
Is this code security ?

Posted: Wed Jun 24, 2009 2:52 am
by goldensparrow
Hi guys, I'm creating a login page but I'm not sure my code is secure. Could anybody tell me if this is secure?
And if you have any ideas, please tell me.
Thanks.

This is my login form:

Code:

 
<form action="postlogin.php" method="post">
    <table width="100%" border="0" cellpadding="0" cellspacing="0" bgcolor="#E5B57A" align="center">
        <tr align="center">
          <td height="261" align="center" valign="middle">
          <p class="style2">Pattaya Library</p>
          <table width="300" border="0" align="center" cellpadding="0" cellspacing="0">
            <tr>
              <td width="50%"><div align="center">Username</div></td>
              <td width="50%"><input type="text" name="use" id="textfield" /></td>
            </tr>
            <tr>
              <td>&nbsp;</td>
              <td>&nbsp;</td>
            </tr>
            <tr>
              <td><div align="center">Password</div></td>
              <td><input type="password" name="pwd" id="textfield2" /></td>
            </tr>
          </table>
          <p>
            <input type="submit" name="button" id="button" value="Login" />
          </p>
          <p>
          <?
    if($_GET['err']==1){
        echo "<font color='#FF0000'><strong>Log in failed please try again </strong></font>";
    }else if ($_GET['err']==2){
        echo "<font color='#FF0000'><strong>Log in timeout please try again </strong></font>";
    }
    ?>
          </p>
 
 

This is postlogin.php:

Code:

 
<?session_start();?>
<?php include("../include/config.php")?>
<?
$sql="select * from libraly_user where user_username='".$_POST['use']."' and user_password='".$_POST['pwd']."'";
$rs=mysql_query($sql)or die(mysql_error());
$row=mysql_fetch_assoc($rs);
$num=mysql_num_rows($rs);
if($num>0){
    session_register("ss_use");
    session_register("ss_id");
    session_register("ss_lv");
    $_SESSION['ss_use']=$_POST['use'];
    $_SESSION['ss_lv']=$row['user_level'];
    $_SESSION['ss_id']=session_id();
    echo "<script>location.replace('index.php?pagetype=1');</script>";
}else{
    echo "<script>location.replace('login.php?err=1');</script>";
}
?>
 
Note: I am working with PHP 4 and MySQL 4.

Re: Is this code security ?

Posted: Wed Jun 24, 2009 3:11 am
by onion2k
No, it's not secure. You're vulnerable to SQL injection attacks because you're not escaping the user input. Read the manual page for mysql_real_escape_string().

Re: Is this code security ?

Posted: Wed Jun 24, 2009 4:47 am
by goldensparrow
Thanks for your reply, but I'm working with PHP Version 4.4.7 and magic_quotes_gpc=on.
1. Why do I have to use mysql_real_escape_string()?
If my PHP config sets magic_quotes_gpc=on, it will return a value like the addslashes() function does, won't it?
If my PHP config sets magic_quotes_gpc=on, is it not secure enough against attacks?
2. Should I use mysql_real_escape_string() only? Can I use addslashes() instead of mysql_real_escape_string()?
3. What is the difference between mysql_real_escape_string() and addslashes()? How is mysql_real_escape_string() better than addslashes()?

Re: Is this code security ?

Posted: Wed Jun 24, 2009 5:34 am
by Weirdan

Re: Is this code security ?

Posted: Wed Jun 24, 2009 6:24 am
by kaisellgren
goldensparrow wrote: I'm working with PHP Version 4.4.7
Consider upgrading: http://www.php.net/downloads.php

Re: Is this code security ?

Posted: Wed Jun 24, 2009 6:52 am
by goldensparrow
Besides the mysql_real_escape_string() issue, does this code have other vulnerabilities or weaknesses?

Re: Is this code security ?

Posted: Wed Jun 24, 2009 7:03 am
by kaisellgren
Session Fixation attacks are pretty straightforward in your case.
goldensparrow wrote: this code have other weakness?
You can pretty much always strengthen your application. Session security, for instance, can be made a lot stronger in many cases.

By the way, you inserted user supplied variables directly into the session variables, so, whenever you use those session variables, don't forget that they were supplied by the user.

Re: Is this code security ?

Posted: Wed Jun 24, 2009 7:57 am
by goldensparrow
kaisellgren wrote: By the way, you inserted user supplied variables directly into the session variables, so, whenever you use those session variables, don't forget that they were supplied by the user.
What should I do? Please illustrate with my code.

thanks

Re: Is this code security ?

Posted: Wed Jun 24, 2009 8:20 am
by kaisellgren
I'm just reminding you that the session variables contain possibly malicious data and are to be treated as any other input.
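
Added example (not part of the thread and not any poster's code): a hardened take on postlogin.php covering the SQL injection point from onion2k's reply and the session fixation and session-variable points from kaisellgren's replies. It assumes an upgraded PHP (5.5 or later) with PDO and that user_password stores a password_hash() value; the function names find_user and start_authenticated_session are hypothetical, and the SQLite table is constructed sample data.

```php
<?php
// Added example, not the poster's code. Assumes PHP 5.5+ with PDO and that
// user_password holds a password_hash() value (both are assumptions).
function find_user(PDO $db, $username, $password) {
    // The placeholder keeps input out of the SQL text, so a quote in the
    // input cannot change the query; no reliance on magic_quotes_gpc.
    $st = $db->prepare('SELECT user_username, user_level, user_password
                          FROM libraly_user WHERE user_username = ?');
    $st->execute(array($username));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return null;
    }
    unset($row['user_password']);
    return $row;
}

function start_authenticated_session(array $row) {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session ID at login so an ID fixed before login is dropped.
    session_regenerate_id(true);
    // Store values read from the database row, not the raw $_POST input.
    $_SESSION['ss_use'] = $row['user_username'];
    $_SESSION['ss_lv']  = (int) $row['user_level'];
}

// In postlogin.php the flow would be:
//   $row = find_user($db, $_POST['use'], $_POST['pwd']);
//   if ($row) { start_authenticated_session($row); header('Location: index.php?pagetype=1'); }
//   else      { header('Location: login.php?err=1'); }
//   exit;

if (PHP_SAPI === 'cli') {
    // Constructed sample data in an in-memory SQLite database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE libraly_user (user_username TEXT PRIMARY KEY,
                   user_password TEXT, user_level INTEGER)');
    $ins = $db->prepare('INSERT INTO libraly_user VALUES (?, ?, ?)');
    $ins->execute(array('reader1', password_hash('constructed-pass', PASSWORD_DEFAULT), 2));

    var_dump(find_user($db, 'reader1', 'constructed-pass')); // valid login
    var_dump(find_user($db, 'reader1', 'wrong'));            // wrong password
    var_dump(find_user($db, "o'neil", 'x'));                 // apostrophe is bound as data
}
```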