
Thread: PHP Security

  1. #11
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    a hash is a one-way encryption method that allows for safe/secure verification of passwords/data...

    that strange string you saw earlier was the hash of the password. MD5 is pretty strong (as far as i know) and the only attack method that i know of is brute force (that's if they even have the hash).
    yeah, I'm gonna need that by friday...

  2. #12
    Banned
    Join Date
    Apr 2003
    Posts
    51
    well i was planning on using sessions also, this is kinda the code i have in mind now...

    index.php...
    PHP Code:
    <?php
    session_start();
    ?>

    <form method="POST" action="main.php"><font size="2" face="arial">
    Username: <input type="text" name="user" size="20"><br>
    Password: <input type="password" name="pass" size="20"><br>
    <input type="submit" name="submit" value="  Log In  ">
    </font></form>
    then in main.php...
    PHP Code:
    <?php
    session_start();

    include('pwlist.php');

    $pass = htmlspecialchars($_POST['pass']);
    $user = htmlspecialchars($_POST['user']);

    $_SESSION['pass'] = $pass;
    $_SESSION['user'] = $user;

    $_SESSION['username'] = 'admin';
    $_SESSION['password'] = 'admin';

    // compares the MD5 of the values from pwlist.php against the raw posted values
    if (md5($username) === $_SESSION['user'] && md5($password) === $_SESSION['pass']) {
        print "Access Granted";
    }
    else {
        print "Access Denied";
    }
    and the password and username is in pwlist.php...
    PHP Code:
    <?php
    $username = 'admin';
    $password = 'admin';
    If using sessions isn't smart, what other ways can I do this? (i'm trying to have a login page and when you login, there'll be links that can only be accessed if you're logged in) Is the way i suggested safe? I don't want any people to exploit stuff in the coding. Now also, someone said if anyone gets the source code, then the script's password can be got at, but how can the password stuff be discovered without actually having the script, and not just viewing it through the browser. Thanks

  3. #13
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    This is what I use for a login script for all my authentication systems. It's pretty simple and uses a database to authenticate.



    PHP Code:
    <?php
    session_start();
    include('compconfig.php');  //database user info

    // $HTTP_POST_VARS and $HTTP_SESSION_VARS are the PHP 4 names for $_POST and $_SESSION
    if (isset($HTTP_POST_VARS['userid']) && isset($HTTP_POST_VARS['password']))
    {
      // if the user has just tried to log in
      $userid = $HTTP_POST_VARS['userid'];
      $password = $HTTP_POST_VARS['password'];
      $userid = addslashes($userid);
      $password = addslashes($password);
      $userid = htmlspecialchars($userid);
      $password = htmlspecialchars($password);

      $sql = mysql_connect($dbhost, $dbuser, $dbpasswd);
      mysql_select_db($dbname, $sql);

      $query = 'select * from auth '
             ."where username='$userid' "
             ." and password=password('$password')";
      $result = mysql_query($query, $sql);
      $num_rows = mysql_num_rows($result);
      if ($num_rows > 0)
      {
        // if they are in the database register the user id for the session
        $HTTP_SESSION_VARS['valid_user'] = $userid;
      }
    }
    ?>
    <html>
    <body>
    <h1>Home page</h1>
    <?php
      if (isset($HTTP_SESSION_VARS['valid_user']))
      {
        echo 'You are logged in as: '.$HTTP_SESSION_VARS['valid_user'].'<br />';
        echo '<a href="logout.php">Log out</a><br />';
      }
      else
      {
        if (isset($userid))
        {
          // if they've tried and failed to log in
          echo 'Could not log you in';
        }
        else
        {
          // they have not tried to log in yet or have logged out
          echo 'You are not logged in.<br />';
        }

        // provide form to log in
        echo '<form method="post" action="authmain.php">';
        echo '<table>';
        echo '<tr><td>Userid:</td>';
        echo '<td><input type="text" name="userid"></td></tr>';
        echo '<tr><td>Password:</td>';
        echo '<td><input type="password" name="password"></td></tr>';
        echo '<tr><td colspan="2" align="center">';
        echo '<input type="submit" value="Log in"></td></tr>';
        echo '</table></form>';
      }
    ?>

    <a href="members_only.php">Members section</a>
    </body>
    </html>

  4. #14
    Junior Member
    Join Date
    May 2003
    Posts
    2
    here is the code i wrote for security on my servers.

    <?php
    #########################################################
    #
    #Server Session authorization page/script
    #
    #This script will allow 3 successive attempts to log
    #into the page, and will ban access from that PC after that.
    #
    #########################################################

    session_start();
    if (!isset($_SESSION['visits'])) $_SESSION['visits'] = 0;
    $_SESSION['visits']++;
    $v = ($visit = $_SESSION['visits']);
    # ordinal suffix for the visit counter (11th, 12th and 13th are the exceptions)
    $vr = substr(strrev($visit), 0, 1);
    if (($visit % 100) >= 11 && ($visit % 100) <= 13) $visit .= 'th';
    elseif ($vr == 1) $visit .= 'st';
    elseif ($vr == 2) $visit .= 'nd';
    elseif ($vr == 3) $visit .= 'rd';
    else $visit .= 'th';
    $ip = getenv("REMOTE_ADDR");

    ########################################################
    #
    #
    # set the below variables accordingly
    #
    #
    #########################################################


    $users=array( 'user1' => 'password1',
    'user2' => 'password2',
    'user3' => 'password3',
    'user4' => 'password4');

    $domain="http://www.yourdomain.com";



    function main()
    {
    ##########################################################
    #
    #place the rest of your page here. In further pages,
    #you can just check the status of the created session
    #variable and force users to this page if the session is invalid.
    #
    ##########################################################





    }




    #########################################################
    #
    #
    # Leave the rest of the code alone
    #
    #
    #
    #########################################################


    if ($v >=5)
    {
    echo '
    <style>

    body {background: #557; color: white; margin: 0; padding: 0;}
    div {border: 1px solid #335;}
    h1, div {background: #d99 url(images/Astronaut.jpg) center no-repeat fixed; color: black;}
    p {margin: 1em 0; padding: 0;}
    span.leader {font-style: italic;}
    span.note {font-style: italic; font-size: 12;}
    span.info {font-style: normal; font-size: 14; color:red; font-weight: normal;}
    span.label {font: italic 1em Arial, sans-serif; letter-spacing: 1px;}

    h1, h3, h4 {font-family: Arial, sans-serif; font-style: italic; font-weight: normal; margin: 0; text-transform: lowercase;}
    h1 {letter-spacing: 0.75em; color: red; padding: 0.25em 0.33em 0.125em; border-bottom: 5px double #557; border-top: 3px double #CCF;}
    h3 {font-weight: bold; color: #113;}
    h4 {font-weight: bold; letter-spacing: 0.5em; padding: 0.33em 0.5em 0.167em; border-top: 1px solid #335; border-bottom: 1px solid #557; background: #77A; color: #533;}


    div#note p {margin: 0; padding: 0.66em; font-size: 80%; font-family: sans-serif; line-height: 1.33; color: #335;}
    div#sidebar div#credits a {padding: 0.33em 0.66em 0.167em 0.66em; letter-spacing: 0; font-weight: normal; text-align: left; font-size: 90%;}

    div#main {position: absolute; top: 3em; left: 10%; width: 80%; margin: 1em; padding: 1em 1.5em;}
    div#main h3 {letter-spacing: 3px; margin: 1.25em 0 0;}
    div#main h3#top {margin-top: 0;}
    div#main p {margin: 0.25em 0 1em; line-height: 1.25em;}

    small {letter-spacing: 0; font-size: 85%;}

    div.NN4 {display: none;}

    </style>


    <div id="main">
    <h1 id="top"><span>Please Leave this Server</span></h1>



    <p><span class="leader">Why Am I Still Here?</span>
    You are attempting to access an unauthorized page or resource. Your '.$v.' attempts and IP Address:
    '.$ip.' have been logged and the system administrator has been notified. Any further attempts
    will be considered actionable as attempts to illegally gain access to this system.</p>

    ';
    exit;

    }




    # the PHP_AUTH_* entries are absent on the first request, before the browser has sent credentials
    $auth_user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $auth_pw   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
    if (! pc_validate($auth_user, $auth_pw))
    {
    header('WWW-Authenticate: Basic realm="Restricted Zone Server. Your IP is:'.$ip.' Authorized Users Only"');
    header('HTTP/1.0 401 Unauthorized');
    echo '
    <style>

    body {background: #557; color: white; margin: 0; padding: 0;}
    div {border: 1px solid #335;}
    h1, div {background: #99C url(images/Astronaut.jpg) center no-repeat fixed; color: black;}
    p {margin: 1em 0; padding: 0;}
    span.leader {font-style: italic;}
    span.note {font-style: italic; font-size: 12;}
    span.info {font-style: normal; font-size: 14; color:red; font-weight: normal;}
    span.label {font: italic 1em Arial, sans-serif; letter-spacing: 1px;}

    h1, h3, h4 {font-family: Arial, sans-serif; font-style: italic; font-weight: normal; margin: 0; text-transform: lowercase;}
    h1 {letter-spacing: 0.75em; color: #446; padding: 0.25em 0.33em 0.125em; border-bottom: 5px double #557; border-top: 3px double #CCF;}
    h3 {font-weight: bold; color: #113;}
    h4 {font-weight: bold; letter-spacing: 0.5em; padding: 0.33em 0.5em 0.167em; border-top: 1px solid #335; border-bottom: 1px solid #557; background: #77A; color: #335;}


    div#note p {margin: 0; padding: 0.66em; font-size: 80%; font-family: sans-serif; line-height: 1.33; color: #335;}
    div#sidebar div#credits a {padding: 0.33em 0.66em 0.167em 0.66em; letter-spacing: 0; font-weight: normal; text-align: left; font-size: 90%;}

    div#main {position: absolute; top: 3em; left: 10%; width: 80%; margin: 1em; padding: 1em 1.5em;}
    div#main h3 {letter-spacing: 3px; margin: 1.25em 0 0;}
    div#main h3#top {margin-top: 0;}
    div#main p {margin: 0.25em 0 1em; line-height: 1.25em;}

    small {letter-spacing: 0; font-size: 85%;}

    div.NN4 {display: none;}

    </style>



    <div id="main">
    <h1 id="top"><span>Welcome to the Brownwood Server</span></h1>



    <p><span class="leader">Where Am I?</span>
    You are attempting to access a restricted zone server. This Server is for authorized personnel only.</p>

    <p><span class="note">
    (Note, your login should be the same as your network login, Please contact your Team Leader
    if you are not able to log in)</span> </p>

    ';


    $ip = getenv("REMOTE_ADDR");
    echo "<span class=\"info\"> <center>All traffic is logged. You are visiting from remote ip: $ip";
    echo " and this is your $visit visit</center>
    </span>";

    if ($v >=4)
    {
    echo "<span class=\"info\"> <center>Please Desist, the Network Administrator has been automatically notified of your repeated attempts to access this server</center></span>";
    }


    echo substr(md5(date("ymd")),0,6);
    exit;

    }


    function pc_validate($user,$pass)
    {
    global $users;


    if (isset($users[$user])&&($users[$user] == $pass))
    {

    $_SESSION['visits']=-1;
    echo '
    <style>

    body {background: #557; color: white; margin: 0; padding: 0;}
    div {border: 1px solid #335;}
    h1, div {background: #99C url(images/Astronaut.jpg) center no-repeat fixed; color: black;}
    p {margin: 1em 0; padding: 0;}
    span.leader {font-style: italic;}
    span.note {font-style: italic; font-size: 12;}
    span.info {font-style: normal; font-size: 14; color:red; font-weight: normal;}
    span.label {font: italic 1em Arial, sans-serif; letter-spacing: 1px;}
    button { height:18pt; font:8pt; padding:0 0 0 0; border-width:1 1 1 1; font-family:sans-serif; }
    *.buRed { width: 60px; height: 20pt;background: #feeeee; border-color: Red ; color: Red ; font: 10pt;}
    *.buBlue { width: 60px; height: 20pt;background: #eeeefe; border-color: Blue ; color: Navy ; font: 10pt;}
    input { height: 13pt ; font: 7pt; border-width: 1 1 2 1;background:#eeeefe;}

    h1, h3, h4 {font-family: Arial, sans-serif; font-style: italic; font-weight: normal; margin: 0; text-transform: lowercase;}
    h1 {letter-spacing: 0.75em; color: #446; padding: 0.25em 0.33em 0.125em; border-bottom: 5px double #557; border-top: 3px double #CCF;}
    h3 {font-weight: bold; color: #113;}
    h4 {font-weight: bold; letter-spacing: 0.5em; padding: 0.33em 0.5em 0.167em; border-top: 1px solid #335; border-bottom: 1px solid #557; background: #77A; color: #335;}


    div#note p {margin: 0; padding: 0.66em; font-size: 80%; font-family: sans-serif; line-height: 1.33; color: #335;}
    div#sidebar div#credits a {padding: 0.33em 0.66em 0.167em 0.66em; letter-spacing: 0; font-weight: normal; text-align: left; font-size: 90%;}

    div#main {position: absolute; top: 3em; left: 10%; width: 80%; margin: 1em; padding: 1em 1.5em;}
    div#main h3 {letter-spacing: 3px; margin: 1.25em 0 0;}
    div#main h3#top {margin-top: 0;}
    div#main p {margin: 0.25em 0 1em; line-height: 1.25em;}

    small {letter-spacing: 0; font-size: 85%;}

    div.NN4 {display: none;}

    </style>';

    main();
    }





    ?>

  5. #15
    Banned
    Join Date
    Apr 2003
    Posts
    51
    well i could give the MySQL a try, but i have a few questions. What is in 'compconfig.php'? How would i add/delete members? And lastly, how would i do this for multiple pages that i want to link that can only be accessed when you're logged in?

    And, Fatherstorm, i think your way of doing stuff is a little too complicated for me o.0 lol but thanks anyway

  6. #16
    Junior Member
    Join Date
    May 2003
    Posts
    2
    As far as your other pages go, all you have to do is check to see if the session variable has been set. If not, then write a redirect to the login page.
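    The session check described above, written out as an added example (not code from this thread): a guard that every members-only page includes at the top, reusing the `$_SESSION['valid_user']` flag from post #13. The file names, the 8-hour limit and PHP 7.3+ (for the array form of session_set_cookie_params) are assumptions.

```php
<?php
// Added example, not from the thread: the "is the session set, else redirect"
// check from post #16, plus the session handling a login script should do.
// Assumes PHP 7.3+, a login page named authmain.php and the flag
// $_SESSION['valid_user'] set by the login script (names from post #13).
declare(strict_types=1);

// Cookie flags: HttpOnly keeps the session id away from page scripts,
// Secure limits it to HTTPS, SameSite=Lax blocks most cross-site requests.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

// Call this from the login script after the password check succeeds:
// a fresh id stops a session id fixed before login from being reused.
function mark_logged_in(string $userid): void
{
    session_regenerate_id(true);
    $_SESSION['valid_user'] = $userid;
    $_SESSION['login_time'] = time();
}

// True only when mark_logged_in() set a user and the login is younger
// than $max_age seconds (assumed limit: 8 hours).
function is_logged_in(int $max_age = 8 * 3600): bool
{
    return isset($_SESSION['valid_user'], $_SESSION['login_time'])
        && (time() - $_SESSION['login_time']) < $max_age;
}

// Redirect to the login page and stop. The exit matters: without it the
// rest of the members-only page is still sent along with the Location header.
function require_login(string $login_page = 'authmain.php'): void
{
    if (!is_logged_in()) {
        session_unset();
        header('Location: ' . $login_page, true, 303);
        exit;
    }
}

// Clear the server-side data and expire the cookie (for logout.php).
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// First line of every members-only page:
require_login();
echo 'Members section for ' . htmlspecialchars($_SESSION['valid_user'], ENT_QUOTES);
```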

  7. #17
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    PHP Code:
    <?php

    //This file will include all the information that pertains to your database
    //This information is kept in a separate file so that you can just change one file, and all your
    //database information is changed in the rest of the php files. just name this compconfig.php
    //and do an include('compconfig.php'); at the top of any php files that access the database

    $dbhost = 'localhost';      //put your host here, if you're running the database put localhost
    $dbname = 'auth';           //database name goes here
    $dbuser = 'john';           //database user login here
    $dbpasswd = 'abc123';       //database password here

    ?>

    Pretty simple eh?




    To add users I did this script.


    PHP Code:
    <?php
    session_start();
    include('compconfig.php');

    //add short form variables
    $username = $_POST['username'];
    $email = $_POST['email'];
    $password1 = $_POST['password1'];
    $password2 = $_POST['password2'];

    //make sure the user didn't put in a huge string as a joke
    if(strlen($username) > 10)
    {
            echo 'Please limit your username to only 10 characters.';
            exit;
    }
    if(strlen($email) > 40)
    {
            echo 'Please limit your email size to only 40 characters.';
            exit;
    }
    if(strlen($password1) > 30)
    {
            echo 'Please limit your password size to only 30 characters.';
            exit;
    }

    //trim the whitespace around the entry
    $username = trim($username);
    $email = trim($email);
    $password1 = trim($password1);
    $password2 = trim($password2);

    //prevent any type of html characters or hacking attempts to be processed.
    $username = htmlspecialchars($username);
    $email = htmlspecialchars($email);
    $password1 = htmlspecialchars($password1);
    $password2 = htmlspecialchars($password2);

    //did they enter a name?
    if (!$username)
    {
        echo 'You forgot to enter a username!';
        echo '<br /><a href="register.html">Go Back</a>';
        exit;
    }
    //did they enter an email?
    if (!$email)
    {
        echo 'You forgot to enter an email address!';
        echo '<br /><a href="register.html">Go Back</a>';
        exit;
    }
    //did they enter the passwords?
    if (!$password1 || !$password2)
    {
        echo 'You forgot to enter the passwords';
        echo '<br /><a href="register.html">Go Back</a>';
        exit;
    }
    //do the passwords match?
    if ($password1 != $password2)
    {
        echo 'Your passwords do not match!';
        echo '<br /><a href="register.html">Go Back</a>';
        exit;
    }

    //They are ready to register, so now we make the data safe for the database by adding escape characters
    $username = addslashes($username);
    $email = addslashes($email);
    $password1 = addslashes($password1);
    $password2 = addslashes($password2);

    //Check to see if the user name is already in the database
    $sql = mysql_connect($dbhost, $dbuser, $dbpasswd);
    mysql_select_db($dbname, $sql);

    $query = 'select * from auth '
           ."where username='$username' ";
    $result = mysql_query($query, $sql);
    if(!$result)
    {
        echo 'The database is not available at this time.';
        echo '<br /> Please try your query at another time. Error = 1';
        exit;
    }

    $num_rows = mysql_num_rows($result);
    if ($num_rows > 0)
    {
        echo 'Sorry, but the username '.stripslashes($username).' is already taken.';
        echo '<br />Please choose another username.';
        echo '<br /><a href="register.html">Go Back</a>';
        exit;
    }

    //test to see if the e-mail is already in the system, this prevents double registration
    $query4 = 'select * from auth '
            ."where email='$email' ";
    $result4 = mysql_query($query4, $sql);
    if(!$result4)
    {
        echo 'The database is not available at this time.';
        echo '<br /> Please try your query at another time. Error = 4';
        exit;
    }

    $num_rows4 = mysql_num_rows($result4);
    if ($num_rows4 > 0)
    {
        echo 'Sorry, but the email address '.stripslashes($email).' is already registered.';
        echo '<br />Please choose another email address.';
        echo '<br /><a href="register.html">Go Back</a>';
        exit;
    }

    //If all goes well, register the user.
    $query2 = 'insert into auth values '
            ."( '', '$username', password('$password1'), '$email', 'no', 'no' )";
    $result2 = mysql_query($query2, $sql);
    if(!$result2)
    {
        echo 'The database is not available at this time.';
        echo '<br /> Please try your query at another time. Error = 2';
        exit;
    }

    //re-read the new row to confirm the insert went through
    $query3 = 'select * from auth '
            ."where username='$username' ";
    $result3 = mysql_query($query3, $sql);
    if(!$result3)
    {
        echo 'The database is not available at this time.';
        echo '<br /> Please try your query at another time. Error = 3';
        exit;
    }

    $num_rows2 = mysql_num_rows($result3);
    if ($num_rows2 > 0)
    {
        echo "Thank you for registering ".stripslashes($username)."!";
        echo "<br />You may now <a href = 'authmain.php'>login</a>.";
    }

    ?>

    Simply either add a register.html form and have it refer to this script, or just add the form in there somewhere. You can test this script by going to

    http://www.planetmaddness.com/comp/register.html

    xmad
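    The login (post #13) and registration (post #17) logic rebuilt as an added example that is not code from this thread: prepared statements replace the quoted `'$userid'` string building, and password_hash()/password_verify() replace MySQL's password(). It runs against an in-memory SQLite database (assumes the pdo_sqlite extension); the column names follow the `auth` table from post #19, with the password column widened to hold the hash.

```php
<?php
// Added example, not from the thread: register + login with PDO prepared
// statements and PHP's password_hash(). Uses SQLite in memory so it runs
// offline; swap the DSN for MySQL in production. Columns follow post #19.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // password VARCHAR(255): password_hash() output is longer than the
    // varchar(30) in the original schema and would be silently truncated.
    $db->exec('CREATE TABLE auth (
        userid   INTEGER PRIMARY KEY AUTOINCREMENT,
        username VARCHAR(10)  NOT NULL UNIQUE,
        password VARCHAR(255) NOT NULL,
        email    VARCHAR(40)  NOT NULL UNIQUE)');
    return $db;
}

// Register: the length checks from post #17, then a salted one-way hash.
// Values are bound as parameters, so no addslashes()/htmlspecialchars()
// is needed before the query; the raw password goes into the hash only.
function register(PDO $db, string $user, string $email, string $pass): bool
{
    if ($user === '' || strlen($user) > 10 || strlen($email) > 40 || $pass === '') {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO auth (username, password, email) VALUES (?, ?, ?)');
    try {
        return $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $email]);
    } catch (PDOException $e) {
        return false;   // UNIQUE constraint: username or email already taken
    }
}

// Login: look the row up by username only, then verify the hash in PHP.
// The password never becomes part of the SQL text, unlike password('$password').
function login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM auth WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($pass, $row['password']);
}

$db = open_db();
var_dump(register($db, 'alice', 'alice@example.com', 'correct horse'));
var_dump(register($db, 'alice', 'other@example.com', 'x'));   // same username again
var_dump(register($db, "o'brien", 'ob@example.com', 'pw'));   // quote in the name is just data
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'wrong'));
var_dump(login($db, "o'brien", 'pw'));
```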

  8. #18
    Banned
    Join Date
    Apr 2003
    Posts
    51
    i think i almost got it, but i have a few more questions. I'm not too familiar with the "tables" thing in mySQL so i have phpMyAdmin. What do i put in the table name and amount of fields area? Also, what would i put in the other areas in MyAdmin? Thanks

  9. #19
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    In phpMyAdmin put the following code in a SQL query.

    create table auth (
    userid int unsigned not null auto_increment primary key,
    username varchar(10) not null,
    password varchar(30) not null,
    email varchar(40) not null,
    activation varchar(3) not null,
    admin varchar(3) default 'no' not null
    );

    insert into auth values
    ( '1', 'user', 'pass', 'test@planetmaddness.com', 'yes', 'no');

    insert into auth values
    ( '', 'testuser', password('test123'), 'testuser@planetmaddness.com', 'yes', 'no' );

    grant select, insert, update, delete
    on auth.*
    to databaseusernamehere
    identified by 'databasepasshere';

    This will insert the table headings and prepare the database for use. It will also insert two example users.


    xmadd

  10. #20
    Banned
    Join Date
    Apr 2003
    Posts
    51
    ok, i have a few more problems. It seems that I can't login. Now, i'm connecting to the database, but i am not sure if i set the table up right or anything, and
    phpMyAdmin did give me an error message when i tried to set it up, but it still showed the table and stuff, so i'm not sure if there's anything wrong with it. I just get "Could not Log you in"

    Does this have to do with the password('$password')"; part and what does the password() thing do?

    Anyway, i really appreciate all the help, and thanks for bearing with me o.0
