Login/Register security!

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


snarkiest
Forum Commoner
Posts: 30
Joined: Mon May 04, 2009 10:06 am
Location: Latvia

Re: Login/Register security!

Post by snarkiest »

Will this login be secure enough?
Yes, I know there is no md5. I just don't need it.

Code:

<?PHP
include("connect.php");
include("vars.php");
 
if(isset($_POST['login']))
{
//If password field and username field is not completed give error and exit script. It could like below. I think it is correct.
 
    if (!$_POST['username'] | !$_POST['pass']) {
    echo $topregister;
    echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>We warned you. Did we not? Complete all of the required fields. <a href='javascript&#058;self.history.back();'>Return</a>.</td></tr></table>";
    echo $bottoml; echo $323; echo $bottomr;
    exit();
    }
 
//Now if they are filled in check it against db. 
        // Assign the username and password from the form to variables.
        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string($_POST['pass']);
        
        $sql= mysql_query("SELECT * FROM `ach_users` WHERE `username`='$username' AND `password`='$password'",$connect);
        $result=$sql;
        
        // This counts to see how many rows were found, there should be no more than 1
        $count=mysql_num_rows($result);
        if($count!=1){
            echo $toplogin;
            echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Error: The password or username which you entered is wrong.  <a href='javascript&#058;self.history.back();'>Return</a>.";
            echo $bottoml; echo $323; echo $bottomr;
        exit();
        }
        
        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string($_POST['pass']);
        
        $active=1;
        $check = mysql_query("SELECT * FROM `ach_users` WHERE `username`='$username' AND `password`='$password' AND `active`='$active'",$connect);
        $result1 = $check; 
        
        $check2 = mysql_num_rows($result1);
        if($check2!=0) 
        {
        echo $toplogin;
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Error: Your account is suspended, you can't log in anymore.  <a href='javascript&#058;self.history.back();'>Return</a>.";
        echo $bottoml; echo $323; echo $bottomr;
        exit();
        }
        
        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string($_POST['pass']);
    
        list($check7) = mysql_fetch_row(mysql_query("SELECT `group` FROM `ach_users` WHERE `username`='$username' AND `password`='$password'",$connect));
        $result7 = $check7; 
        
        if($result7!=1) 
        {
        $ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
        
        $username = $_POST['username'];
        list($check8) = mysql_fetch_row(mysql_query("SELECT `id` FROM `ach_users` WHERE `username`='$username'",$connect));
        $id = $check8;
        
        $update = mysql_query("UPDATE `ach_users` SET `lastlogin`=NOW() ,`ip`='$ip' WHERE `id`='$id'",$connect);
        session_start();
        $_SESSION['ach_login'] = "1";
        $_SESSION['ach_group'] = "2";
        $_SESSION['ach_username'] = $_POST['username'];
        header("location:/ach/view_ach.php");
        }
        else
        {       
        $ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
        
        $username = $_POST['username'];
        list($check8) = mysql_fetch_row(mysql_query("SELECT `id` FROM `ach_users` WHERE `username`='$username'",$connect));
        $id = $check8;
        
        $update = mysql_query("UPDATE `ach_users` SET `lastlogin`=NOW() ,`ip`='$ip' WHERE `id`='$id'",$connect);
        session_start();
        $_SESSION['ach_login'] = "1";
        $_SESSION['ach_group'] = "1";
        $_SESSION['ach_username'] = $_POST['username'];
        header("location:/ach/view_ach.php");
        }
  
}
else
{
    echo $toplogin;
    echo "<form action='" . $_POST['PHP_SELF'] . "' method='post'>
<table width='323' class='toutborder' cellspacing='2' cellpadding='2'>
  <tr width='100%'>
    <td class='tinborder' align='center' width='40%'>Username:</td>
    <td class='trstyle' align='center' width='60%'><input type='text' name='username'></td>
  </tr>
  <tr width='100%'>
    <td class='tinborder' align='center' width='40%'>Password:</td>
    <td class='trstyle' align='center' width='60%'><input type='password' name='pass'/></td>
  </tr>
  <tr width='100%'>
    <td class='tinborder' align='center' width='40%'>Remember:</td>
    <td class='trstyle' align='center' width='60%'><input type='checkbox' name='remember'/></td>
  </tr>
  <tr>
    <td colspan='2' align='center' class='trstyle'><input type='submit' name='login' value='Log In!'></td>
    </tr>
</table>
</form>";
echo $bottoml; echo $323; echo $bottomr;
}
 
?>
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: Login/Register security!

Post by Paul Arnold »

I've only had a brief look. It's definitely looking better.
I will say, you assign $username and $password quite a few times.

Just putting the following two lines:

Code:

 
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['pass']);
 
At the top of your script and then using those two variables throughout will be fine.
I know you say you don't need to use MD5 but hashing your passwords is extremely important, especially if you don't have a great knowledge of security.
Use SHA1 as an absolute minimum though, not MD5. It's more secure.
Ideally use something higher though like SHA256.
It's actually really easy once you understand its purpose. The only drawback is you can't recover your passwords and have to reset them if lost.

It's definitely progressing though.

Edit: delete lines 59 and 74. You don't need them (as above) and they could be used for an SQL injection.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Login/Register security!

Post by kaisellgren »

snarkiest wrote:

Code:

if (!$_POST['username'] | !$_POST['pass']) {
You should use ||, not |, which is an inclusive or...

What is $323? It's an invalid variable name... variables should be constructed in a form of $[a-zA-Z_][a-zA-Z0-9_]* and the support for non-English alphabets is discouraged.

You should hash your passwords.

Lines 60 & 75 are vulnerable to SQLi.

Line 90 is vulnerable to XSS attacks.
Paul Arnold wrote: I know you say you don't need to use MD5 but hashing your passwords is extremely important, especially if you don't have a great knowledge of security.
I would never tell anyone to not hash passwords, because it is important. It is not extremely important, but important. In my opinion, XSS and SQLi holes have a greater sense of insecurity than the nonexistence of password hashing, but that does not mean you should not hash passwords - you absolutely should hash your passwords.
Paul Arnold wrote: Use SHA1 as an absolute minimum though, not MD5. It's more secure.
Ideally use something higher though like SHA256.
MD5 should not even be included within the same sentence with the word "secure". SHA-1 is compromised and more or less broken. The SHA-2 family is not ideal; it is one good choice for those who want to build secure applications. Personally, I would use either SHA-2 or Whirlpool.
Paul Arnold wrote: It's actually really easy once you understand its purpose.
Oh well, many developers do not understand the concepts of password hashing. I guess that depends.
Paul Arnold wrote: The only drawback is you can't recover your passwords
That is not a drawback - it is a feature. Hashes are supposed to be irreversible. That is what you want from them.
snarkiest
Forum Commoner
Posts: 30
Joined: Mon May 04, 2009 10:06 am
Location: Latvia

Re: Login/Register security!

Post by snarkiest »

Ok, here is updated log in page.

Code:

<?PHP
include("connect.php");
include("vars.php");
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    $salt = hash('sha256',uniqid(mt_rand(),true));
    $hashed_password = hash('sha256',$password.$salt);
    
if(isset($_POST['login']))
{
//If password field and username field is not completed give error and exit script. It could like below. I think it is correct.
    if (!$_POST['username'] || !$_POST['password']) {
    echo $topregister;
    echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>We warned you. Did we not? Complete all of the required fields. <a href='javascript&#058;self.history.back();' class='link'>Return</a>.</td></tr></table>";
    echo $bottom323;
    exit();
    }
 
//Now if they are filled in check it against db.    
        $sql= mysql_query("SELECT * FROM `ach_users` WHERE `username`='$username' AND `password`='$hashed_password'",$connect);
        $result=$sql;
        
        // This counts to see how many rows were found, there should be no more than 1
        $count=mysql_num_rows($result);
        if($count!=1){
            echo $toplogin;
            echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Error: The password or username which you entered is wrong.  <a href='javascript&#058;self.history.back();' class='link'>Return</a>.</td></tr></table>";
            echo $bottom323;
        exit();
        }
        //This checks if the user is active. 0 for active users, 1 for suspended.
        $active=1;
        $check = mysql_query("SELECT * FROM `ach_users` WHERE `username`='$username' AND `password`='$hashed_password' AND `active`='$active'",$connect);
        $result1 = $check; 
        
        $check2 = mysql_num_rows($result1);
        if($check2!=0) 
        {
        echo $toplogin;
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Error: Your account is suspended, you can't log in anymore.  <a href='javascript&#058;self.history.back();' class='link'>Return</a>.</td></tr></table>";
        echo $bottom323;
        exit();
        }
    
        list($check7) = mysql_fetch_row(mysql_query("SELECT `group` FROM `ach_users` WHERE `username`='$username' AND `password`='$hashed_password'",$connect));
        $result7 = $check7; 
        
        if($result7!=1) 
        {
        $ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
        
        list($check8) = mysql_fetch_row(mysql_query("SELECT `id` FROM `ach_users` WHERE `username`='$username'",$connect));
        $id = $check8;
        
        $update = mysql_query("UPDATE `ach_users` SET `lastlogin`=NOW() ,`ip`='$ip' WHERE `id`='$id'",$connect);
        session_start();
        $_SESSION['ach_login'] = "1";
        $_SESSION['ach_group'] = "2";
        $_SESSION['ach_username'] = $_POST['username'];
        header("location:/ach/view_ach.php");
        }
        else
        {       
        $ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
        
        $id = $check8;
        
        $update = mysql_query("UPDATE `ach_users` SET `lastlogin`=NOW() ,`ip`='$ip' WHERE `id`='$id'",$connect);
        session_start();
        $_SESSION['ach_login'] = "1";
        $_SESSION['ach_group'] = "1";
        $_SESSION['ach_username'] = $_POST['username'];
        header("location:/ach/view_ach.php");
        }
  
}
else
{
    echo $toplogin;
    echo "<form action='" . $_POST['PHP_SELF'] . "' method='post'>
<table width='323' class='toutborder' cellspacing='2' cellpadding='2'>
  <tr width='100%'>
    <td class='tinborder' align='center' width='40%'>Username:</td>
    <td class='trstyle' align='center' width='60%'><input type='text' name='username'></td>
  </tr>
  <tr width='100%'>
    <td class='tinborder' align='center' width='40%'>Password:</td>
    <td class='trstyle' align='center' width='60%'><input type='password' name='password'/></td>
  </tr>
  <tr width='100%'>
    <td class='tinborder' align='center' width='40%'>Remember:</td>
    <td class='trstyle' align='center' width='60%'><input type='checkbox' name='remember'/></td>
  </tr>
  <tr>
    <td colspan='2' align='center' class='trstyle'><input type='submit' name='login' value='Log In!'></td>
    </tr>
</table>
</form>";
echo "<table width='" . $tr . "' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'><a href='' class='link'>Viking, Pirates, Ninjas and VPN</a> are Trademarks of <a href='http://www.meteorgames.com/' class='link'>Meteor Games LLC</a> and are used with permission for fan site purposes only.<br />
<a href='' class='link'>Viking, Pirates, Ninjas and VPN</a> text, graphic, sound and animation elements &copy; 2009 <a href='http://www.meteorgames.com/' class='link'>Meteor Games LLC</a>. All rights reserved. Used with permission. <br>All other content &copy; 2009 achLog.</td></tr></table></body></html>";
}
 
?>
Ok, returned the password hash and this time more secure. Thanks to you and your super cool blog! (: Just what type should I set for the password field in the database now? How long is it? AND another thing, when I try to log in it shows me that I have the wrong password. What is wrong in the script? I registered an account with the new script and hashing and cannot log in. I think it is because of the math random unique id.
Register.php:

Code:

<?PHP
include("connect.php");
include("vars.php");
 
//This code runs if the form ($register) has been submitted.
if (isset($_POST['register'])) {
        //This makes sure they did not leave any fields blank.
        if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] | !$_POST['email'] | !$_POST['email2'] | !$_POST['vpncharacter'])        {
        echo $topregister;
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>We warned you. Did we not? Complete all of the required fields. <a href='javascript&#058;self.history.back();'>Return</a>.</td></tr></table>";
        echo $bottom323;
        exit();
        }
        //Validates the username.   
        $pattern = "/^[a-zA-Z0-9\-_]{3,}$/";
        $username = mysql_real_escape_string($_POST['username']);
        if(!preg_match($pattern,$username)) {
        echo $topregister;
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Your username " . $_POST['username'] . " contains invalid characters. It can contain characters a-z, A-Z and numbers 0-9. You can also use underscores (_) or dashes (-). <a href='javascript&#058;self.history.back();'>Return</a>.</td></tr></table>";
        echo $bottom323;
        exit();
        } 
        //Checks if the username is in use.
        if (!get_magic_quotes_gpc()) {
        $_POST['username'] = addslashes($_POST['username']);
        }
        $usercheck = mysql_real_escape_string($_POST['username']);
        $check = mysql_query("
                             SELECT * FROM `ach_users` WHERE `username` = '$usercheck'
                             ",$connect);
        $check2 = mysql_num_rows($check);
        //If username exists then give error.
        if ($check2 != 0) 
        {
        echo $topregister;
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Error: Sorry, the username "; 
        echo $_POST['username'];
        echo " is already in use. Maybe you should think of new one? <a href='javascript&#058;self.history.back();'>Return</a>.</td></tr></table>";
        echo $bottom323;
        exit();
        }
        //Validates the password.
        $pattern = "/^[a-zA-Z0-9]{6,16}$/";
        $pass = mysql_real_escape_string($_POST['pass']);
        if(!preg_match($pattern,$pass)) {
        echo $topregister;
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Your password " . $_POST['pass'] . " contains invalid characters or is too long or too short. It can contain characters a-z, A-Z and numbers 0-9. The password has to be at least 6 and at most 16 characters long. <a href='javascript&#058;self.history.back();'>Return</a>.</td></tr></table>";
        echo $bottom323;
        exit();
        } 
        //This makes sure both passwords entered match.
        if ($_POST['pass'] != $_POST['pass2']) {
        echo $topregister;
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Error: Your passwords did not match. <a href='javascript&#058;self.history.back();'>Return</a>.</td></tr></table>";
        echo $bottom323;
        exit();
        }
        //Here we encrypt the password and add slashes if needed.
        $password = $_POST['pass'];
        $salt = hash('sha256',uniqid(mt_rand(),true));
        $hashed_password = hash('sha256',$password.$salt);
        
        //This makes sure both emails entered match.
        if ($_POST['email'] != $_POST['email2']) 
        {
        echo $topregister;
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Error: Your entered e-mails did not match. <a href='javascript&#058;self.history.back();'>Return</a>.</td></tr></table>";
        echo $bottom323;
        exit();
        }
        //Validates the e-mail.
        $email = mysql_real_escape_string($_POST['email']);
        if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>E-mail contains invalid characters. <a href='javascript&#058;self.history.back();'>Return</a>.</td></tr></table>";
        echo $bottom323;
        exit();
        } 
        //Checks if the e-mail is in use.
        if (!get_magic_quotes_gpc()) {
        $_POST['email'] = addslashes($_POST['email']);
        }
        $emailcheck = mysql_real_escape_string($_POST['email']);
        $check = mysql_query("SELECT * FROM `ach_users` WHERE `email`='$emailcheck'",$connect);
        $check2 = mysql_num_rows($check);
        //If email exists then give error.
        if ($check2 != 0) 
        {
        echo $topregister;
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Error: Sorry, the e-mail "; 
        echo $_POST['email'];
        echo " is already in use. Maybe try some other working e-mail? <a href='javascript&#058;self.history.back();'>Return</a>.</td></tr></table>";
        echo $bottom323;
        exit();
        }
        //Checks if the vpn character name is in use.
        if (!get_magic_quotes_gpc()) {
        $_POST['vpncharacter'] = addslashes($_POST['vpncharacter']);
        }
        $vpncharactercheck = mysql_real_escape_string($_POST['vpncharacter']);
        $check = mysql_query("
                             SELECT * FROM `ach_users` WHERE `vpncharacter`='$vpncharactercheck'
                             ",$connect);
        $check2 = mysql_num_rows($check);
        //If character exists then give error.
        if ($check2 != 0) 
        {
        echo $topregister;
        echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Error: Sorry, somebody else has signed up with this "; 
        echo $_POST['vpncharacter'];
        echo " character. <a href='javascript&#058;self.history.back();'>Return</a>.</td></tr></table>";
        echo $bottom323;
        exit();
        }
        $ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
    //Now we insert it into the database.
    $insert = mysql_query("INSERT INTO `ach_users` (username, password, regdatetime, ip, email, vpncharacter) VALUES ('".$_POST['username']."', '$hashed_password', NOW(), '$ip', '".$_POST['email']."', '".$_POST['vpncharacter']."')",$connect);
    $add_member = mysql_query($insert);
    echo $topregister;
    echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Good news: Your account has been successfully created. You can now <a href='/ach/login.php'>log in</a>.</td></tr></table>";
    echo $bottom323;
    exit();
}
else {
echo $topregister;
echo "<table width='323' class='toutborder' cellspacing='2' cellpadding='2'><tr width='100%'><td class='tinborder' align='center' width='10%'>Hello, want to sign up? Do it below, but be sure to complete all fields and enter accurate information in case we need to contact you.</td></tr></table>";
echo "
      <form name='register' action='" . $_POST['PHP_SELF'] . "' method='post'>
      <table width='323' class='toutborder' cellspacing='2' cellpadding='2'>
      <tr width='100%'>
        <td class='tinborder' align='center' width='40%'>Username:</td>
        <td class='trstyle' align='center' width='60%'><input type='text' name='username'></td>
      </tr>
      <tr width='100%'>
        <td class='tinborder' align='center' width='40%'>Password:</td>
        <td class='trstyle' align='center' width='60%'><input type='password' name='pass'></td>
      </tr>
        <tr width='100%'>
        <td class='tinborder' align='center' width='40%'>Repeat password:</td>
        <td class='trstyle' align='center' width='60%'><input type='password' name='pass2'></td>
      </tr>
        <tr width='100%'>
        <td class='tinborder' align='center' width='40%'>E-mail:</td>
        <td class='trstyle' align='center' width='60%'><input type='text' name='email'></td>
      </tr>
          <tr width='100%'>
        <td class='tinborder' align='center' width='40%'>Repeat e-mail:</td>
        <td class='trstyle' align='center' width='60%'><input type='text' name='email2'></td>
      </tr>
        <tr width='100%'>
        <td class='tinborder' align='center' width='40%'>VPN Character:</td>
        <td class='trstyle' align='center' width='60%'><input type='text' name='vpncharacter'></td>
      </tr>
      <tr>
        <td colspan='2' align='center' class='trstyle'><input type='submit' name='register' value='Create Account!' /></td>
        </tr>
    </table>
    </form>";
echo $bottom323;
}
?>
 
kaisellgren wrote: What is $323? It's an invalid variable name... variables should be constructed in a form of $[a-zA-Z_][a-zA-Z0-9_]* and the support for non-English alphabets is discouraged.
I know, it was temporary. Changed.
kaisellgren wrote: Lines 60 & 75 are vulnerable to SQLi.
Line 90 is vulnerable to XSS attacks.
Firstly, what is XSS? Secondly, how do I make those lines not vulnerable? I checked, but couldn't find any better way.
kaisellgren wrote: You should use ||, not |, which is an inclusive or...
Done.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Login/Register security!

Post by kaisellgren »

How about you read this book http://www.amazon.com/php-architects-Gu ... 973862106/ ?

You have basic security holes in your scripts, and you are making new posts with big bunches of codes every now and then and I feel it is a bit pointless to nag you about all of them. Instead, you could learn the basics of security first, fix your script, and then ask if there is something you have missed.

The login fails, because you are giving the hash some pseudo random data.

You can also learn by reading Wikipedia: http://en.wikipedia.org/wiki/Cross-site_scripting
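Added example, not code from any post in this thread, of the salt problem kaisellgren points at: the posted register.php stores hash('sha256', $password.$salt) with a salt generated on the spot, and the posted login.php generates a fresh salt before hashing, so the two digests never agree and every login fails. The fix is to store the salt beside the hash and reuse it at login, or to let password_hash()/password_verify() handle salt storage; the array-backed user store and the function names are assumptions made for this example.

```php
<?php
// Added example (not from the thread). Two correct ways to do what the posted
// register.php/login.php pair attempts. The bug being fixed: the salt is part
// of the stored credential and must be saved at registration and reused at
// login, never regenerated from uniqid()/mt_rand() on each request.
declare(strict_types=1);

// $users stands in for the `ach_users` table (username => stored credential).
// It is a plain array constructed in memory so the example runs offline.

// --- The thread's sha256+salt scheme, fixed: keep the salt with the hash. ---
function registerSha256(array &$users, string $username, string $password): void
{
    // random_bytes() is a CSPRNG; uniqid()+mt_rand() is predictable and is
    // not suitable for salts. 16 bytes -> 32 hex characters.
    $salt = bin2hex(random_bytes(16));
    $users[$username] = [
        'salt' => $salt,                                 // column: CHAR(32)
        'hash' => hash('sha256', $password . $salt),     // column: CHAR(64) hex
    ];
}

function loginSha256(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    // Recompute with the *stored* salt; hash_equals() compares in constant time.
    $candidate = hash('sha256', $password . $users[$username]['salt']);
    return hash_equals($users[$username]['hash'], $candidate);
}

// --- Preferred today: password_hash() (PHP 5.5+) embeds algorithm, cost and
// salt in the returned string, so there is nothing separate to store or to
// get out of sync. The manual recommends a VARCHAR(255) column for it. ---
function registerModern(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function loginModern(array $users, string $username, string $password): bool
{
    return isset($users[$username])
        && password_verify($password, $users[$username]);
}

// Demonstration with constructed credentials.
$legacy = [];
registerSha256($legacy, 'snarkiest', 'correct horse');
var_dump(loginSha256($legacy, 'snarkiest', 'correct horse'));   // matching password
var_dump(loginSha256($legacy, 'snarkiest', 'wrong'));           // wrong password
var_dump(loginSha256($legacy, 'nobody', 'correct horse'));      // unknown user

$modern = [];
registerModern($modern, 'snarkiest', 'correct horse');
var_dump(loginModern($modern, 'snarkiest', 'correct horse'));
var_dump(loginModern($modern, 'snarkiest', 'wrong'));
```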
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: Login/Register security!

Post by Paul Arnold »

kaisellgren wrote: I would never tell anyone to not hash passwords, because it is important. It is not extremely important, but important. In my opinion, XSS and SQLi holes have a greater sense of insecurity than the inexistence of password hashing, but that does not mean you should not hash passwords - you absolutely should hash your passwords.
What I meant by this is that if you don't have enough security knowledge (such as SQLi) then it becomes more important to hash your passwords as they're more vulnerable.
kaisellgren wrote: MD5 should not even be included within the same sentence with the word "secure". SHA-1 is compromised and more or less broken. SHA-2 family is not ideal, it is one good choice for those who want to build secure applications. Personally, I would use either SHA-2 or Whirlpool.
No arguments there.
kaisellgren wrote:
Paul Arnold wrote:The only drawback is you can't recover your passwords
That is not a drawback - it is a feature. Hashes are supposed to be irreversible. That is what you want from them.
I see it as a drawback in terms of if you wanted to go in and quickly see what your password is or recover someone's password by looking at the database directly, you can't do it if the password is hashed. But obviously the security benefits massively outweigh the drawbacks of having to program a script to reset passwords, allow users to reset their own etc.
snarkiest
Forum Commoner
Posts: 30
Joined: Mon May 04, 2009 10:06 am
Location: Latvia

Re: Login/Register security!

Post by snarkiest »

kaisellgren wrote: Line 90 is vulnerable to XSS attacks.
Ok, so I have to use htmlspecialchars() to prevent XSS attacks, but how do I properly insert it into my log in page? And where? I ask because I don't understand what chars (where) should be escaped in the script.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Login/Register security!

Post by kaisellgren »

snarkiest wrote:I don't understand what chars (where) should be escaped in script.
There is no definite answer. Usually you need to take care of < > " ' & characters, which are commonly needed for XSS attacks. The htmlspecialchars() function can take care of those. If you output htmlspecialchars($_POST['email'],ENT_QUOTES,'UTF-8') and you specify your character set as UTF-8, then line 90 of register.php is safe.
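Added example, not code from any post in this thread, covering the two fixes kaisellgren asks for in his first reply and spells out in this last one: the `id` lookup from the posted login.php (his "lines 60 & 75") done with a PDO prepared statement, and request values passed through htmlspecialchars(..., ENT_QUOTES, 'UTF-8') before they are echoed into HTML (his "line 90"). It assumes an in-memory SQLite stand-in for the `ach_users` table with one constructed row; the function names are mine.

```php
<?php
// Added example (not code from the thread). Rebuilds the risky parts of the
// posted login.php/register.php: the query that dropped $_POST['username']
// straight into SQL text, and the HTML that echoed request values unescaped.
// An in-memory SQLite table stands in for the thread's MySQL `ach_users`;
// the table and its single row are constructed here so this runs offline.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE ach_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL)');
    // Constructed sample row: a username containing a quote, the character
    // that breaks the string-concatenated query in the original script.
    $db->prepare('INSERT INTO ach_users (username) VALUES (?)')->execute(["o'brien"]);
    return $db;
}

// Hardened replacement for the thread's
//   mysql_query("SELECT `id` FROM `ach_users` WHERE `username`='$username'")
// The value travels as a bound parameter, so the driver never parses it as
// SQL and a quote inside the username is compared as data, not as syntax.
function lookupUserId(PDO $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM ach_users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Output escaping for anything that came from the request and goes back into
// HTML. ENT_QUOTES also converts the single quote, which matters because the
// posted markup uses single-quoted attributes; ENT_SUBSTITUTE keeps invalid
// UTF-8 from making htmlspecialchars() return an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The form action is a fixed server-side path instead of $_POST['PHP_SELF'],
// which the client controls outright; the echoed username is escaped.
function renderLoginForm(string $action, string $prefill = ''): string
{
    return "<form action='" . h($action) . "' method='post'>"
         . "<input type='text' name='username' value='" . h($prefill) . "'>"
         . "<input type='password' name='password'>"
         . "<input type='submit' name='login' value='Log In!'>"
         . "</form>";
}

// Replaces register.php's  echo "Error: Sorry, the username "; echo $_POST['username'];
function renderTakenMessage(string $username): string
{
    return "Error: Sorry, the username " . h($username) . " is already in use.";
}

$db = openDb();
var_dump(lookupUserId($db, "o'brien"));        // found; the quote is just data
var_dump(lookupUserId($db, 'nobody'));         // no such user
echo renderLoginForm('/ach/login.php', "o'brien"), "\n";
echo renderTakenMessage("<b>o'brien</b>"), "\n";   // tags arrive as text, not markup
```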