PHP Security
Page 1 of 3 123 LastLast
Results 1 to 10 of 29

Thread: PHP Security

  1. #1
    Banned
    Join Date
    Apr 2003
    Posts
    51

    PHP Security

    would using a password protection thing such as this work?

    <?
    if ($pass != "mypassword") {
    print('Invalid Password');
    die;
    }
    ?>

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Posts
    282
    It will work but if your asking weather it is secure is a difernt story.

    This realy depends where $pass is getting its value from and weather global variables are turned on or off. In a typical login system sessions are used to keep track of logged in users. This enables transparent transportation of user name and password from one page to another.

    The problem mainly is with global variables.

    http://www.domain.com/members/index.php?pass=blah


  3. #3
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Globals being on or not doesn't really matter in this situation, unless the password matches the script dies, the source of the password doesn't change this fact, actually it is likely that Bob wishes $pass to be directly received from the user input anyhow.

    This system is likely sufficiently secure for basic uses Bob, the things that don't make it secure are the following:

    Password is included in the source (if the source is compromised so is everything it protects)
    Lack of granularity over access controls (I deally you want to limit down to single subjects to single objects, in this case we have many subjects to most likely mny objects)
    Lack of authentication propigation (users can share passwords)

    These are all more advanced issues, which I am guessing are beyond the scope of your needs, I have only presented them in case you had a desire to learn beyond your current needs.

    catch

  4. #4
    er0k
    Guest
    mergh..

    Programming PHP by Rasmus Waldorf and Kevin Tatroe, chapter 12.

  5. #5
    Banned
    Join Date
    Apr 2003
    Posts
    51
    I am trying to make it pretty secure, i know the way i just did is pretty simple, but i would like a pretty decent system that would keep out

    unwanted users of my script. I have been looking into PHP Sessions so i got the following script so far...


    index.php
    PHP Code:
    <?php
    session_start
    (); 
    session_register('pass'); 
    session_register('user'); 

    ?> 
    <html> 
    <body> 
    <form method="POST" action="main.php"><font size="2" face="arial">
    Username: <input type="text" name="user" size="20">

     
    Password: <input type="password" name="pass" size="20">

     
    <input type="submit" name="submit" value="  Log In  "> 
    </form> 
    </body> 
    </html>
    then, main.php...
    PHP Code:
    <?php 
    session_start
    (); 
    //header("Cache-control: private");

    $_SESSION['pass']=$_POST['pass']; 
    $_SESSION['user']=$_POST['user']; 

    $_SESSION['password']='admin';
    $_SESSION['username']='admin';


    if (
    $_SESSION['user'] != $_SESSION['username'] || $_SESSION['pass'] != $_SESSION['password']) { 
    ?>
    <html> 
    <body> 

    <form method="POST" action="main.php"><font size="2" face="arial">
    <font color=red>Login Invalid: Please Re-enter</font>

    Username: <input type="text" name="user" size="20">

     
    Password: <input type="password" name="pass" size="20">

     
    <input type="submit" name="submit" value="  Log In  "> 
    </form> 
    </body> 
    </html> 

    <?php
    die; 

    ?> 
    Whatever
    and so each each page will have that coding above "whatever" witout registering the pass and username.

    Now, catch, i am fairly new to php, so what do u mean by limiting down to single subjects to single objects. Also, how would i fix it so the password isn't in the coding? Thanks for the help

  6. #6
    er0k
    Guest

  7. #7
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    another good idea might be to use a HASH for the password...

    I like MD5 but SHA1 is very popular as well, although I really don't know the difference in strength...

    anyway

    PHP Code:
    <?php
    $input 
    $whatever_input_you_want;

    if (
    md5($input) === '1f3870be274f6c49b3e31a0c6728957f') {
        echo 
    "w00t, Access Granted!";
        
    #Do Stuff...
    }
    ?>
    yeah, I\'m gonna need that by friday...

  8. #8
    Banned
    Join Date
    Apr 2003
    Posts
    51
    ok, a little clarification...is $input the password? and what does 1f3870be274f6c49b3e31a0c6728957f do? thanks

  9. #9
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    One thing you should add is
    $pass = htmlspecialchars($pass);
    $user = htmlspecialchars($user);

    This will take the form input and strip any html code from it. You wouldn't want anyone entering

    '?> echo '$_session['username']' <php


    into the password or username field. For better protection you should also create a SQL database and store all the user and pass information in there and use the password('password') function to encrypt the password at the database level. This will keep your passwords and usernames from being in the script itself. If you have any questions about the php feel free to email me at cmarsh@planetmaddness.com

    xmad

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Originally posted here by xmaddness You wouldn't want anyone entering

    '?> echo '$_session['username']' <php

    xmad [/B]
    Would that only be bad if you use the variable $_session ? I'm assuming, if you don't use it, then you don't have anything to worry about, am I right?


    --PuRe
    Like this post? Visit PuRe\'s Information Technology Community. We\'ve also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •