Is this code security ?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Is this code security ?

Post by goldensparrow »

Hi guys, I'm creating a login page, but I'm not sure whether my code is secure. Could anybody tell me if it is secure?
And if you have any ideas, please tell me.
Thanks.

This is my form for login:

<form action="postlogin.php" method="post">
    <table width="100%" border="0" cellpadding="0" cellspacing="0" bgcolor="#E5B57A" align="center">
        <tr align="center">
          <td height="261" align="center" valign="middle">
          <p class="style2">Pattaya Library</p>
          <table width="300" border="0" align="center" cellpadding="0" cellspacing="0">
            <tr>
              <td width="50%"><div align="center">Username</div></td>
              <td width="50%"><input type="text" name="use" id="textfield" /></td>
            </tr>
            <tr>
              <td>&nbsp;</td>
              <td>&nbsp;</td>
            </tr>
            <tr>
              <td><div align="center">Password</div></td>
              <td><input type="password" name="pwd" id="textfield2" /></td>
            </tr>
          </table>
          <p>
            <input type="submit" name="button" id="button" value="Login" />
          </p>
          <p>
          <?
    if($_GET['err']==1){
        echo "<font color='#FF0000'><strong>Log in failed please try again </strong></font>";
    }else if ($_GET['err']==2){
        echo "<font color='#FF0000'><strong>Log in timeout please try again </strong></font>";
    }
    ?>
          </p>
          </td>
        </tr>
    </table>
</form>

This is postlogin.php:

<?session_start();?>
<?php include("../include/config.php")?>
<?
$sql="select * from libraly_user where user_username='".$_POST['use']."' and user_password='".$_POST['pwd']."'";
$rs=mysql_query($sql)or die(mysql_error());
$row=mysql_fetch_assoc($rs);
$num=mysql_num_rows($rs);
if($num>0){
    session_register("ss_use");
    session_register("ss_id");
    session_register("ss_lv");
    $_SESSION['ss_use']=$_POST['use'];
    $_SESSION['ss_lv']=$row['user_level'];
    $_SESSION['ss_id']=session_id(); // call the function; a bare session_id is read as a constant name
    echo "<script>location.replace('index.php?pagetype=1');</script>";
}else{
    echo "<script>location.replace('login.php?err=1');</script>";
}
?>
 
Note: I am working with PHP 4 and MySQL 4.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: Is this code security ?

Post by onion2k »

No, it's not secure. You're vulnerable to SQL injection attacks because you're not escaping the user input. Read the manual page for mysql_real_escape_string().
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Is this code security ?

Post by goldensparrow »

Thanks for your reply, but I'm working with PHP version 4.4.7 and magic_quotes_gpc=on.
1. Why do I have to use mysql_real_escape_string()?
If my PHP config sets magic_quotes_gpc=on, it will return values like the addslashes() function does, won't it?
If my PHP config sets magic_quotes_gpc=on, is it not secure enough against attacks?
2. Should I use only mysql_real_escape_string()? Can I use addslashes() instead of mysql_real_escape_string()?
3. What is the difference between mysql_real_escape_string() and addslashes()? How is mysql_real_escape_string() better than addslashes()?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Is this code security ?

Post by Weirdan »

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Is this code security ?

Post by kaisellgren »

goldensparrow wrote:i'm working with PHP Version 4.4.7
Consider upgrading http://www.php.net/downloads.php
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Is this code security ?

Post by goldensparrow »

Besides the mysql_real_escape_string() issue, does this code have other vulnerabilities or weaknesses?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Is this code security ?

Post by kaisellgren »

Session Fixation attacks are pretty straightforward in your case.
goldensparrow wrote:this code have other weakness ?
You can pretty much always strengthen your application. Session security, for instance, can be made a lot stronger in many cases.

By the way, you inserted user supplied variables directly into the session variables, so, whenever you use those session variables, don't forget that they were supplied by the user.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: Is this code security ?

Post by goldensparrow »

kaisellgren wrote: By the way, you inserted user supplied variables directly into the session variables, so, whenever you use those session variables, don't forget that they were supplied by the user.
What should I do? Please illustrate with my code.

Thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Is this code security ?

Post by kaisellgren »

I'm just reminding you that the session variables contain possibly malicious data and are to be treated as any other input.
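
A hardened version of postlogin.php that applies the points raised in this thread: escaping with mysql_real_escape_string() exactly once even when magic_quotes_gpc is on, a fresh session id at login against session fixation, and session values taken from the database row. This is an added example, not code from any poster; it targets the PHP 4.4 / mysql_* setup described above, the helper sql_post() is hypothetical, and config.php is assumed to open the MySQL connection without printing anything.

```php
<?php
// Added example: postlogin.php reworked for PHP 4.4 with the mysql_* extension.
session_start();
include("../include/config.php"); // assumed: opens the MySQL connection, prints nothing

// Hypothetical helper: return one POST field, ready to place inside a quoted SQL literal.
function sql_post($name)
{
    $value = isset($_POST[$name]) ? $_POST[$name] : '';
    if (!is_string($value)) {        // array input such as use[]=x is treated as empty
        $value = '';
    }
    if (get_magic_quotes_gpc()) {    // undo magic quotes so the value is escaped only once
        $value = stripslashes($value);
    }
    // Escapes with respect to the character set of the current connection.
    return mysql_real_escape_string($value);
}

// Password comparison is kept as in the original post; only the escaping changes.
$sql = "select user_username, user_level from libraly_user"
     . " where user_username='" . sql_post('use') . "'"
     . " and user_password='" . sql_post('pwd') . "'";

$rs = mysql_query($sql);
if (!$rs) {
    error_log(mysql_error());        // log database errors instead of showing them
    header("Location: login.php?err=1");
    exit;
}

if (mysql_num_rows($rs) == 1) {
    $row = mysql_fetch_assoc($rs);
    session_regenerate_id();         // new id at login: an id set before login is not reused
    // $_SESSION is written directly; session_register() is not needed with it.
    $_SESSION['ss_use'] = $row['user_username']; // from the database row, not from $_POST
    $_SESSION['ss_lv']  = $row['user_level'];
    header("Location: index.php?pagetype=1");
} else {
    header("Location: login.php?err=1");
}
exit;
?>
```

The session values are still data that a user originally supplied, so escape them again wherever they are later printed or placed in a query.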