape(secure($_POST["password"])); // The secure function hashes the argument and then returns it as hashed
    if (is_valid_up($username) && is_valid_up($password)) // is_valid_up checks if username/password is valid format
    {
        $db = new mysql;
        $db->connect();
        $db->query("SELECT * FROM ".PREFIX."members WHERE (username='$username' AND password='$password');");
        if ($db->num_rows())
        {
            $access = true;
        }
    }
}
if ($access)
{
    // show member data
}
else
{
    // don't show member data
}
?>
By trimmed I mean that I deleted unnecessary code you won't need to know about.
Basically I came here to ask for help about security. Most of you say that storing passwords in cookies is bad etc. How would the script log in automatically using cookies, then?
btw there is a security forum specifically for this kind of stuff.
Automatic login via cookies is always going to be insecure. Not to mention more work, actually. I have never ever used a cookie directly in almost 2 years of PHP usage because sessions are a much better, more secure alternative.
Also google "SQL injection"; your script looks vulnerable.
ole wrote:btw there is a security forum specifically for this kind of stuff.
Automatic login via cookies is always going to be insecure. Not to mention more work, actually. I have never ever used a cookie directly in almost 2 years of PHP usage because sessions are a much better, more secure alternative.
Also google "SQL injection"; your script looks vulnerable.
Maybe you are not using it, but I am using it with this forum. Every time I come to devnetwork.net I am redirected to the forums and automatically logged in, and that's good. I would like to make the same for my system.
yep... make a string out of, say, the user's id, username, and password. Hash that string, and store that in your cookie... that makes it almost impossible to hack, really (well, it makes the cookies almost impossible to hack; you still need to have a secure script besides them).
-wyrmmage
Storing the username and password in a cookie is silly. It is no more secure than posting those values on a non-SSL page, except you would be posting those to every single page requested that satisfied the domain and path properties.
I currently have the script storing the User ID and hashed password in the cookies. I did it that way because I noticed a lot of IPB boards using the same method. So are IPBs vulnerable or insecure?
kaisellgren wrote:I currently have the script storing the User ID and hashed password in the cookies. I did it that way because I noticed a lot of IPB boards using the same method. So are IPBs vulnerable or insecure?
Your variable names should reflect what they actually contain. Calling something $_COOKIE['password'] when it actually contains a hashed copy of the password could confuse anyone who comes to maintain/use your code later.
To not go off topic, I'll mention again that I was searching for code improvements in my security code. I'm using cookies that store the UserID and hashed password. Can someone tell me whether this is A) secure or B) insecure? If this is insecure, then what method should I use to enable the automatic logins I want?
I understand that storing even a hashed password in cookies makes it possible for anyone to get them, for example from a public computer or by hacking into someone's computer. If smurf A gets the userid and password, he can manually make a cookie and insert these details to log in. The smurf, however, cannot change the password or other important details without knowing the unhashed password. The smurf can post messages and pretend to be someone else, but this is the failure of the person who either has an insecure computer or used automatic logins on a public computer. Right?
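The usual answer to the question above, as an added example that is not from any poster in this thread and not the original poster's mysql class: a "remember me" cookie that carries only a random token, so a stolen cookie never reveals the password hash and can be revoked server-side. It swaps in PDO prepared statements for the string-built query, and assumes a PDO connection in $pdo and a table remember_tokens(selector, validator_hash, user_id, expires_at) (both hypothetical).

```php
<?php
// Added example, not from the thread. "Remember me" without password material in
// the cookie: a random selector finds the row, a random validator proves it, and
// only the validator's hash is stored. Assumes a PDO connection $pdo and a table
// remember_tokens(selector, validator_hash, user_id, expires_at).

function issue_remember_cookie(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; stored only as a hash
    $expires   = time() + 30 * 86400;
    $stmt = $pdo->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    // HttpOnly keeps it away from scripts; Secure keeps it off plain HTTP.
    setcookie('remember', "$selector:$validator", [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function user_from_remember_cookie(PDO $pdo): ?int
{
    if (!isset($_COOKIE['remember'])) {
        return null;
    }
    $parts = explode(':', $_COOKIE['remember'], 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    // Prepared statement: the cookie value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT user_id, validator_hash FROM remember_tokens
        WHERE selector = ? AND expires_at > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() compares in constant time, so a wrong validator leaks nothing.
    if ($row === false || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}
```

Call issue_remember_cookie() after a successful password login and user_from_remember_cookie() at the top of each request in place of the cookie branch above; deleting the user's rows from remember_tokens on logout or password change invalidates every copy of the cookie.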