Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
pavanpuligandla
Forum Contributor
Posts: 130 Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India
Post
by pavanpuligandla » Sat Sep 20, 2008 1:56 pm
Hi,
I've encrypted my password and inserted it into the database table, but when I try to retrieve it I'm getting a login failure. I'm herewith posting my source code. Kindly go through this and do the needful.
The passwords inserted are being successfully MD5 encrypted, but when I'm matching the entered password in the form with the original MD5 password in the database, I'm unable to log in.
Code:
<?php
//Connect to mysql server
$link=mysql_connect("localhost","root","");
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db=mysql_select_db("trrcollege");
if(!$db) {
    die("Unable to select database");
}
//Sanitize the value received from login field
//to prevent SQL Injection
if(!get_magic_quotes_gpc()) {
    $username=mysql_real_escape_string($_POST['username']);
}else {
    $username=$_POST['username'];
}
$username = $_POST["username"];
$password = md5($_POST["password"]);
//Create query
$query="SELECT * FROM login WHERE username='" . mysql_real_escape_string($username) . "' AND password='".md5($_POST['password'])."'";
//require_once('attempt.log.class.php');
$result=mysql_query($query);
$rows2=mysql_fetch_array($result);
if($rows2["password"] == $password && $rows2["username"] == $username )
{
    if(mysql_num_rows($result)>0)
    {
        //Login Successful
        session_start();
        $start=time();
        $_SESSION['time_start']=$start;
        $_SESSION['username']=$username;
        $_SESSION['password']=$password;
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
        session_register('username');
        session_register('password');
        session_register('time_start');
        session_regenerate_id();
        session_write_close();
        include "session.php";
        include "scsession.php";
        include("class_session.inc.php");
        header("Location: redirect.php");
        exit();
    }
    else {
        //Login failed
        require_once('attempt.log.class.php');
        session_unset();
        session_destroy();
        header("location: loginfail.htm");
        exit();
    }
}
else{
    require_once('attempt.log.class.php');
    session_unset();
    session_destroy();
    header("location: loginfail.htm");
}
?>
Kindly do the needful. Awaiting your reply, guys.
jaoudestudios
DevNet Resident
Posts: 1483 Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey
Post
by jaoudestudios » Sat Sep 20, 2008 2:47 pm
MD5 is not a secure encryption method!!! It might have been 15 years ago.
Don't know why you have this ...
Code:
if($rows2["password"] == $password && $rows2["username"] == $username )
As no results will return if the above condition is not satisfied as you have it in your SQL query.
Why do you do mysql_real_escape_string on the $username twice? There is no need, the second time you have used it in the mysql query is sufficient.
Try using trim on $username & $password and when you register too. As your data in your database might have spaces at the beginning or end and this could cause a problem.
by pavanpuligandla » Sat Sep 20, 2008 2:52 pm
Hi,
That line is to match the entered password with that of the password field of the table. (If I omit that condition then I'm getting an error; I mean the second else is getting executed even though I enter the right credentials.)
And no, there are no spaces, I'm sure.
by pavanpuligandla » Sat Sep 20, 2008 3:16 pm
Hi,
Can anyone suggest to me the new way of protecting my passwords?
I'll be thankful if anyone can provide me any working script for those methods.
Many thanks,
Pavan.P
by jaoudestudios » Sat Sep 20, 2008 6:03 pm
It is an old method and using ECB, but simple for beginners.
I will read the link you have provided.
Thanks
by jaoudestudios » Sat Sep 20, 2008 6:09 pm
Great article!
Goes into a lot of detail on encryption.
Thanks
by pavanpuligandla » Sun Sep 21, 2008 12:11 am
Thanks for your reply, boss.
Can you provide me any working code for that? I'm trying on my own using hash functions.
Many thanks,
pavan.p
arjan.top
Forum Contributor
Posts: 305 Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia
Post
by arjan.top » Sun Sep 21, 2008 4:11 am
jaoudestudios wrote: It is an old method and using ECB, but simple for beginners.
I will read the link you have provided.
Thanks
Two-way encryption for passwords is wrong.
by pavanpuligandla » Sun Sep 21, 2008 8:06 am
@arjan.top,
Can you post the source for encrypting passwords?
Many thanks,
pavan.p
Mordred
DevNet Resident
Posts: 1579 Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria
Post
by Mordred » Sun Sep 21, 2008 10:47 am
1. Post the registration code, maybe you're not MD5-ing it the same way? Read the article already linked for details on hashing and salting. Print the values from the database and the ones coming from the form, so you can compare them "visually"
2. SQL injection on $_POST['password']
by pavanpuligandla » Sun Sep 21, 2008 1:38 pm
@ mordred.
Username Password Insertion to the table:
Code:
<?PHP
//Connect to mysql server
$link=mysql_connect("localhost","root","");
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db=mysql_select_db("tge");
if(!$db) {
    die("Unable to select database");
}
$username = $_POST["username"];
$password = $_POST['password'];
$encrypt = sha1($password);
$sql = "INSERT INTO login (username, password) VALUES ('".$username."', '".$encrypt."')";
mysql_query($sql)or die(mysql_error());
echo $sql;
?>
Here I'm using SHA-1, and when I try to retrieve it during login, I'm getting an error. Below is my logincheck.php code.
Code:
<?php
//Connect to mysql server
$link=mysql_connect("localhost","root","");
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db=mysql_select_db("tge");
if(!$db) {
    die("Unable to select database");
}
$username = $_POST["username"];
$password = $_POST['password'];
$encrypt = sha1($password);
$query="SELECT * FROM login WHERE username='" . mysql_real_escape_string($username) . "' AND password='". mysql_real_escape_string ($encrypt). "'";
//require_once('attempt.log.class.php');
$result=mysql_query($query);
$rows2=mysql_fetch_array($result);
if($rows2["password"] == $encrypt && $rows2["username"] == $username )
{
    if(mysql_num_rows($result)>0)
    {
        //Login Successful
        session_start();
        $start=time();
        $_SESSION['time_start']=$start;
        $_SESSION['username']=$username;
        $_SESSION['password']=$encrypt;
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
        session_register('username');
        session_register('password');
        session_register('time_start');
        session_regenerate_id();
        session_write_close();
        include "session.php";
        include "scsession.php";
        include("class_session.inc.php");
        header("Location: redirect.php");
        exit();
    }
    else {
        //Login failed
        require_once('attempt.log.class.php');
        session_unset();
        session_destroy();
        header("location: loginfail.htm");
        exit();
    }
}
else{
    require_once('attempt.log.class.php');
    session_unset();
    session_destroy();
    header("location: loginfail.htm");
}
?>
Please help me out, boss.
Many thanks,
pavan.p
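Added example, not code from any poster in this thread: the registration and login steps from the scripts above rewritten with PDO prepared statements and `password_hash()`/`password_verify()`, following the replies' points about salted one-way hashing and SQL injection. It assumes PHP 7 or later with the pdo_sqlite extension; the in-memory SQLite database, the column widths and the sample credentials are constructed for illustration.

```php
<?php
// Added example: the in-memory SQLite database is an assumption made so the
// script runs stand-alone; the table mirrors the thread's `login` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() returns 60 characters for bcrypt and may return more with
// other algorithms, so the column is 255 wide rather than sized to one digest.
$pdo->exec('CREATE TABLE login (
    username VARCHAR(64) PRIMARY KEY,
    password VARCHAR(255) NOT NULL
)');

function registerUser(PDO $pdo, string $username, string $password): void
{
    // A random salt is generated and embedded in the returned hash string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep both values out of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // Look the row up by username only: a salted hash cannot be recomputed
    // inside the WHERE clause, so verification happens in PHP.
    $stmt = $pdo->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    return password_verify($password, $stored);
}

// Constructed sample credentials.
registerUser($pdo, 'pavan', 'correct horse battery staple');
var_dump(checkLogin($pdo, 'pavan', 'correct horse battery staple'));
var_dump(checkLogin($pdo, 'pavan', 'wrong password'));
// Quote characters in the username are treated as data, not as SQL.
var_dump(checkLogin($pdo, "pavan' OR '1'='1", 'anything'));
```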
by pavanpuligandla » Sun Sep 21, 2008 2:29 pm
Hi Mordred,
I've printed the password. Actually, in my database I set the password field's size to 15, but after SHA-1'ing the password my table is storing only 15 characters out of 40, so I'm getting a mismatch of passwords. Now I changed my password field to 40 and I'm not getting any errors.
But why is it creating a 40-character-length string only?
Anyhow, thanks Mordred for your valuable suggestions. Awaiting your reply to my query.
string stored in table : 8f283033e9f9f92 (15)
string printed : 8f283033e9f9f92e5d84f48263e1d344fdd4339e (40)
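Added example, not part of the original thread: SHA-1 always yields 160 bits, which is 40 hexadecimal characters, so a 15-character column can only keep a prefix of it. The hypothetical helper `diagnoseStoredDigest()` classifies a stored value against the computed digest, using the two strings quoted in the post above.

```php
<?php
// Added example: classify a value read back from the password column against
// the digest the login script computes for the submitted password.
function diagnoseStoredDigest(string $stored, string $computed): string
{
    if (hash_equals($computed, $stored)) {
        return 'match';
    }
    $kept = strlen($stored);
    $full = strlen($computed);
    // A stored value that is a strict prefix of the digest points at a
    // column that is too narrow, not at a wrong password.
    if ($kept > 0 && $kept < $full && strncmp($computed, $stored, $kept) === 0) {
        return sprintf('truncated: column kept %d of %d characters', $kept, $full);
    }
    return 'different value';
}

// Hex digest length is fixed by the algorithm, not by the password length.
foreach (['md5', 'sha1', 'sha256'] as $algo) {
    $bytes = strlen(hash($algo, '', true)); // raw digest size in bytes
    printf("%-6s %3d bits -> %d hex characters\n", $algo, $bytes * 8, $bytes * 2);
}

// The two strings quoted in the post above.
$stored  = '8f283033e9f9f92';
$printed = '8f283033e9f9f92e5d84f48263e1d344fdd4339e';
echo diagnoseStoredDigest($stored, $printed), "\n";
```

MySQL truncates over-long values silently only when strict SQL mode is off; with strict mode enabled the INSERT fails with a "data too long" error instead.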