
how secure is this?

Posted: Sun Apr 23, 2006 11:28 am
by rami
Jcart | Please use [code] and [/code] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


How strong is my script? For login I am doing:

Code:

$query = "SELECT user_id,batch_id,name FROM students WHERE username='$u' AND password=PASSWORD('$p')";

$result = @mysql_query($query); // the @ hides any error if the query fails
$row = mysql_fetch_array($result);

if ($row) {
    session_start();
    $_SESSION['user_id'] = $row[0];
    $_SESSION['batch_id'] = $row[1];
}

(note: I know many will say not to use PASSWORD().. I am trying to upgrade, but here and now I am trying to inquire about these $_SESSION.)


and I am protecting pages as (including this script at the beginning of the page):

Code:

session_start(); // the session must be started before $_SESSION can be read

if (!isset($_SESSION['user_id']))
{
    // not logged in: send the visitor back to the login page
    header("Location: http://" . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['PHP_SELF']), '/') . "/index.php");
    ob_end_clean(); // Delete the buffer.
    exit(); // Quit the script.
} else {
    // protected page content follows
}


How strong is this method and use of session?
For test only it was nice, but now I am thinking of making a real application that will contain some protected area, setting up a website.
I am afraid that this may later prove to be a childish method when some people who know PHP find it..
How vulnerable is it to hacking (I mean, are there any loopholes?)

For the administrator's page, along with the session check if (!isset($_SESSION['user_id'])) (separate table),
I am also using HTTP authentication...
I have not used an .htaccess file for now...

Normally I only use these as security...
Is that session security secure? Or will it just prove to be security against users who don't know PHP?
How vulnerable is it to PHP hacking...?

Any other methods recommended? Which is strong?
Normally, according to experts (survey), which method is preferred?

(note: I am updating that PASSWORD() to SHA and MD5 soon... for now it is a query about sessions)



Posted: Sun Apr 23, 2006 11:40 am
by John Cartwright
I would probably check their user permission instead of the existence of the session..

Code:

if (!(isset($_SESSION['perm']) && $_SESSION['perm'] >= $pagePermission)) {
    // no permission stored, or below the page's level: deny (>= so an equal level passes)
    ...
}

Other than that, code-wise it looks fine, but there are many ways to get around this..

Shared host? Plain-text transmission?

Posted: Sun Apr 23, 2006 11:43 am
by Chris Corbyn
By the way, you might want to check this:

Code:

$result = @mysql_query ($query);
$row = mysql_fetch_array ($result);

If the query fails for whatever reason, $result will contain the value false, and thus mysql_fetch_array() will display an error ;)

Posted: Sun Apr 23, 2006 12:41 pm
by rami
Firstly, sorry for not using those PHP code tags... to be frank I just copy-pasted it from a Word file, so.. will do it from next time.

Anyway, I totally didn't get Mr. Jcart...
I am using the session, and so is he... what difference is there?
Besides, I am also displaying data with the help of that user_id in the session, so I am using that user_id.

Aren't both things almost the same with regard to the security issue?

About the 2nd answer.. you are absolutely right, it is.
By the way, will @ alone solve my problem?
What will solve my problem.. do I have to change that?

Frankly, I am just 1 month old in this PHP.
Thanks for all the help.

Posted: Sun Apr 23, 2006 12:53 pm
by John Cartwright
Sorry for not being clear the first time..

Do all your pages have the same permission clearance? As in, once they are logged in there is no difference between the users?

Do you have Admins and Regular Users? If so, then you should consider checking their permission versus each page's set permission. Let's say I have a regular user with the lowest permission, and he tries to access an admin page. Your way, there is no possible way to identify him, because he does have a session.

My way, each page should get a $pagePermission = 2;

1 - normal users' permission
2 - admin users' permission

or something like that, and you check for a) the session exists and b) their permission matches or is greater than the page's permission.

Other than that, your code looks OK -- a couple of improvements:

Code:

$u = mysql_real_escape_string($u);
$p = mysql_real_escape_string($p); // escape the password too (the original escaped $u twice)

$query = "SELECT user_id,batch_id,name FROM students WHERE username='$u' AND password=PASSWORD('$p')";

$result = mysql_query($query) or die(mysql_error());

if (mysql_num_rows($result))
{
    session_start();

    $row = mysql_fetch_array($result);

    $_SESSION['user_id'] = $row[0];
    $_SESSION['batch_id'] = $row[1];
}

I don't know why I didn't see this, but always pass your variables that are going into a query through mysql_real_escape_string to avoid SQL injection. Also, you should always add "or die(mysql_error());" to all your queries, because if there is a syntax error there is an application problem. You don't want the rest of the code to be executed. With this modified code, if there aren't any rows found then we won't even try to fetch them (a small improvement).

Now, assuming you do want to use permissions:

Code:

session_start(); // needed before $_SESSION can be checked

//this is an admin page, lets set the correct permission
$pagePermission = 2;

// >= rather than >: a level equal to the page's level is allowed
if (!(isset($_SESSION['perm']) && $_SESSION['perm'] >= $pagePermission))
{
    header("Location: http://" . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['PHP_SELF']), '/') . "/index.php");
    ob_end_clean(); // Delete the buffer.
    exit(); // Quit the script.
}

Code-wise, this should be OK.. but that doesn't mean your application is safe. For example, if you are on a shared host people may be able to steal your sessions.
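The permission-level approach described above, worked into a login routine and a page guard; this is an added example, not code from the thread or from either poster. It assumes a mysqli connection $db (with mysqlnd's get_result()), a students table with a perm column and a pw_hash column holding password_hash() output, and a private session directory path; prepared statements and password_verify() are swapped in for mysql_real_escape_string() and MySQL PASSWORD().

```php
<?php
// Added example (not the thread's code): John's permission levels as a login routine and page guard.
// Assumed table `students`: user_id, batch_id, username, pw_hash (password_hash() output), perm (int).
const PERM_USER  = 1;   // regular user (student)
const PERM_ADMIN = 2;   // administrator

// Settings go before session_start(): an HttpOnly cookie, and a private save_path (assumed) so
// session files do not sit in the shared /tmp that other tenants of the host can read.
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.cookie_httponly', '1');
    ini_set('session.save_path', '/home/example/private_sessions'); // assumed path
    session_start();
}

// $u and $p are bound as parameters, so they never become part of the SQL text (a prepared
// statement in place of mysql_real_escape_string()). Returns the user row, or null on failure.
function login(mysqli $db, string $u, string $p): ?array
{
    $stmt = $db->prepare('SELECT user_id, batch_id, perm, pw_hash FROM students WHERE username = ?');
    $stmt->bind_param('s', $u);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row || !password_verify($p, $row['pw_hash'])) {
        return null;
    }
    start_session();
    session_regenerate_id(true);   // fresh id at login: an id handed out before login stays useless
    $_SESSION['user_id']  = $row['user_id'];
    $_SESSION['batch_id'] = $row['batch_id'];
    $_SESSION['perm']     = (int) $row['perm'];
    return $row;
}

// Include at the top of every protected page with that page's required level.
function require_permission(int $pagePermission): void
{
    start_session();
    // allowed when the stored level matches or exceeds the page's level (>=, not >)
    if (!isset($_SESSION['perm']) || $_SESSION['perm'] < $pagePermission) {
        $dir = rtrim(dirname($_SERVER['PHP_SELF']), '/');
        header('Location: http://' . $_SERVER['HTTP_HOST'] . $dir . '/index.php');
        exit();
    }
}

require_permission(PERM_ADMIN); // e.g. the first line of admin.php
```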

Posted: Sun Apr 23, 2006 1:28 pm
by rami
Thanks for such a comprehensive answer.
Ya, from another host also the conclusion was the same:
if I use a shared web host.. then..
But it is the ground truth.. most people use a shared web host (pay, take domain....)
So maybe I should cease using the session as security.
I have many levels of user,
and for each I have a separate table:
admin table
student table
teacher table
and other tables for library and account.. result

So I am using the primary key of each table to start the session, and I have separate session checking for each level of student... and admin. For eg, for admin:

Code:

session_start(); // the session must be started before $_SESSION can be read

//if ($_SESSION['mypermission'] == 'admin')//tried this one as well
if (!isset($_SESSION['suser_id']))
{
    header("Location: http://" . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['PHP_SELF']), '/') . "/index.php");
    ob_end_clean(); // Delete the buffer.
    exit(); // Quit the script.
} else {
    // admin page content follows
}

So suser is the primary key of the admin table.
So I think there is a diff between admin and simple student, but no diff between
one student and another student.. From my understanding, I used to feel that as I have started the session with user_id, which is unique for each student, there is some difference.. but it is limited to the display of results.
No significance for security?

Thanks for all the help.

So which method should I use?