Posted: Tue Sep 20, 2005 3:08 pm
by Roja
Charles256 wrote:they're taking away my right to ask for someone to hack me?:-D It should be my choice! that and i use the word communism whenever I am frustrated..

"They" are the elected governments in multiple democratic countries.
They aren't taking away your right to ask for someone to hack you, they are making the act of attacking computers ACROSS networks illegal. If you invited me to your house, and I could hook up my laptop to your LAN, which was disconnected from the internet, and told me I could hack your machine, then yes - you have that right.
You never had the right to volunteer the networks of companies, individuals, and other sovereign nations to your whims based on a weakly-authenticated forum post!
Let's get a little less sensational about our reaction to people trying to avoid prison (or simply doing the wrong thing), shall we?
We're simply trying to help people out, and not incite them to break the law. I'd say that's a far cry from communism, and much closer to reasonable.
Now, as to help..
Your email regex is not RFC compliant.
Here is a GPL'd (free/opensource!) function that does validation that is based on the definitive regex for email compliance.
You mix get and post in your form, it's generally a better idea to make the get parameters into hidden fields in the post form. (That can be a matter of preference).
You are having users submit passwords in cleartext, which means they can be sniffed. Use a javascript md5, sha1, or better, sha256 implementation to hash the passwords before transmission.
As Jcart mentioned, you are also trusting user input (bad), also not escaping sufficiently, and other issues.
Hope that helps..
Posted: Tue Sep 20, 2005 3:16 pm
by Charles256
apparently you totally missed the part where I said communism is something I say when I'm frustrated. come down off the horse buddy boy;) it's okay. your other comments were constructive but that first part wasn't needed:-D follow now on the communism comment? if not just let it go, no one really cares, right?:-D
also, where did i mix get and post? get isn't anywhere in that source code

however, you might be referring to request???? that's just to tell the page what to do
and in the off chance you are a communist I have nothing against the ideals, hell in an ideal world it's a great plan:-D
communism isn't mean as derogatory when coming from me, it's said in a joking manner.

I do apologize if it offended you.
Posted: Tue Sep 20, 2005 3:25 pm
by Jenk
Two quick tips:
1. Only use htmlentities() and mysql_real_escape_string() when you need to use them
Two reasons for this, first, you may be escaping unnecessarily and end up with lots of '\' when you don't want them. (Such as using mysql_real_escape_string() before displaying a string) The other reason is double escaping, ending up with extra '\' and with htmlentities(), & (ampersand) itself is a char that is converted to an entity. E.g. '<' becomes '&lt;' so if you ran that again, you'll get '&amp;lt;' which will display as '&lt;' and not '<'. I prefer to use them immediately before I am using the variable for the relevant purpose. For example:
Code:
<?php
/* mysql_real_escape_string() is used immediately before I communicate with mysql */
$username = mysql_real_escape_string($_POST['username']);
$result = mysql_query("SELECT * FROM users WHERE username = '$username'");
/* htmlentities() is used immediately before any output is to be sent to the browser */
$message = htmlentities($_POST['message']);
echo "<div id=\"msgbox\">$message</div>";
?>
Now, the above may just seem like simple common sense, but what I am trying to get at is the practice of keeping the user's input 'as is' for as long as safely possible, before changing it.
The other thing to note with either of the aforementioned functions is do you really need to use it? Best example is passwords, 99/100 the password is going to be encrypted. So mysql_real_escape_string() is not necessary, as this actually changes the user's password to be something else, should they for some reason decide to put an apostrophe or other offending char in their pwd.
2. magic_quotes.
Magic Quotes were added to PHP and in all honesty, were quite a clever idea.. what was not clever is they are either on or off and they do not escape every character that poses a risk. Thus they pose a nightmare for developers. The nightmare being some hosts have it switched on and some don't and the developer is powerless to change that (i.e. magic_quotes is immune to ini_set())
To ensure the proper use of mysql_real_escape_string() and to avoid double escaping, use a function such as the following:
Code:
<?php
function sqlClean($sql) {
    if (get_magic_quotes_gpc()) {
        /* remove slashes added by magic_quotes so the value is not escaped twice */
        $sql = stripslashes($sql);
    }
    /* escape exactly once, immediately before the value goes to mysql (connection must already be open) */
    return mysql_real_escape_string($sql);
}
/* usage is just the same as mysql_real_escape_string(), ala: */
$username = sqlClean($_POST['username']);
?>
Also remember to establish your mysql connection BEFORE using mysql_real_escape_string() !
Posted: Tue Sep 20, 2005 8:00 pm
by Roja
Charles256 wrote:apparently you totally missed the part where I said communism is something I say when I'm frustrated.
Saying "I hate blonde haired people. I was just kidding about the blonde haired thing", doesn't erase you saying it.
If you didn't mean it, don't say it.
Charles256 wrote:come down off the horse buddy boy;) it's okay. your other comments were constructive but that first part wasn't needed:-D follow now on the communism comment? if not just let it go, no one really cares, right?:-D
It's important that people understand why we can't help them. It has nothing to do with Big Brother telling us that we can't use our computers, or the Red Menace removing people's rights.
I was just making that clear.
Charles256 wrote:also, where did i mix get and post? get isn't anywhere in that source code

however, you might be referring to request???? that's just to tell the page what to do
Code:
<form name="login" action="index.php?page=members&testing=true" method="post">
The method is post. The variables page and testing are being sent via get. If you var_dump $_GET, and var_dump $_POST, you will see that there are variables in both.
That's non-ideal. It's mixing variable sources, and means you have twice as much to clean/verify/etc. You should move page=members and testing=true to hidden fields in the form.
Charles256 wrote:and in the off chance you are a communist I have nothing against the ideals, hell in an ideal world it's a great plan:-D
communism isn't mean as derogatory when coming from me, it's said in a joking manner.

I do apologize if it offended you.
Admittedly, security and the law is something I get touchy about. I just want people to understand that it is a reasonable requirement that restricts our ability to go attacking anyone.
Last week, Bob wanted us to go hack his homepage ( http://www.ebay.com ), and MAN, you wouldn't BELIEVE what we found...

Posted: Tue Sep 20, 2005 8:05 pm
by Charles256
aight.that's easy enough to fix. what can I say? I got URL happy

Posted: Tue Sep 20, 2005 8:09 pm
by Roja
Charles256 wrote:aight.that's easy enough to fix. what can I say? I got URL happy

Honestly, it's a trivial thing.. just one thing I watch out for, because then you have to be careful about two superglobals.. It's always a nice thing to reduce the work you have to do.
Is it by definition a risk? Sure. A serious one? NAH. Just one of those things that you watch out for after you get bitten by it a few times.

Posted: Wed Sep 21, 2005 6:21 am
by Maugrim_The_Reaper
Roja wrote:You are having users submit passwords in cleartext, which means they can be sniffed. Use a javascript md5, sha1, or better, sha256 implementation to hash the passwords before transmission.
That actually does very little - if it's the same password, it's the same hash... Same hash in clear is just as insecure as password in the clear. What you probably intended was a challenge/response style process. The server generates a random hash, and inserts it into a form field (in output HTML). This is also stored on the database/file for a limited time, and only for the current user's session_id. Client side, the browser executes a js function on form submission to hash a standard string, say: "username:hashedpassword:serverhash" called the Response. On receipt, server deletes the DB stored hash (after fetching it), generates the Response, and compares the two hashes.
if Client response == server generated response - authenticate, otherwise not. At the end of the day, the serverhash is sufficiently random to prevent anyone listening to network traffic to re-use the final hash, or to get the password. In the case above the password was hashed, then hashed again with the server challenge and username since I assume passwords are stored as hashes on the database.
Posted: Wed Sep 21, 2005 6:38 am
by Roja
Maugrim_The_Reaper wrote:That actually does very little - if it's the same password, it's the same hash... Same hash in clear is just as insecure as password in the clear.
No, actually, it's not.
It doesn't allow an attacker to use that password to find likely variations on other sites. ie, if my password here was devnetpass, there is a strong chance that my ebay pass might be ebaypass.
So no, it is not "just as insecure", it's actually substantially more secure. However..
Maugrim_The_Reaper wrote:What you probably intended was a challenge/response style process.
I always encourage the use of salts, especially time-limited or one-time salts (aka One-time Pads).
However, that is a separate step: It takes the security even further.
Security is a series of steps, and while I completely agree that salting gives "far more" security than simply transmitting the hash v. the password, to say that passing a hash is "just as insecure" is wrong. There is a difference in the value to an attacker, and it is a non-trivial difference.
Posted: Wed Sep 21, 2005 6:45 am
by Maugrim_The_Reaper
Roja wrote:It doesn't allow an attacker to use that password to find likely variations on other sites. ie, if my password here was devnetpass, there is a strong chance that my ebay pass might be ebaypass.
People do that?

My bad, I hadn't assumed everyone used the same password...which does of course reflect reality all too sadly. I've never actually hashing in isolation since it doesn't add to security for the *local* site. A consideration I'd not noted prior to this.
The endless education process continues...

Posted: Wed Sep 21, 2005 7:47 am
by Charles256
become a member to 500 sites and try to remember 500 different passwords. either you use the same one or you write it down. either one is bad mojo, it's that simple. and that whole hash checked against hash thing sounds...complex? heh..
Posted: Wed Sep 21, 2005 8:42 am
by Maugrim_The_Reaper
I was being sarcastic - fault of the Irish...
I do use similar passwords - usually a variation in them, and I divide between the truly private and unimportant sites. Since they're all variable to some degree and mix chars/nums I make do.
Posted: Wed Sep 21, 2005 9:17 am
by Roja
Maugrim_The_Reaper wrote:I do use similar passwords - usually a variation in them, and I divide between the truly private and unimportant sites. Since they're all variable to some degree and mix chars/nums I make do.
I simplified years ago. Most people guess some complicated combination of words, phrases, letters.. weird stuff.
By using 12345 as my password for everything, it's easy, and unlikely to be guessed.
I even use it for my luggage.
Spaceballs wrote:So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
Maugrim_The_Reaper wrote:I was being sarcastic - fault of the Irish...
I'm not Irish, but I'm definitely being sarcastic too.

Posted: Wed Sep 21, 2005 11:14 am
by Charles256
found out the other day i am irish......the red beard gave it away..who woulda known...
Posted: Wed Sep 21, 2005 11:19 am
by Maugrim_The_Reaper
Sorry folks, but when I patent the unique genes that make people "Irish" I will be charging each and every one of you lot a license fee. You may not use my property without my express permission. Cease immediately...or I call a L****r...