Page 1 of 3 (results 1 to 10 of 29)

Thread: PHP Security

  1. #1
    Banned (Join Date: Apr 2003, Posts: 51)

    PHP Security

    Would using a password protection thing such as this work?

    <?php
    // $pass is expected to come straight from the request (register_globals);
    // anything other than the literal password stops the script here.
    if ($pass != "mypassword") {
        print('Invalid Password');
        die();
    }
    ?>

  2. #2
    Senior Member (Join Date: Feb 2003, Posts: 282)
    It will work, but if you're asking whether it is secure, that is a different story.

    This really depends on where $pass is getting its value from and whether global variables are turned on or off. In a typical login system, sessions are used to keep track of logged-in users. This enables transparent transportation of the user name and password from one page to another.

    The problem mainly is with global variables.

    http://www.domain.com/members/index.php?pass=blah
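Added example, not part of the thread: what the first post's $pass check does when the old register_globals setting turns every request parameter into a PHP variable, beside the same check reading its one input explicitly. register_globals was removed in PHP 5.4, so extract() is used here only to simulate its effect, and the request arrays are constructed; the $authorized flag is an assumed extra variable that shows the general hazard, not something in the original code.

```php
<?php
// Added example, not part of the thread: the $pass check under simulated
// register_globals (extract() stands in for the removed PHP setting) next to
// a version that reads one named parameter from the form body only.

declare(strict_types=1);

/** The check as written in the first post, run under simulated register_globals. */
function check_with_register_globals(array $get, array $post): string
{
    // register_globals: every GET/POST key became a variable, including ones
    // the script never meant to accept from the client.
    extract($get);
    extract($post);

    // Vulnerable pattern: $authorized is only ever set on success and is never
    // initialised, so a client can pre-seed it with ?authorized=1.
    if (isset($pass) && $pass == "mypassword") {
        $authorized = true;
    }
    return !empty($authorized) ? 'granted' : 'denied';
}

/** Hardened: read the one parameter you expect, from the place you expect it. */
function check_explicit(array $post, string $expected): string
{
    $authorized = false;                    // state always starts from a known value
    $pass = (string) ($post['pass'] ?? ''); // form body only, never the query string
    if (hash_equals($expected, $pass)) {    // constant-time comparison
        $authorized = true;
    }
    return $authorized ? 'granted' : 'denied';
}

// Constructed request: empty form body; the query string tries to smuggle in
// both the password and the script's internal flag.
$get  = ['pass' => 'blah', 'authorized' => '1'];
$post = [];

echo "register_globals, ?pass=blah&authorized=1: ", check_with_register_globals($get, $post), "\n";
echo "explicit \$_POST, same request:            ", check_explicit($post, 'mypassword'), "\n";
echo "explicit \$_POST, correct POSTed password: ", check_explicit(['pass' => 'mypassword'], 'mypassword'), "\n";
```

The point of the second function is that the script decides where its input comes from and starts every piece of state from a known value, so a parameter in the URL can neither supply the password nor flip a flag the script uses internally.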


  3. #3
    Banned (Join Date: May 2003, Posts: 1,004)
    Globals being on or not doesn't really matter in this situation: unless the password matches, the script dies, and the source of the password doesn't change this fact. Actually, it is likely that Bob wishes $pass to be directly received from the user input anyhow.

    This system is likely sufficiently secure for basic uses, Bob; the things that don't make it secure are the following:

    Password is included in the source (if the source is compromised, so is everything it protects)
    Lack of granularity over access controls (ideally you want to limit down to single subjects to single objects; in this case we have many subjects to, most likely, many objects)
    Lack of authentication propagation (users can share passwords)

    These are all more advanced issues, which I am guessing are beyond the scope of your needs. I have only presented them in case you had a desire to learn beyond your current needs.

    catch

  4. #4
    er0k (Guest)
    mergh..

    Programming PHP by Rasmus Lerdorf and Kevin Tatroe, chapter 12.

  5. #5
    Banned (Join Date: Apr 2003, Posts: 51)
    I am trying to make it pretty secure. I know the way I just did it is pretty simple, but I would like a pretty decent system that would keep out unwanted users of my script. I have been looking into PHP sessions, so I got the following script so far...


    index.php
    PHP Code:
    <?php
    session_start();
    // session_register() was removed in PHP 5.4; main.php writes to
    // $_SESSION directly, so nothing needs to be registered here.
    ?>
    <html>
    <body>
    <form method="POST" action="main.php"><font size="2" face="arial">
    Username: <input type="text" name="user" size="20"><br>
    Password: <input type="password" name="pass" size="20"><br>
    <input type="submit" name="submit" value="  Log In  ">
    </font></form>
    </body>
    </html>
    then, main.php...
    PHP Code:
    <?php
    session_start();
    //header("Cache-control: private");

    // Copy the submitted credentials into the session ("?? ''" avoids
    // undefined-index notices when the page is hit without a POST).
    $_SESSION['pass'] = $_POST['pass'] ?? '';
    $_SESSION['user'] = $_POST['user'] ?? '';

    // The expected credentials, still hardcoded in the script.
    $_SESSION['password'] = 'admin';
    $_SESSION['username'] = 'admin';

    if ($_SESSION['user'] != $_SESSION['username'] || $_SESSION['pass'] != $_SESSION['password']) {
    ?>
    <html>
    <body>
    <form method="POST" action="main.php"><font size="2" face="arial">
    <font color=red>Login Invalid: Please Re-enter</font><br>
    Username: <input type="text" name="user" size="20"><br>
    Password: <input type="password" name="pass" size="20"><br>
    <input type="submit" name="submit" value="  Log In  ">
    </font></form>
    </body>
    </html>
    <?php
        die();
    }
    ?>
    Whatever
    and so each page will have that coding above "Whatever" without registering the pass and username.

    Now, catch, I am fairly new to PHP, so what do you mean by limiting down to single subjects to single objects? Also, how would I fix it so the password isn't in the coding? Thanks for the help.
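Added example, not the original poster's code: the same index.php/main.php flow rebuilt so that the session records only who is logged in and never carries the password, and every protected page (the "Whatever" part) just calls one check at the top. Assumptions: a single user whose bcrypt hash is generated at start-up purely for the demo (in real use it is generated once and stored elsewhere), the redirect targets /index.php and /main.php, and the demo password is constructed.

```php
<?php
// Added example, not the original poster's code: session login where the
// password is verified once and only "logged_in" plus the username are kept.

declare(strict_types=1);

// Constructed user store: username => password_hash() output. The hash is
// generated here for the demo only; normally it is created once and stored.
$USERS = ['admin' => password_hash('s3cret-demo', PASSWORD_DEFAULT)];

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/** Verify once, then record only the fact of being logged in. */
function login(string $user, string $pass, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID on privilege change: blocks session fixation
    $_SESSION = [                  // discard anything set before authentication
        'user'      => $user,
        'logged_in' => true,
        'login_at'  => time(),
    ];
    return true;
}

/** Put this at the top of every protected page instead of re-checking the password. */
function require_login(): string
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: /index.php');   // back to the login form
        exit;
    }
    return (string) $_SESSION['user'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

start_session();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // main.php: handle the form submitted by index.php
    if (login((string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? ''), $USERS)) {
        header('Location: /main.php');   // redirect so a reload does not re-POST the password
        exit;
    }
    echo 'Login Invalid: Please Re-enter';
    exit;
}

// Any later request: the page is served only if the session says we are logged in.
$user = require_login();
echo 'Welcome, ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8'), "\n";
```

Compared with the posted main.php, the password never enters $_SESSION, the expected password is not compared on every page, and the session ID is replaced at the moment of login so an ID handed to the victim before login is worthless afterwards.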

  6. #6
    er0k (Guest)

  7. #7
    Senior Member tampabay420 (Join Date: Aug 2002, Posts: 953)
    another good idea might be to use a HASH for the password...

    I like MD5 but SHA1 is very popular as well, although I really don't know the difference in strength...

    anyway

    PHP Code:
    <?php
    // whatever input you want to check (the post used a placeholder variable here)
    $input = $_POST['pass'] ?? '';

    if (md5($input) === '1f3870be274f6c49b3e31a0c6728957f') {
        echo "w00t, Access Granted!";
        #Do Stuff...
    }
    ?>
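Added example, not from the thread, covering two things raised above: catch's point that the password sits in the source, and tampabay420's idea of comparing a hash instead of the password. It keeps a salted, slow hash in a file outside the web root and shows why a bare unsalted md5() in the script is still guessable offline. Assumptions: the hash file path is made up, the demo writes to a temp file instead so it runs anywhere, and the wordlist and the demo password are constructed.

```php
<?php
// Added example, not from the thread: password hash stored outside the source,
// checked with password_verify(), beside a dictionary attack on a plain md5().

declare(strict_types=1);

const HASH_FILE = '/etc/myapp/admin.hash';   // assumed location, not under DocumentRoot

/** One-time setup: store a salted, slow hash instead of the password itself. */
function store_password(string $password, string $file = HASH_FILE): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);  // bcrypt with a random salt
    file_put_contents($file, $hash . "\n", LOCK_EX);
    chmod($file, 0600);                                  // readable by the web user only
}

/** Login-time check: the script never contains the real password or its hash. */
function check_password(string $candidate, string $file = HASH_FILE): bool
{
    $hash = is_readable($file) ? trim((string) file_get_contents($file)) : '';
    return $hash !== '' && password_verify($candidate, $hash);
}

/** Why a bare md5() in the source is weak: unsalted, fast, and guessable. */
function crack_md5(string $target, array $wordlist): ?string
{
    foreach ($wordlist as $word) {
        if (hash_equals($target, md5($word))) {
            return $word;
        }
    }
    return null;
}

// Demo: a temp file stands in for HASH_FILE so the script runs as-is.
$tmp = tempnam(sys_get_temp_dir(), 'hash');
store_password('letmein', $tmp);                 // constructed demo password
var_dump(check_password('letmein', $tmp));       // correct password
var_dump(check_password('LetMeIn', $tmp));       // wrong password
unlink($tmp);

// Constructed wordlist; real attackers use lists with millions of entries.
$wordlist = ['123456', 'password', 'qwerty', 'letmein'];
$md5 = md5('letmein');
echo "md5 {$md5} recovered as: ", crack_md5($md5, $wordlist) ?? 'not in list', "\n";
// The password_hash() value above cannot be attacked this way: each guess
// needs a full password_verify() call, which is deliberately slow and salted.
```

Reading the hash from a file with 0600 permissions means a leaked copy of the PHP source no longer gives away the credential, and bcrypt rather than md5 means that even a leaked hash has to be attacked one slow guess at a time.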

  8. #8
    Banned (Join Date: Apr 2003, Posts: 51)
    OK, a little clarification... is $input the password? And what does 1f3870be274f6c49b3e31a0c6728957f do? Thanks.

  9. #9
    Webius Designerous Indiginous (Join Date: Mar 2002, Location: South Florida, Posts: 1,123)
    One thing you should add is
    $pass = htmlspecialchars($pass);
    $user = htmlspecialchars($user);

    This will take the form input and strip any HTML code from it. You wouldn't want anyone entering

    '?> echo '$_session['username']' <php


    into the password or username field. For better protection you should also create a SQL database, store all the user and pass information in there, and use the password('password') function to encrypt the password at the database level. This will keep your passwords and usernames from being in the script itself. If you have any questions about the PHP, feel free to email me at cmarsh@planetmaddness.com

    xmad
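Added example, not xmaddness's code: the database-backed user store suggested above, with two substitutions stated plainly. The password is hashed in PHP with password_hash() rather than with the database's own password() function, and the form input is left unchanged on the way in and escaped with htmlspecialchars() only where it is printed into HTML (htmlspecialchars converts characters such as < > & " ' into entities; it does not remove them). Assumptions: the pdo_sqlite extension is available, an in-memory SQLite database stands in for the SQL server, and the user and passwords inserted are constructed for the demo.

```php
<?php
// Added example, not xmaddness's code: users in a database via prepared
// statements, hashes made with password_hash(), escaping done at output time.

declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');   // stand-in for MySQL; assumes pdo_sqlite
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id        INTEGER PRIMARY KEY,
        username  TEXT NOT NULL UNIQUE,
        pass_hash TEXT NOT NULL)');
    return $db;
}

/** Registration: the hash, not the password, is what goes into the row. */
function add_user(PDO $db, string $user, string $pass): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $user, ':h' => password_hash($pass, PASSWORD_DEFAULT)]);
}

/** Login: a prepared statement, so the username is data and never part of the SQL. */
function authenticate(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();              // false when no such user
    return $hash !== false && password_verify($pass, (string) $hash);
}

/** Output: escape when rendering, so submitted text is displayed, not interpreted. */
function greeting_html(string $user): string
{
    return 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
}

$db = open_db();
add_user($db, 'admin', 'hunter2-demo');        // constructed credentials

var_dump(authenticate($db, 'admin', 'hunter2-demo'));   // right password
var_dump(authenticate($db, 'admin', 'wrong'));          // wrong password
// A username written to break out of a hand-built query is just a username here:
var_dump(authenticate($db, "admin' OR '1'='1", 'anything'));

// The value the earlier post worried about goes into the page as inert text:
echo greeting_html("'?> echo '\$_session['username']' <php"), "\n";
echo greeting_html('<script>alert(1)</script>'), "\n";
```

The two halves address different risks: the prepared statement stops submitted text from changing the query, and escaping at output stops it from changing the page; a string that is harmless in one place can still be dangerous in the other, so both are needed regardless of which variables the script happens to use.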

  10. #10
    Senior Member (Join Date: Mar 2003, Posts: 452)
    Originally posted here by xmaddness: You wouldn't want anyone entering

    '?> echo '$_session['username']' <php

    Would that only be bad if you use the variable $_session? I'm assuming that if you don't use it, then you don't have anything to worry about; am I right?


    --PuRe
