This is a discussion on "How to facilitate login?" within the alt.comp.lang.php forums, part of the PHP Programming Forums category.
http://www.devshed.com/c/a/PHP/Creat...-Login-Script/

is a start...

hth,
John

"Michael" <no-one@anywhere.at.all> wrote in message news:IoqdnVN2Boic2tHfRVn-vg@is.co.za...
> I'm a bit of a newbie at this one...
>
> I have a MySQL database with users and passwords.
>
> How do I create a logon mechanism? The forms part is easy, but I'm in the
> dark about sessions and how to process the logon.
>
> Thanks
> Michael
"Tex John" <john@logontexas.com> wrote in message
news:6hZ2e.14821$1H3.14027@tornado.texas.rr.com...
> http://www.devshed.com/c/a/PHP/Creat...-Login-Script/
>
> is a start...
>
> hth,
> John

Grr, top post! breeeath.... ah, never mind.

I've just quickly looked through that article and have something to add for a secure login script.

Martin suggested using the following query to check a login:

$sql = "SELECT * FROM member WHERE " .
       "username = $username AND " .
       "password = $password";

However, that's vulnerable to SQL injection; the following method is much more restrictive to injection attacks.

$sql = "SELECT * FROM member WHERE username=$username";
$row = fetch_array......

if ($row["password"] == $_GET['password']) {
    login ok.
}

Why is it more secure? Well, first off, they only have one variable to inject into (ok, not much of a help), but even IF they did something like "SELECT .... WHERE username=' ' or username like '%'" they would STILL have to know a valid password for the PHP comparison. Not totally bomb proof, but a bit more secure than the above version.

Cheers,
Treefrog
Treefrog wrote:
> "Tex John" <john@logontexas.com> wrote in message
> news:6hZ2e.14821$1H3.14027@tornado.texas.rr.com...
>
>> http://www.devshed.com/c/a/PHP/Creat...-Login-Script/
>>
>> is a start...
>>
>> hth,
>> John
>
> Grr, top post! breeeath.... ah, never mind.
>
> I've just quickly looked through that article and have something to add for
> a secure login script.
>
> Martin suggested using the following query to check a login:
> $sql = "SELECT * FROM member WHERE " .
>        "username = $username AND " .
>        "password = $password";
>
> However, that's vulnerable to SQL injection; the following method is much
> more restrictive to injection attacks.
>
> $sql = "SELECT * FROM member WHERE username=$username";
> $row = fetch_array......
>
> if ($row["password"] == $_GET['password']) {
>     login ok.
> }
>
> Why is it more secure?

It's not.

> Well, first off, they only have one variable to inject into (ok, not much of
> a help), but even IF they did something like "SELECT .... WHERE username=' '
> or username like '%'"

Well, you could just use mysql_real_escape_string(), and this wouldn't be a problem at all...

> they would STILL have to know a valid password for the PHP comparison. Not
> totally bomb proof, but a bit more secure than the above version.

Also, you shouldn't store passwords unencrypted in your database. You should hash them using md5() (or sha1()) before storing them, and then compare against the md5() (or sha1()) of the user input.

--
Oli
On Fri, 01 Apr 2005 17:04:02 GMT, Oli Filth <catch@olifilth.co.uk> wrote:
> Treefrog wrote:
>> "Tex John" <john@logontexas.com> wrote in message
>> news:6hZ2e.14821$1H3.14027@tornado.texas.rr.com...
>>
>>> http://www.devshed.com/c/a/PHP/Creat...-Login-Script/
>>>
>>> is a start...
>>>
>>> hth,
>>> John
>>
>> Grr, top post! breeeath.... ah, never mind.
>>
>> I've just quickly looked through that article and have something to add for
>> a secure login script.
>>
>> Martin suggested using the following query to check a login:
>> $sql = "SELECT * FROM member WHERE " .
>>        "username = $username AND " .
>>        "password = $password";
>>
>> However, that's vulnerable to SQL injection; the following method is much
>> more restrictive to injection attacks.
>>
>> $sql = "SELECT * FROM member WHERE username=$username";
>> $row = fetch_array......
>>
>> if ($row["password"] == $_GET['password']) {
>>     login ok.
>> }
>>
>> Why is it more secure?
>
> It's not.
>
>> Well, first off, they only have one variable to inject into (ok, not much of
>> a help), but even IF they did something like "SELECT .... WHERE username=' '
>> or username like '%'"
>
> Well, you could just use mysql_real_escape_string(), and this wouldn't be
> a problem at all...
>
>> they would STILL have to know a valid password for the PHP comparison. Not
>> totally bomb proof, but a bit more secure than the above version.
>
> Also, you shouldn't store passwords unencrypted in your database. You should hash
> them using md5() (or sha1()) before storing them, and then compare
> against the md5() (or sha1()) of the user input.

This is what I use - is it best practice?

<?
$TableName="auth_users";
$Query="SELECT * FROM $TableName WHERE username=\"$username\" and password=password(\"$password\")";
$Result=mysql_db_query ($DBName, $Query, $Link);
$num=mysql_num_rows($Result);
if ($num==0)
{
    header("location: logon.php");
    exit();
}
else
{
    session_start();
    session_register('valid');
    $valid="yes";
}

and the start of the header file included in all the other files being -

<?
session_start();
if ($valid =="results")
{
    header( "Location: onwards_into_the_files" );
}
if ($valid !=="yes")
{
    header( "Location: logon.php" );
    exit();
}

------------------------------------------------------------
This post did not necessarily reflect my opinions. So there.
Pull the pins out to reply direct.
Fat Bloke wrote:
> This is what I use - is it best practice?

Very much not so.

> <?
> $TableName="auth_users";
> $Query="SELECT * FROM $TableName WHERE username=\"$username\" and
> password=password(\"$password\")";

1. I'm assuming you're using $username and $password as the user's input, which means that you have register_globals set to On, which is a high security risk. See http://www.php.net/register_globals for why this is a Bad Thing.

2. Your passwords aren't encrypted in the database.

3. You aren't validating the contents of $username and $password, so you are vulnerable to SQL injection. Use mysql_real_escape_string(). See http://www.php.net/mysql_real_escape_string.

4. You have no check to ensure that $username and $password actually exist. What if the user has typed in the URL of the log-in page directly without using a form?

> $Result=mysql_db_query ($DBName, $Query, $Link);
> $num=mysql_num_rows($Result);
> if ($num==0)
> {
>     header("location: logon.php");
>     exit();
> }
> else
> {
>     session_start();
>     session_register('valid');
>     $valid="yes";
> }

It is highly recommended that you use $_SESSION instead of session_register() et al., mainly because of the register_globals thing. Think about it: now someone can just go to one of your pages with "?valid=yes" appended to the URL, and the script will assume they're logged in.

> and the start of the header file included in all the other files being -
> <?
> session_start();
> if ($valid =="results")
> {
>     header( "Location: onwards_into_the_files" );
> }
> if ($valid !=="yes")
> {
>     header( "Location: logon.php" );
>     exit();
> }

--
Oli
[snip]
> It is highly recommended that you use $_SESSION instead of
> session_register() et al., mainly because of the register_globals thing.
> Think about it: now someone can just go to one of your pages with
> "?valid=yes" appended to the URL, and the script will assume they're
> logged in.
[snip]

Ok, thanx.

------------------------------------------------------------
This post did not necessarily reflect my opinions. So there.
Pull the pins out to reply direct.