DaniWeb Forum Index > Web Development > PHP

How to secure my web

Please support our PHP advertiser: PostgreSQL or MySQL? Compare and contrast the two most popular open source databases

•

Join Date: May 2008

Posts: 23

Reputation: Besherek is an unknown quantity at this point

Solved Threads: 0

Besherek

Offline

Newbie Poster

Re: How to secure my web

#11

Aug 19th, 2009

Interesting thread ....

Does this work as well?

 Help with Code Tags 
 PHP Syntax (Toggle Plain Text) 
 
    $a_user=$_POST['login_username'];
    $a_password=sha1($_POST['login_password']);
 
    // set up SQL statement
    $query = sprintf("SELECT	*
				FROM	admin_auth
				WHERE	a_user = '%s'
				AND		a_pass = '%s'",
				mysql_real_escape_string($a_user),
				mysql_real_escape_string($a_password));
    $a_user=$_POST['login_username'];
    $a_password=sha1($_POST['login_password']);

    // set up SQL statement
    $query = sprintf("SELECT	*
				FROM	admin_auth
				WHERE	a_user = '%s'
				AND		a_pass = '%s'",
				mysql_real_escape_string($a_user),
				mysql_real_escape_string($a_password));

Besherek Design

•

Join Date: Mar 2008

Posts: 217

Reputation: mrcniceguy is an unknown quantity at this point

Solved Threads: 4

mrcniceguy mrcniceguy is offline

Offline

Posting Whiz in Training

Re: How to secure my web

#12

Aug 19th, 2009

Sometimes i have feelingz may be something is wrong with the server i`m hosting my website.
How do you guys think??

•

Join Date: Sep 2008

Posts: 197

Reputation: FlashCreations is an unknown quantity at this point

Solved Threads: 17

FlashCreations FlashCreations is offline

Offline

Junior Poster

Re: How to secure my web

#13

Aug 19th, 2009

Well, it doesn't appear anything is wrong. (I do agree, you should use mysql_real_escape_string() in your registration script too). I must say, it is a huge security flaw to save passwords and other sensitive data in a SESSION variable. It would be much better if you have each user a unique key that changed every few minutes and stored that in a SESSION variable instead of the password. Since you code looks fine to me, what errors/problems are you seeing with this script?

FlashCreations
(aka PhpMyCoder)

About Me | My Blog | Contact Me

•

Join Date: Mar 2008

Posts: 217

Reputation: mrcniceguy is an unknown quantity at this point

Solved Threads: 4

mrcniceguy mrcniceguy is offline

Offline

Posting Whiz in Training

Re: How to secure my web

#14

Aug 19th, 2009

the error i`m seeing in this script is

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
}else{
include"wronglogin.php";//the wrong login
 }
}else{
include"wronglogin.php";//the wrong login
 }

i also added in mysql_real_escape_string() in the registration and it gave me one error. see my registration code below

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
<?php
$name=$_POST['name'];
$user=$_POST['user'];
$email=$_POST['email'];
$country=$_POST['country'];
$passreal=$_POST['password2'];
$password=md5($_POST['password']);
$password2=md5($_POST['password2']);
$location=$_POST['location'];
$family=$_POST['family'];
$names="$name $family";
$age=$_POST['age'];
$gender=$_POST['gender'];
$relation=$_POST['relation'];
$agree=$_POST['agree'];
//check if username contains space
if(false !== strpos($user, ' '))
{    echo '<font color=brown>Sorry, the username should not contain any spaces.</font></br>';
echo"you can use the underscore (_) to separate</br> or the minus (-) sign.</br>";
     echo"<center><a href=sinup.php> < < BACK </a></center>";
exit();
}
//check if username is greater than 25 character 
	if (strlen($user)>20)
{
echo "<font color=brown>Length of username is too long!</font></br>";
echo"it should not be longer than 20 characters<br>";
 echo"<center><a href=sinup.php> < < BACK </a></center>";
exit();
}
//check if email is valid
function isEmail($email) {
return preg_match('/^[-0-9A-Z_\.]{1,50}@([-0-9A-Z_\.]+\.){1,50}([0-9A-Z]){2,4}$/i', $email);
}
$err = '';
if ( !isEmail($_POST['email']) ) $err .= '<font color=brown>Your Email address must be valid!<br/><a href=sinup.php> < < BACK </a> </font>';
 
if ($err){ echo $err;
exit();
 
}
//check if all datas where posted.
if(!$name||!$password||!$family||!$country||!$user||!$email||!$location||!$relation||!$password2||!$gender||!$age){
 echo "<center><b><font color=blue size=>Fill all the required Fields.</font></b><br>";
 echo "<font color=blue >Go back and complete<br><a href=sinup.php><< BACK </a></font><br></center>";
  exit();
	  }
 
	  if($password!=$password2){
	  echo"<center><font color=brown>Password You gave does Not match</font></center>";
	  echo"<center><form action=sinup.php method=post><input type=submit value='OKEY'></form></center>";
	  exit();
	  }
 
if(!$agree){
echo"<font color=brown>you must agree the term of service to register</font>";
exit();
}	  
///connecting to databases
include"config.php";
 
  $check=mysql_query("SELECT user FROM login WHERE user='$user'");
  $rows=mysql_num_rows($check);
  if($rows==0){
        //$query="INSERT INTO login(name,family,male,female,user,email,country,password) VALUES('$name','$family','$male','$female','$user','$email','$country','$password')";
 
	   $query="INSERT INTO login SET name='$names',age='$age',location='$location',passreal='$passreal',relation='$relation',gender='$gender',user='$user',email='$email',country='$country',password='$password',date=CURDATE()";
        $prove="INSERT INTO profile SET names='$names',ages='$age',locations='$location',passreal='$passreal',relations='$relation',genders='$gender',users='$user',emails='$email',countrys='$country',passwords='$password',online='offline',dates=CURDATE()";     
		$result=mysql_query($query,$dbcnx);
		$result1=mysql_query($prove,$dbcnx);
			if($result||$result1){
echo"You registered successfully";
}
?>
<?php
$name=$_POST['name'];
$user=$_POST['user'];
$email=$_POST['email'];
$country=$_POST['country'];
$passreal=$_POST['password2'];
$password=md5($_POST['password']);
$password2=md5($_POST['password2']);
$location=$_POST['location'];
$family=$_POST['family'];
$names="$name $family";
$age=$_POST['age'];
$gender=$_POST['gender'];
$relation=$_POST['relation'];
$agree=$_POST['agree'];
//check if username contains space
if(false !== strpos($user, ' '))
{    echo '<font color=brown>Sorry, the username should not contain any spaces.</font></br>';
echo"you can use the underscore (_) to separate</br> or the minus (-) sign.</br>";
     echo"<center><a href=sinup.php> < < BACK </a></center>";
exit();
}
//check if username is greater than 25 character 
	if (strlen($user)>20)
{
echo "<font color=brown>Length of username is too long!</font></br>";
echo"it should not be longer than 20 characters<br>";
 echo"<center><a href=sinup.php> < < BACK </a></center>";
exit();
}
//check if email is valid
function isEmail($email) {
return preg_match('/^[-0-9A-Z_\.]{1,50}@([-0-9A-Z_\.]+\.){1,50}([0-9A-Z]){2,4}$/i', $email);
}
$err = '';
if ( !isEmail($_POST['email']) ) $err .= '<font color=brown>Your Email address must be valid!<br/><a href=sinup.php> < < BACK </a> </font>';

if ($err){ echo $err;
exit();

}
//check if all datas where posted.
if(!$name||!$password||!$family||!$country||!$user||!$email||!$location||!$relation||!$password2||!$gender||!$age){
 echo "<center><b><font color=blue size=>Fill all the required Fields.</font></b><br>";
 echo "<font color=blue >Go back and complete<br><a href=sinup.php><< BACK </a></font><br></center>";
  exit();
	  }
	  
	  if($password!=$password2){
	  echo"<center><font color=brown>Password You gave does Not match</font></center>";
	  echo"<center><form action=sinup.php method=post><input type=submit value='OKEY'></form></center>";
	  exit();
	  }
	  
if(!$agree){
echo"<font color=brown>you must agree the term of service to register</font>";
exit();
}	  
///connecting to databases
include"config.php";
	  
  $check=mysql_query("SELECT user FROM login WHERE user='$user'");
  $rows=mysql_num_rows($check);
  if($rows==0){
        //$query="INSERT INTO login(name,family,male,female,user,email,country,password) VALUES('$name','$family','$male','$female','$user','$email','$country','$password')";
  
	   $query="INSERT INTO login SET name='$names',age='$age',location='$location',passreal='$passreal',relation='$relation',gender='$gender',user='$user',email='$email',country='$country',password='$password',date=CURDATE()";
        $prove="INSERT INTO profile SET names='$names',ages='$age',locations='$location',passreal='$passreal',relations='$relation',genders='$gender',users='$user',emails='$email',countrys='$country',passwords='$password',online='offline',dates=CURDATE()";     
		$result=mysql_query($query,$dbcnx);
		$result1=mysql_query($prove,$dbcnx);
			if($result||$result1){
echo"You registered successfully";
}
?>

After adding mysql_real_escape_string() the error comes in

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
//check if all datas where posted.
if(!$name||!$password||!$family||!$country||!$user||!$email||!$location||!$relation||!$password2||!$gender||!$age){
 echo "<center><b><font color=blue size=>Fill all the required Fields.</font></b><br>";
 echo "<font color=blue >Go back and complete<br><a href=sinup.php><< BACK </a></font><br></center>";
  exit();
	  }
//check if all datas where posted.
if(!$name||!$password||!$family||!$country||!$user||!$email||!$location||!$relation||!$password2||!$gender||!$age){
 echo "<center><b><font color=blue size=>Fill all the required Fields.</font></b><br>";
 echo "<font color=blue >Go back and complete<br><a href=sinup.php><< BACK </a></font><br></center>";
  exit();
	  }

which shows like i escaped some inputs.

•

Join Date: Sep 2008

Posts: 197

Reputation: FlashCreations is an unknown quantity at this point

Solved Threads: 17

FlashCreations FlashCreations is offline

Offline

Junior Poster

Re: How to secure my web

#15

Aug 19th, 2009

I don't think you understand where you are supposed to escape the string. The function should be used right before the variable is inserted into the database. This was if a user didn't fill out a field, they won't have to wait for the escaping of all the variables before they are validated (It could save a few milliseconds, but probably won't matter that much). Where you are getting the error, I would use:

 Help with Code Tags 
 PHP Syntax (Toggle Plain Text) 
if(empty($name)||empty($password)||empty($family)||empty($country)||empty($user)||empty($email)||empty($location)||empty($relation)||empty($password2)||empty($gender)||empty($age)){
if(empty($name)||empty($password)||empty($family)||empty($country)||empty($user)||empty($email)||empty($location)||empty($relation)||empty($password2)||empty($gender)||empty($age)){

Last edited by FlashCreations; Aug 19th, 2009 at 6:53 pm.

FlashCreations
(aka PhpMyCoder)

About Me | My Blog | Contact Me

•

Join Date: Mar 2008

Posts: 217

Reputation: mrcniceguy is an unknown quantity at this point

Solved Threads: 4

mrcniceguy mrcniceguy is offline

Offline

Posting Whiz in Training

Re: How to secure my web

#16

Aug 19th, 2009

ok i will try it.
i`ll inform you.

•

Join Date: Mar 2008

Posts: 217

Reputation: mrcniceguy is an unknown quantity at this point

Solved Threads: 4

mrcniceguy mrcniceguy is offline

Offline

Posting Whiz in Training

Re: How to secure my web

#17

Aug 21st, 2009

hey guys!i came out with the solution..
the problem was with the Database connection.This function mysql_real_escape_string requires a database connection .
in my code i were establing the connection after the POST[].
Thankx all for Contribution.

•

Join Date: Mar 2008

Posts: 217

Reputation: mrcniceguy is an unknown quantity at this point

Solved Threads: 4

mrcniceguy mrcniceguy is offline

Offline

Posting Whiz in Training

Re: How to secure my web

#18

Aug 21st, 2009

@FlashCreations You talked about giving each user a unique key which will be changing every time.
how is it possible??

•

Join Date: Sep 2008

Posts: 197

Reputation: FlashCreations is an unknown quantity at this point

Solved Threads: 17

FlashCreations FlashCreations is offline

Offline

Junior Poster

Re: How to secure my web

#19

Aug 21st, 2009

Well for the users table in your MySQL database add a new column called session id. When the user logs in, create a long random string (unique key) to save as a cookie on the user's computer and in the user's row in the MySQL database (You would put it in the column you created for the unique keys). Then on every page where you authenticate the user, add code to create a new random string (unique key) and change the key in the cookie and the database to the new one you just created. This way you won't need to store a password in a cookie. You will only need to store the username and the unique key as a cookie on the user's computer (and add a column to your users table for the keys). To authenticate, check the username and the unique key and then regenerate the unique key.

Last edited by FlashCreations; Aug 21st, 2009 at 5:39 pm.

FlashCreations
(aka PhpMyCoder)

About Me | My Blog | Contact Me

•

Join Date: Mar 2008

Posts: 217

Reputation: mrcniceguy is an unknown quantity at this point

Solved Threads: 4

mrcniceguy mrcniceguy is offline

Offline

Posting Whiz in Training

Re: How to secure my web

#20

Aug 22nd, 2009

how is it possible that someone was able to insert Javascript in the database while i used mysql_real_escape_string

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
<script>alert('helloo my friend')</script>
<script>alert('helloo my friend')</script>

HOW CAN I AVOID THIS ISSUE??
my current code is

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
$comment=mysql_real_escape_string($_POST['comment']);
$comment=mysql_real_escape_string($_POST['comment']);

I NEED YOUR HELP THIS ISSUE OF SQL INJECTION.