Hi there.

I'm looking to create a site in the near future that will have a login system. What I'd like to know is:

1.) What different types of attacks are there against websites besides brute force attacks (been reading this thread on brute force attacks: http://www.daniweb.com/forums/thread82966.html&highlight=login+security)

2.) Are there any links/suggestions to combat the attack mentioned by you or any user posting in this thread

SQL Injection is probably your biggest threat with logins since it's pretty simple to defeat brute force attacks with lockout.

addslashes() only goes so far, the same goes for magic_quotes_gpc

Edited 3 Years Ago by happygeek: fixed formatting

SQL Injection is probably your biggest threat with logins since it's pretty simple to defeat brute force attacks with lockout. addslashes() only goes so far, the same goes for magic_quotes_gpc

Could you explain a bit more about SQL injection?

EDIT: I just found a link to SQL injection

Edited 3 Years Ago by happygeek: fixed formatting

If you have a query which you interact with the database such as

SELECT * FROM users WHERE username = 'blah' and password = 'blahblah'

(I have a unhashed password for example purposes)
This would translate into PHP has

$query = "SELECT * FROM users where username = '".$_POST['username']."' AND password = '".$_POST['password']."'";

Which is about as simple as it comes. But, what happens if you don't escape quotes?

Username: bob' OR 1=1 --
We now have the following query

SELECT * FROM users WHERE username = 'bob' OR 1=1 -- this is a comment

Which of course gives the user access no matter what.

If you have a query which you interact with the database such as

SELECT * FROM users WHERE username = 'blah' and password = 'blahblah'

(I have a unhashed password for example purposes)
This would translate into PHP has

$query = "SELECT * FROM users where username = '".$_POST['username']."' AND password = '".$_POST['password']."'";

Which is about as simple as it comes. But, what happens if you don't escape quotes?

Username: bob' OR 1=1 --
We now have the following query

SELECT * FROM users WHERE username = 'bob' OR 1=1 -- this is a comment

Which of course gives the user access no matter what.

I'm not sure i understand this completely.

If you had

$query = "SELECT * FROM users where username = '".$_POST['username']."' AND password = '".$_POST['password']."'";

why not just have it without th inverted commas like this:

$query = "SELECT * FROM users where username = '$_POST['username']' AND password = '$_POST['password']'";

The syntax is irrelevant, if you don't "clean" your inputs then injection will happen, it's an unfortunate inevitability.

The syntax is irrelevant, if you don't "clean" your inputs then injection will happen, it's an unfortunate inevitability.

Ok, so basically I want to get rid of any apostrophes or exclamation marks before executing my SQL query? And you say even that isn't fool proof?

This is from the link I posted earlier above (http://en.wikipedia.org/wiki/SQL_injection):

PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?");
prep.setString(1, pwd);

The code(java) above apparently helps prevent SQL injection. Is there anything like this I could use in php?

1.) What different types of attacks are there against websites besides brute force attacks (been reading this thread on brute force attacks: http://www.daniweb.com/forums/thread82966.html&highlight=login+security)

You've also got to watch out for scripts that get uploaded to your server and give someone remote access to your file system, db, etc (like this shell script).

Basically, a hacker can write up a script like CPanel or DirectAdmin that gives them control of a lot of stuff - and add in functions that break passwords and what not to give them unlimited access.

An easy way for these things to end up on your server is if you allow users to upload files without taking some precautions. A couple things you could do to help prevent it are - limit uploads to certain file extensions (i.e. doc file extensions or image extensions) or tell Apache not to execute any php in the /uploads directory.

- Walkere

You've also got to watch out for scripts that get uploaded to your server and give someone remote access to your file system, db, etc (like this shell script).

Basically, a hacker can write up a script like CPanel or DirectAdmin that gives them control of a lot of stuff - and add in functions that break passwords and what not to give them unlimited access.

An easy way for these things to end up on your server is if you allow users to upload files without taking some precautions. A couple things you could do to help prevent it are - limit uploads to certain file extensions (i.e. doc file extensions or image extensions) or tell Apache not to execute any php in the /uploads directory.

- Walkere

I have an upload function that checks extensions to make sure they're only jpg, jpeg, gif or png. Is it possible for someone to upload a file such as "attackscript.exe.jpg" and have the script change the filename to "attackscript.exe"? A quick thought about it tells me no but in the world of programming a lot of things are possible.

This article has been dead for over six months. Start a new discussion instead.