Is my Sign Up secure?

Posted: Fri Dec 03, 2010 10:33 pm
by condoravenue1
http://breckenridge-snow-report.com/test/

This site has no purpose, I am just learning. Right now, it is not user friendly, and it's ugly. I don't care about that right now. I just want to know if this data is safe or protected. You may "sign up" if you'd like, I won't use or keep the info.

1. Could a spammer get into all the emails?
2. Could someone figure out a user's username and password?
3. If the password field was instead credit card info, would it be safe too?
4. On another note, could robots or something find a way to create fake accounts on this?

Keep in mind I don't know much php or javascript or mySQL. I am learning it for the first time. Thanks for all your help.

Re: Is my Sign Up secure?

Posted: Sat Dec 04, 2010 3:28 am
by condoravenue1
If you approve of my first example, see my expanded version. http://breckenridge-snow-report.com/test2/

There are some hashing things in there, but I really don't have a clue if any of that is secure or not.

Thanks for your help.

Re: Is my Sign Up secure?

Posted: Sat Dec 04, 2010 2:40 pm
by califdon
There's no way to answer your questions without knowing the code you are using.

Basically, you should understand that absolutely nothing on the web is 100% safe from hackers. Unless you use an https:// server, everything is sent over the Internet in the clear and can be captured by software at strategic points. Unless you are a security expert with years of experience behind you, I wouldn't recommend even trying to handle sensitive data like credit card numbers.

Your starting point should be to study Internet security by reading books or attending classes. You will never learn enough by asking questions in a forum to be able to consider your site "safe."

On the other hand, if you're just trying to create a personal site with a few protections from the most obvious exploits, you can probably acquire enough knowledge by reading online security tutorials. But don't handle any truly sensitive data!

Re: Is my Sign Up secure?

Posted: Sat Dec 04, 2010 6:49 pm
by condoravenue1
califdon wrote:There's no way to answer your questions without knowing the code you are using.

I posted this on a different forum. I noticed that everyone was trying to answer my questions without seeing my code. I didn't know you guys couldn't see it.

Anyways, I plan on making a few changes, then I will update it here, and show some of the coding along with it.

Re: Is my Sign Up secure?

Posted: Sat Dec 04, 2010 7:54 pm
by califdon
condoravenue1 wrote:I posted this on a different forum. I noticed that everyone was trying to answer my questions without seeing my code. I didn't know you guys couldn't see it.

Anyways, I plan on making a few changes, then I will update it here, and show some of the coding along with it.

2 requests: first, if you post code here, please use the "PHP Code" button when you are composing your post, to surround the code with and [/syntax ] tags, to make it easier to read; and second, if you post an entire application script, it is unlikely to attract many people to take the time to study it. The most effective way of getting someone to help is to narrow your questions as much as possible and then show us just the code that you are having trouble with.

Re: Is my Sign Up secure?

Posted: Mon Dec 06, 2010 3:24 am
by condoravenue1
My site: http://breckenridge-snow-report.com/test3/

Right now, I just want to know if there are any security problems with this site. It's not user friendly at the moment, but I think everything works.

I am aware that there are some valid emails (^{.%@gmail.com) that won't get validated the way I coded it, but I could care less about that cause no one has that sort of email.

Can people hack in and get other people's usernames and passwords?
Can robots create fake profiles?
Do you see any other problems?
I couldn't get sessions to work. That's supposed to be easy, but I couldn't figure it out and used cookies instead. Which should I use for this site, cookies or sessions?

Here is the code for the file that validates the info after someone creates an account.

Code: Select all

<?php

$con = mysql_connect("localhost","brecke5","********");
mysql_select_db("brecke5_people", $con);

$pword = $_POST[password];
$cpword = $_POST[cpassword];
$phashed = sha1($pword);
$code = sha1(uniqid(rand()));
$username = $_POST[username];
$email = $_POST[email];
$dob = $_POST[dobMonth] . "/" . $_POST[dobDay] . "/" . $_POST[dobYear];

//Check username availability
$result = mysql_query("SELECT * FROM perm WHERE username='$username'");
while($row = mysql_fetch_array($result))
{
die("The username you have chosen is not available.");
}

//Check for duplicate email
$result = mysql_query("SELECT * FROM perm WHERE email='$email'");
while($row = mysql_fetch_array($result))
{
die("You already have an account with this email.");
}

//validate
if (strlen($pword) < 8) {die ("Password too short.");}
if ($pword != $cpword) {die ("Passwords didn't match.". $pword . $cpword);}
if (strlen($username) < 6) {die ("Username too short.");}
if (strlen($username) > 20) {die ("Username too long.");}
if ($_POST[dobMonth] == "" || $_POST[dobDay] == "" || $_POST[dobYear] == "") {die ("Date of birth invalid.");}
if ($email == "") {die ("Email invalid.");}
if (strlen($email) > 40) {die ("Email too long (> 40).");}
if (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {die ("Email invalid.");}


mysql_query("INSERT INTO temp (code, username, email, password, dob)
VALUES ('$code', '$username', '$email', '$phashed', '$dob')");

mysql_close($con);

$to = $email;
$subject = "Sign Up";
$message = "Please visit the following link to confirm your account: http://breckenridge-snow-report.com/test3/confirm.php?passkey=$code";
$from = "My Site";
$headers = "From: $from";
mail($to,$subject,$message,$headers);
echo "Please check your email to confirm your account.";
?>

Here is the code for the page that validates when the user tries to change password.

Code: Select all

<?php
if(!isset($_COOKIE['username'])) {header("location: login.php");}

$npword = $_POST["new"];
$npword2 = $_POST["new2"];
$nphashed = sha1($npword);
$cpword = $_POST["current"];
$cphashed = sha1($cpword);
$username = $_COOKIE['username'];


$con = mysql_connect("localhost","brecke5","********");
mysql_select_db("brecke5_people", $con);
$result = mysql_query("SELECT * FROM perm
WHERE username='$username'");
while($row = mysql_fetch_array($result)) {$current = $row['password'];}

//validate
if ($current != $cphashed) {die("Invalid old password.");}
if ($npword != $npword2) {die ("New passwords did not match.");}
if (strlen($npword) < 8) {die ("New password too short.");}

mysql_query("UPDATE perm SET password = '$nphashed'
WHERE username = '$username'");
mysql_close($con);
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Password Changed</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8;">
</head>
<body>
<p>Your password has successfully been changed.<br><a href = "myaccount.php">My Account</a></p>
</body> 
</html>

If you need to see other code, let me know.

Thanks for all the help.

Re: Is my Sign Up secure?

Posted: Mon Dec 06, 2010 8:01 am
by matthijs
First step is validating all incoming data. For example

Code: Select all

$clean = array();
if (ctype_alnum($_POST['username']))
{
    $clean['username'] = $_POST['username'];
}

Then, whenever you deal with a database, escape the data in your queries. For mysql, that's mysql_real_escape_string().

Code: Select all

$mysql = array();

$mysql['username'] = mysql_real_escape_string($clean['username']);

$sql = "SELECT *
        FROM   perm
        WHERE  username = '{$mysql['username']}'";

$result = mysql_query($sql);

A good introduction to PHP security is this book:
http://phpsecurity.org/

Re: Is my Sign Up secure?

Posted: Mon Dec 06, 2010 2:31 pm
by califdon
condoravenue1 wrote:Can people hack in and get other people's usernames and passwords?
Can robots create fake profiles?
Do you see any other problems?
I couldn't get sessions to work. That's supposed to be easy, but I couldn't figure it out and used cookies instead. Which should I use for this site, cookies or sessions?

Matthijs is one of our top security guys, so take his advice.

To address your specific questions above, I'd say Yes, it's quite possible to hack into your database, if you don't use mysql_real_escape_string() to defeat SQL injection. And Yes, robots can easily supply data to create accounts, if you don't use CAPTCHA or some similar means of weeding out non-human responses, and even those are not 100% secure.

Sessions and cookies do different things, so it's not a matter of which one is better, it's a matter of what you want to do. Do you need to store data on the user's computer to recognize a person returning to the site from the same computer? If so, you have to use cookies. If you only need to keep track of a user while they are on your site in the same session, then you need to use Sessions (guess why it's named that?).

Re: Is my Sign Up secure?

Posted: Mon Dec 06, 2010 9:20 pm
by condoravenue1
matthijs gave two suggestions. On the first one - ctype_alnum()... Could I choose to use it this way instead? (I did not put this in the code yet.)

Code: Select all

if (!ctype_alnum($_POST['username'])) {die ("Invalid username. Must be alpha-numeric.");}
$username = $_POST[username];

I know some people say using the die (""); is bad practice, but I only have it there temporarily.

On the second suggestion - mysql_real_escape_string()... I tried to do it without arrays.

Code: Select all

$username = mysql_real_escape_string($_POST[username], $con);
$email = mysql_real_escape_string($_POST[email], $con);

mysql_query("INSERT INTO temp (code, username, email, password, dob)
VALUES ('$code', '{$username}', '{$email}', '$phashed', '$dob')");

Using mysql_real_escape_string() seemed to have no effect. I tried to read all about this function. Everyone says to just throw it in your code (as I did above), but no one explains what it does. What does it do?

The site seems to be running really slow for me. Is the site running slow for anyone else? Do you know why?

From what califdon said, I think using sessions would be more appropriate. Right now it uses cookies that expire after one hour. The only reason I am trying to use cookies/sessions is because I want people to be able to sign in, edit their info/add info to their record. I would also like there to be the option of the browser remembering the username/password. That option is working now, but I don't know if it is because of the cookies or not.

Here is some code that I put at the top of each page to check if the user is logged in and to direct them to the appropriate page.

Code: Select all

<?php
if (isset($_COOKIE['username'])) {header("location:myaccount.php");}
?>

One unrelated question: I have noticed that [username], ['username'] and ["username"] seem to work at least sometimes. Does it matter how I do this?
Thanks for the help.

Re: Is my Sign Up secure?

Posted: Tue Dec 07, 2010 1:53 am
by matthijs
condoravenue1 wrote:On the first one - ctype_alnum()... Could I choose to use it this way instead? (I did not put this in the code yet.)

You could of course. But the question is, why would you? Is the code cleaner or more secure the way you want to do it? I personally think not.

condoravenue1 wrote:Using mysql_real_escape_string() seemed to have no effect

That's the idea. It shouldn't have any effect, besides escaping "dangerous" characters which could be used to perform a mysql injection attack. But it is really necessary to use it.

condoravenue1 wrote:The site seems to be running really slow for me. Is the site running slow for anyone else? Do you know why?

Could be many things. You could start by installing Firebug (in Firefox) or a similar plugin and see what takes so long.
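
What the escaping step changes in the query text and in the result, as an added example that is not any poster's code: it runs the thread's username lookup three ways against a constructed one-row table. Assumptions: PHP 7.1 or later with PDO and an in-memory SQLite database standing in for MySQL, and PDO::quote() standing in for mysql_real_escape_string() (SQLite escapes an apostrophe by doubling it, where the MySQL function puts a backslash in front of it).

```php
<?php
// Added example, not the thread's code. In-memory SQLite via PDO stands in for
// the MySQL `perm` table; the row and the submitted value are CONSTRUCTED.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE perm (username TEXT, email TEXT)");
$db->exec("INSERT INTO perm VALUES ('alice123', 'alice@example.com')");

// Value typed into the signup form's username field (constructed).
$submitted = "nobody' OR '1'='1";

// 1. The thread's original pattern: the value is pasted into the SQL text, so
//    its apostrophe ends the string literal and the rest is parsed as SQL.
function lookup_concat(PDO $db, string $name): array
{
    $sql = "SELECT username FROM perm WHERE username='$name'";
    return [$sql, $db->query($sql)->fetchAll(PDO::FETCH_COLUMN)];
}

// 2. Escaping: the apostrophes are neutralised, so the whole value stays
//    inside one string literal and is compared as a (non-existent) username.
function lookup_quoted(PDO $db, string $name): array
{
    $sql = "SELECT username FROM perm WHERE username=" . $db->quote($name);
    return [$sql, $db->query($sql)->fetchAll(PDO::FETCH_COLUMN)];
}

// 3. Bound parameter: the value never becomes part of the SQL text at all.
function lookup_bound(PDO $db, string $name): array
{
    $sql = "SELECT username FROM perm WHERE username = ?";
    $stmt = $db->prepare($sql);
    $stmt->execute([$name]);
    return [$sql, $stmt->fetchAll(PDO::FETCH_COLUMN)];
}

// Print the SQL each variant sends and how many usernames it matched.
foreach (['lookup_concat', 'lookup_quoted', 'lookup_bound'] as $fn) {
    [$sql, $rows] = $fn($db, $submitted);
    printf("%-14s %s\n  -> %d row(s)\n", $fn, $sql, count($rows));
}
```

For ordinary input such as alice123 all three variants send the same comparison, which is why escaping appears to have no effect in normal use.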

Re: Is my Sign Up secure?

Posted: Tue Dec 07, 2010 1:59 am
by condoravenue1

Code: Select all

It shouldn't have any effect, besides escaping "dangerous" characters which could be used to perform a mysql injection attack. But it is really necessary to use it.

What are those dangerous characters? Like ";" or "}"? I inputted those, and with the code I gave below, they were all recorded into the table.

Re: Is my Sign Up secure?

Posted: Tue Dec 07, 2010 2:10 am
by matthijs
You should really do some reading about what mysql injection is (and the other most obvious potential vulnerabilities in web applications). Just do a quick Google search and read some articles.
For example,
http://shiflett.org/articles/sql-injection

Re: Is my Sign Up secure?

Posted: Tue Dec 07, 2010 1:18 pm
by califdon
condoravenue1 wrote:I know some people say using the die (""); is bad practice, but I only have it there temporarily.

That's correct. It is nearly essential while you are getting your script to work properly, but then you want to remove or disable it, so that potential hackers don't see diagnostic information that might help them target your site.

condoravenue1 wrote:Here is some code that I put at the top of each page to check if the user is logged in and to direct them to the appropriate page.

Code: Select all

<?php
if (isset($_COOKIE['username'])) {header("location:myaccount.php");}
?>

That works, of course, but what if your user has disabled cookies in their browser? I've seen estimates that 5% of users do. There is no need to refer to the user's computer for this purpose. That's what $_SESSION variables are for.

condoravenue1 wrote:One unrelated question: I have noticed that [username], ['username'] and ["username"] seem to work at least sometimes. Does it matter how I do this?
Thanks for the help.

This is basic PHP syntax. The first one is simply wrong and doesn't work. The operation of single-quotes and double-quotes is identical, with one exception: PHP will replace the value of simple variables ($xyz)--but not arrays or functions--inside double-quotes. It won't, inside single-quotes.

Re: Is my Sign Up secure?

Posted: Wed Dec 08, 2010 10:03 pm
by condoravenue1
I moved the site to http://breckenridge-snow-report.com/somename.

I looked through Daniel's PHP Security tutorial, but it was a little bit too advanced for me.

Is my site protected from SQL injections?

When errors are encountered, a new error_log file (permissions: 0400) pops up in my directory. Does my site report errors in a safe way?

I switched over to using sessions rather than cookies. Here is how I did it.

If login was successful:

Code: Select all

session_start();
$_SESSION['username']= $username;

Then, at the top of each page, I put something like this to check if user is logged in:

Code: Select all

session_start();
if(isset($_SESSION['username'])){header("location: index.php");}

Are there any problems with this way of doing it?

So 3 questions:
1. Safe from sql injections?
2. Safe error reporting?
3. Safe use of sessions?


Thanks for your help.
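
A session-backed login and page guard for the pattern in the post above, as an added example that is not the poster's code. Assumptions: log_in() and require_login() are hypothetical names, the user table is a constructed in-memory array standing in for the perm table, and PHP 7 or later is used, with password_hash() in place of the thread's unsalted sha1().

```php
<?php
// Added example, not the poster's code. CONSTRUCTED user table: on the real
// site the hash would be read from the `perm` table with a bound parameter.
$users = ['alice123' => password_hash('constructed-passphrase', PASSWORD_DEFAULT)];

// Returns true and marks the session as authenticated when the password matches.
function log_in(array $users, $username, $password): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;                       // e.g. username[]=x arrives as an array
    }
    $hash = $users[$username] ?? null;
    // password_hash() stores a per-user salt and cost inside the hash string;
    // password_verify() reads them back, so no separate salt column is needed.
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);            // fresh session id once logged in
    $_SESSION['username'] = $username;      // kept server-side, not in a cookie
    return true;
}

// Put at the top of every members-only page; returns the logged-in username.
function require_login(): string
{
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');
        exit;   // header() only queues the redirect; without exit the page still runs
    }
    return $_SESSION['username'];
}

session_start();                            // before any output, on every page

// login.php: handle the posted form.
if (isset($_POST['username'], $_POST['password'])
        && log_in($users, $_POST['username'], $_POST['password'])) {
    header('Location: myaccount.php');
    exit;
}
// myaccount.php and other members-only pages would start with:
//   $username = require_login();
```

Unlike $_COOKIE['username'], which the browser can set to any value, $_SESSION data stays on the server and the browser only holds the session id.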