Tightening the lid on a form (username / password)...

Posted: Fri Jan 02, 2009 9:45 am
by Wolf_22
Below is my code:

Code:

<div class="form">
    <h2><span><?php echo $form_title['Login'] ?></span></h2>
    <div class="form">
        <form id="login" method="post" action="login.php?action=n" onsubmit="return process_form(this)">
            <div class="in_form">
                <fieldset>
                    <legend><?php echo $form_title['Login legend'] ?></legend>
                        <div class="infldset">
                            <input type="hidden" name="form_sent" value="1" />
                            <input type="hidden" name="redirect_url" value="<?php echo $redirect_url ?>" />
                            <label class="conl"><strong><?php echo $form_title['Username'] ?></strong><br /><input type="text" name="username" size="25" maxlength="25" tabindex="1" /><br /></label>
                            <label class="conl"><strong><?php echo $form_title['Password'] ?></strong><br /><input type="password" name="password" size="16" maxlength="16" tabindex="2" /><br /></label>
                            <p class="clearb"><?php echo $form_title['Login info'] ?></p>
                            <p><a href="register.php" tabindex="4"><?php echo $form_title['Not registered'] ?></a>&nbsp;&nbsp;
                            <a href="login.php?action=f" tabindex="5"><?php echo $form_title['Forgotten pass'] ?></a></p>
                        </div>
                </fieldset>
            </div>
            <p><input type="submit" name="login" value="<?php echo $form_title['Login'] ?>" tabindex="3" /></p>
        </form>
    </div>
</div>
To ensure quality security, what functions should I use to further secure the username and password that will be found in the $_POST variables? I need to make sure that PHP and MySQL terms are escaped, right? So in order to do this, I would need to use the "mysql_real_escape_string", but are there any other functions I should consider? I'm trying to logically sort this out in my head as I'm natively a designer and not a developer, but there are no excuses with any of this, right?

Any input on this will be appreciated. This is my first attempt at securing things! :)

Re: Tightening the lid on a form (username / password)...

Posted: Sat Jan 03, 2009 2:50 pm
by kaisellgren
Wolf_22 wrote: Below is my code:

To ensure quality security, what functions should I use to further secure the username and password that will be found in the $_POST variables? I need to make sure that PHP and MySQL terms are escaped, right? So in order to do this, I would need to use the "mysql_real_escape_string", but are there any other functions I should consider? I'm trying to logically sort this out in my head as I'm natively a designer and not a developer, but there are no excuses with any of this, right?

Any input on this will be appreciated. This is my first attempt at securing things! :)
If the data goes into a database then yes you have to escape at minimum. However, the way you are echoing those $_POST values directly to your form is vulnerable to XSS.
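The server side of the form above is not shown in the thread, so here is an added example (not Wolf_22's or kaisellgren's code) of the login handler the question is asking about. Escaping with mysql_real_escape_string() is the minimum the reply mentions; the example uses a PDO prepared statement instead, which sends the value separately from the SQL text so no escaping is needed at all (the old mysql_* functions were removed in PHP 7). It also enforces the field lengths server side, since the form's maxlength attributes are only browser hints, compares the password with password_verify(), and validates the hidden redirect_url field, which comes back from the client and can be edited. The users table, its columns (username, password_hash), the DSN and credentials, and the allowed username character set are all assumptions.

```php
<?php
// Added example: server-side handling of the login form posted above.
// Assumes a table `users` with columns id, username, password_hash (the
// output of password_hash()); the DSN/credentials below are placeholders.

declare(strict_types=1);

function validate_login_input(array $post): ?array
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    // $_POST values can be arrays (username[]=...), so check the type first.
    if (!is_string($username) || !is_string($password)) {
        return null;
    }
    // maxlength="25" in the HTML is only a hint; enforce it here. The
    // character set is an assumed site policy, not something the thread states.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,25}$/', $username)) {
        return null;
    }
    // Upper bound only guards against oversized input; bcrypt uses the
    // first 72 bytes regardless.
    if ($password === '' || strlen($password) > 1024) {
        return null;
    }
    return ['username' => $username, 'password' => $password];
}

function find_user(PDO $db, string $username): ?array
{
    // Prepared statement: the value never becomes part of the SQL text,
    // so quotes in $username cannot change the query.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function check_login(PDO $db, array $post): ?int
{
    $in = validate_login_input($post);
    if ($in === null) {
        return null;
    }
    $row = find_user($db, $in['username']);

    // Always run password_verify(), even for unknown users, so response
    // time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $hash = $row['password_hash'] ?? $dummyHash;
    $ok = password_verify($in['password'], $hash);

    return ($ok && $row !== null) ? (int) $row['id'] : null;
}

function safe_redirect_target(string $url, string $default = '/index.php'): string
{
    // The hidden redirect_url field is client-controlled. Accept only a
    // same-site absolute path: must start with "/", not "//" or "/\" (which
    // browsers treat as scheme-relative URLs), and contain no control bytes.
    if (!preg_match('#^/(?![/\\\\])[\x21-\x7E]*$#', $url)) {
        return $default;
    }
    return $url;
}

// login.php?action=n : process the POST from the form.
session_start();
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['form_sent'])) {
    $db = new PDO(
        'mysql:host=localhost;dbname=site;charset=utf8mb4', // assumed DSN
        'dbuser', 'dbpass',                                  // placeholders
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]
    );
    $uid = check_login($db, $_POST);
    if ($uid === null) {
        // One generic message: do not say which of the two fields was wrong.
        $error = 'Invalid username or password.';
    } else {
        session_regenerate_id(true);   // new session id after privilege change
        $_SESSION['uid'] = $uid;
        $target = safe_redirect_target((string) ($_POST['redirect_url'] ?? ''));
        header('Location: ' . $target, true, 303);
        exit;
    }
}
```

With PDO::ATTR_EMULATE_PREPARES set to false the MySQL server itself binds the parameter; with emulation on, PDO quotes the value client side using the connection charset, which is why the DSN sets charset=utf8mb4 explicitly.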

Re: Tightening the lid on a form (username / password)...

Posted: Sat Jan 03, 2009 5:09 pm
by Wolf_22
I know this would be a pain to explain, but if you could elaborate, I would really appreciate it.

What would be a better way to fix this? I'm very new to this, so the entire XSS aspect is something that I would need clarification on.

Should I have the values be submitted to another page where sanitation is then done?

Re: Tightening the lid on a form (username / password)...

Posted: Sat Jan 03, 2009 5:20 pm
by kaisellgren
Wolf_22 wrote: I know this would be a pain to explain, but if you could elaborate, I would really appreciate it.

What would be a better way to fix this? I'm very new to this, so the entire XSS aspect is something that I would need clarification on.

Should I have the values be submitted to another page where sanitation is then done?
Hmm, hold on. Where do those values come from? If they are predefined by you then you are safe.

When I first looked at it, I thought you output a submitted username into the username field, etc. That would have been vulnerable to XSS for sure, but since you seem to use predefined variables there is no issue.

Re: Tightening the lid on a form (username / password)...

Posted: Sat Jan 03, 2009 5:27 pm
by Wolf_22
kaisellgren, you just made my heart skip. HAHA.

While we're on the subject, though, you did prompt me to review something in a book I have about similar things. I was reading about XSS and it stated that if you can run the JavaScript snippet below, you will be vulnerable:

Code:

<script>alert('You are vulnerable to XSS.')</script>
If I use that snippet in my form inputs and an alert window pops up, is this a sure-fire way to test for XSS?

What's your take on this? By the way, thanks again for the info above. Whether I wasn't vulnerable or not, you just added a wrinkle to my brain. :)


...I think I see, now, what you're talking about. You're referring to that "action" line, right?

Re: Tightening the lid on a form (username / password)...

Posted: Sat Jan 03, 2009 5:41 pm
by kaisellgren
Wolf_22 wrote: kaisellgren, you just made my heart skip. HAHA.

While we're on the subject, though, you did prompt me to review something in a book I have about similar things. I was reading about XSS and it stated that if you can run the JavaScript snippet below, you will be vulnerable:

Code:

<script>alert('You are vulnerable to XSS.')</script>
If I use that snippet in my form inputs and an alert window pops up, is this a sure-fire way to test for XSS?

What's your take on this? By the way, thanks again for the info above. Whether I wasn't vulnerable or not, you just added a wrinkle to my brain. :)


...I think I see, now, what you're talking about. You're referring to that "action" line, right?
If you are able to get that message displayed through user-submitted data (be it GET, POST, cookies, anything...), then your site is vulnerable to XSS. However, if the message is not displayed, that does not mean you are safe. There are lots of ways to achieve XSS attacks. XSS happens when a user's submitted data is displayed (output). If you just want to show the text as is, use htmlspecialchars() for the data and you are safe from XSS. However, if you need to allow certain HTML like italic, bold, etc. while disallowing XSS attacks, that will be a lot harder.

HTML Purifier is an easy tool that I suggest for people who do not have sufficient experience in protecting against XSS.
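The two points in the reply above, that the alert() check only proves vulnerability when it fires, and that htmlspecialchars() is the fix when the text is shown as is, are worth seeing side by side. This is an added example, not code from the thread: it assumes a login page that re-displays the submitted username after a failed attempt (the posted form does not do this, which is why kaisellgren withdrew the XSS concern). The payloads are constructed test inputs. One caveat a practitioner wants that the reply does not spell out: pass ENT_QUOTES explicitly, because before PHP 8.1 the default flags leave the single quote alone, and a value echoed inside a single-quoted attribute is then still exploitable even though the book's <script> test shows nothing.

```php
<?php
// Added example: output encoding for a re-displayed form value.
// Assumes the page echoes the submitted username back into the input
// (constructed scenario; the thread's form does not).

declare(strict_types=1);

// Use this for every dynamic value placed in HTML text or attribute values.
function e(string $s): string
{
    // ENT_QUOTES: encode both " and ' (defaults before PHP 8.1 skip ').
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: submitted value written straight into a single-quoted attribute.
function username_field_unsafe(string $submitted): string
{
    return "<input type='text' name='username' value='" . $submitted . "' />";
}

// Half-fixed: htmlspecialchars() with the pre-8.1 default flags (ENT_COMPAT),
// which encodes & < > " but not '.
function username_field_compat(string $submitted): string
{
    $v = htmlspecialchars($submitted, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' name='username' value='" . $v . "' />";
}

// Hardened: every dynamic value goes through e().
function username_field_safe(string $submitted): string
{
    return "<input type='text' name='username' value='" . e($submitted) . "' />";
}

// Constructed test inputs.
$payloads = [
    // The book's check from the thread. Inside a quoted attribute it does
    // NOT pop an alert, so "no alert" is not "not vulnerable".
    'script tag'    => "<script>alert('You are vulnerable to XSS.')</script>",
    // Attribute breakout: no angle brackets, no <script>, just a quote.
    'attr breakout' => "' autofocus onfocus='alert(1)",
];

foreach ($payloads as $name => $p) {
    echo "== $name ==\n";
    echo "unsafe: " . username_field_unsafe($p) . "\n";
    echo "compat: " . username_field_compat($p) . "\n";
    echo "safe:   " . username_field_safe($p) . "\n";
}
```

For the second payload the unsafe and compat variants both produce value='' autofocus onfocus='alert(1)' />, which runs on page load; only the ENT_QUOTES version keeps the whole payload inside the attribute as &#039; autofocus onfocus=&#039;alert(1). The encoding is context specific: it is the right tool for HTML text and quoted attribute values, and not for values placed inside a <script> block, a URL, or an unquoted attribute, which need their own encoders.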

Re: Tightening the lid on a form (username / password)...

Posted: Sat Jan 03, 2009 7:50 pm
by Wolf_22
Thanks Kai. I'll look at that application you suggested and try to figure it out. If you wouldn't mind, though, would you explain to me what some other approaches would be to achieving XSS? I found this site that seems to be decently explanatory with regard to this malicious attack: http://www.cgisecurity.com/xss-faq.html ...Is that site any good?

I need to get my PHP security book out!

I think I'm getting a good sense of what to be looking out for now with your input, so I gotta keep it coming! :)

Re: Tightening the lid on a form (username / password)...

Posted: Sun Jan 04, 2009 8:09 am
by kaisellgren
Wolf_22 wrote: Thanks Kai. I'll look at that application you suggested and try to figure it out. If you wouldn't mind, though, would you explain to me what some other approaches would be to achieving XSS? I found this site that seems to be decently explanatory with regard to this malicious attack: http://www.cgisecurity.com/xss-faq.html ...Is that site any good?

I need to get my PHP security book out!

I think I'm getting a good sense of what to be looking out for now with your input, so I gotta keep it coming! :)
I did not read the entire site, but what I looked at all seemed to be correct information.