943,740 Members | Top Members by Rank

Web Development > PHP > How to secure my web
Ad:
  • PHP Discussion Thread
  • Unsolved
  • Views: 1565
  • PHP RSS
You are currently viewing page 2 of this multi-page discussion thread; Jump to the first page
Permalink
Aug 19th, 2009
0

Re: How to secure my web

Interesting thread ....

Does this work as well?

PHP Syntax (Toggle Plain Text)
  1.  
  2.     $a_user=$_POST['login_username'];
  3.     $a_password=sha1($_POST['login_password']);
  4.  
  5.     // set up SQL statement
  6.     $query = sprintf("SELECT	*
  7. 				FROM	admin_auth
  8. 				WHERE	a_user = '%s'
  9. 				AND		a_pass = '%s'",
  10. 				mysql_real_escape_string($a_user),
  11. 				mysql_real_escape_string($a_password));
Reputation Points: 10
Solved Threads: 0
Light Poster
Besherek is offline Offline
36 posts
since May 2008
Permalink
Aug 19th, 2009
0

Re: How to secure my web

Sometimes i have feelingz may be something is wrong with the server i`m hosting my website.
How do you guys think??
Reputation Points: 17
Solved Threads: 8
Posting Whiz in Training
mrcniceguy is offline Offline
278 posts
since Mar 2008
Permalink
Aug 19th, 2009
0

Re: How to secure my web

Well, it doesn't appear anything is wrong. (I do agree, you should use mysql_real_escape_string() in your registration script too). I must say, it is a huge security flaw to save passwords and other sensitive data in a SESSION variable. It would be much better if you have each user a unique key that changed every few minutes and stored that in a SESSION variable instead of the password. Since you code looks fine to me, what errors/problems are you seeing with this script?
Reputation Points: 47
Solved Threads: 47
Posting Whiz
FlashCreations is offline Offline
393 posts
since Sep 2008
Permalink
Aug 19th, 2009
0

Re: How to secure my web

the error i`m seeing in this script is
php Syntax (Toggle Plain Text)
  1. }else{
  2. include"wronglogin.php";//the wrong login
  3.  }
i also added in mysql_real_escape_string() in the registration and it gave me one error. see my registration code below
php Syntax (Toggle Plain Text)
  1. <?php
  2. $name=$_POST['name'];
  3. $user=$_POST['user'];
  4. $email=$_POST['email'];
  5. $country=$_POST['country'];
  6. $passreal=$_POST['password2'];
  7. $password=md5($_POST['password']);
  8. $password2=md5($_POST['password2']);
  9. $location=$_POST['location'];
  10. $family=$_POST['family'];
  11. $names="$name $family";
  12. $age=$_POST['age'];
  13. $gender=$_POST['gender'];
  14. $relation=$_POST['relation'];
  15. $agree=$_POST['agree'];
  16. //check if username contains space
  17. if(false !== strpos($user, ' '))
  18. {    echo '<font color=brown>Sorry, the username should not contain any spaces.</font></br>';
  19. echo"you can use the underscore (_) to separate</br> or the minus (-) sign.</br>";
  20.      echo"<center><a href=sinup.php> < < BACK </a></center>";
  21. exit();
  22. }
  23. //check if username is greater than 25 character 
  24. 	if (strlen($user)>20)
  25. {
  26. echo "<font color=brown>Length of username is too long!</font></br>";
  27. echo"it should not be longer than 20 characters<br>";
  28.  echo"<center><a href=sinup.php> < < BACK </a></center>";
  29. exit();
  30. }
  31. //check if email is valid
  32. function isEmail($email) {
  33. return preg_match('/^[-0-9A-Z_\.]{1,50}@([-0-9A-Z_\.]+\.){1,50}([0-9A-Z]){2,4}$/i', $email);
  34. }
  35. $err = '';
  36. if ( !isEmail($_POST['email']) ) $err .= '<font color=brown>Your Email address must be valid!<br/><a href=sinup.php> < < BACK </a> </font>';
  37.  
  38. if ($err){ echo $err;
  39. exit();
  40.  
  41. }
  42. //check if all datas where posted.
  43. if(!$name||!$password||!$family||!$country||!$user||!$email||!$location||!$relation||!$password2||!$gender||!$age){
  44.  echo "<center><b><font color=blue size=>Fill all the required Fields.</font></b><br>";
  45.  echo "<font color=blue >Go back and complete<br><a href=sinup.php><< BACK </a></font><br></center>";
  46.   exit();
  47. 	  }
  48.  
  49. 	  if($password!=$password2){
  50. 	  echo"<center><font color=brown>Password You gave does Not match</font></center>";
  51. 	  echo"<center><form action=sinup.php method=post><input type=submit value='OKEY'></form></center>";
  52. 	  exit();
  53. 	  }
  54.  
  55. if(!$agree){
  56. echo"<font color=brown>you must agree the term of service to register</font>";
  57. exit();
  58. }	  
  59. ///connecting to databases
  60. include"config.php";
  61.  
  62.   $check=mysql_query("SELECT user FROM login WHERE user='$user'");
  63.   $rows=mysql_num_rows($check);
  64.   if($rows==0){
  65.         //$query="INSERT INTO login(name,family,male,female,user,email,country,password) VALUES('$name','$family','$male','$female','$user','$email','$country','$password')";
  66.  
  67. 	   $query="INSERT INTO login SET name='$names',age='$age',location='$location',passreal='$passreal',relation='$relation',gender='$gender',user='$user',email='$email',country='$country',password='$password',date=CURDATE()";
  68.         $prove="INSERT INTO profile SET names='$names',ages='$age',locations='$location',passreal='$passreal',relations='$relation',genders='$gender',users='$user',emails='$email',countrys='$country',passwords='$password',online='offline',dates=CURDATE()";     
  69. 		$result=mysql_query($query,$dbcnx);
  70. 		$result1=mysql_query($prove,$dbcnx);
  71. 			if($result||$result1){
  72. echo"You registered successfully";
  73. }
  74. ?>
After adding mysql_real_escape_string() the error comes in
php Syntax (Toggle Plain Text)
  1. //check if all datas where posted.
  2. if(!$name||!$password||!$family||!$country||!$user||!$email||!$location||!$relation||!$password2||!$gender||!$age){
  3.  echo "<center><b><font color=blue size=>Fill all the required Fields.</font></b><br>";
  4.  echo "<font color=blue >Go back and complete<br><a href=sinup.php><< BACK </a></font><br></center>";
  5.   exit();
  6. 	  }
which shows like i escaped some inputs.
Reputation Points: 17
Solved Threads: 8
Posting Whiz in Training
mrcniceguy is offline Offline
278 posts
since Mar 2008
Permalink
Aug 19th, 2009
0

Re: How to secure my web

I don't think you understand where you are supposed to escape the string. The function should be used right before the variable is inserted into the database. This was if a user didn't fill out a field, they won't have to wait for the escaping of all the variables before they are validated (It could save a few milliseconds, but probably won't matter that much). Where you are getting the error, I would use:
PHP Syntax (Toggle Plain Text)
  1. if(empty($name)||empty($password)||empty($family)||empty($country)||empty($user)||empty($email)||empty($location)||empty($relation)||empty($password2)||empty($gender)||empty($age)){
Last edited by FlashCreations; Aug 19th, 2009 at 6:53 pm.
Reputation Points: 47
Solved Threads: 47
Posting Whiz
FlashCreations is offline Offline
393 posts
since Sep 2008
Permalink
Aug 19th, 2009
0

Re: How to secure my web

ok i will try it.
i`ll inform you.
Reputation Points: 17
Solved Threads: 8
Posting Whiz in Training
mrcniceguy is offline Offline
278 posts
since Mar 2008
Permalink
Aug 21st, 2009
0

Re: How to secure my web

hey guys!i came out with the solution..
the problem was with the Database connection.This function mysql_real_escape_string requires a database connection .
in my code i were establing the connection after the POST[].
Thankx all for Contribution.
Reputation Points: 17
Solved Threads: 8
Posting Whiz in Training
mrcniceguy is offline Offline
278 posts
since Mar 2008
Permalink
Aug 21st, 2009
0

Re: How to secure my web

@FlashCreations You talked about giving each user a unique key which will be changing every time.
how is it possible??
Reputation Points: 17
Solved Threads: 8
Posting Whiz in Training
mrcniceguy is offline Offline
278 posts
since Mar 2008
Permalink
Aug 21st, 2009
0

Re: How to secure my web

Well for the users table in your MySQL database add a new column called session id. When the user logs in, create a long random string (unique key) to save as a cookie on the user's computer and in the user's row in the MySQL database (You would put it in the column you created for the unique keys). Then on every page where you authenticate the user, add code to create a new random string (unique key) and change the key in the cookie and the database to the new one you just created. This way you won't need to store a password in a cookie. You will only need to store the username and the unique key as a cookie on the user's computer (and add a column to your users table for the keys). To authenticate, check the username and the unique key and then regenerate the unique key.
Last edited by FlashCreations; Aug 21st, 2009 at 5:39 pm.
Reputation Points: 47
Solved Threads: 47
Posting Whiz
FlashCreations is offline Offline
393 posts
since Sep 2008
Permalink
Aug 22nd, 2009
0

Re: How to secure my web

how is it possible that someone was able to insert Javascript in the database while i used mysql_real_escape_string
php Syntax (Toggle Plain Text)
  1. <script>alert('helloo my friend')</script>
HOW CAN I AVOID THIS ISSUE??
my current code is
php Syntax (Toggle Plain Text)
  1. $comment=mysql_real_escape_string($_POST['comment']);
I NEED YOUR HELP THIS ISSUE OF SQL INJECTION.
Reputation Points: 17
Solved Threads: 8
Posting Whiz in Training
mrcniceguy is offline Offline
278 posts
since Mar 2008

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in PHP Forum Timeline: PhoneBook Script [Project]
Next Thread in PHP Forum Timeline: Images made from Blob are Cut Off





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC