PHP Security

a hash is a one way encryption method that allows for safe/secure verification of passwords/data...

that strange string you saw earlier was the hash of the password. MD5 is pretty strong (as far as i know) and the only attack method that i know is brute force (that's if they even have the hash).

well i was planning on using sessions also, this is kinda the code i have in mind now...

index.php...

PHP Code:

---

<?php
session_start(); 

?> 


<form method="POST" action="main.php"><font size="2" face="arial">
Username: <input type="text" name="user" size="20">

 
Password: <input type="password" name="pass" size="20">

 
<input type="submit" name="submit" value="  Log In  "> 
</form>

---

then in main.php...

PHP Code:

---


<?php 
session_start(); 

include('pwlist.php');

$pass = htmlspecialchars($_POST['pass']); 
$user = htmlspecialchars($_POST['user']); 

$_SESSION['pass']=$pass; 
$_SESSION['user']=$user; 

$_SESSION['username'] = 'admin';
$_SESSION['password'] = 'admin';



if (md5($username) === $_SESSION['user'] && md5($password) === $_SESSION['pass']) { 

    print "Access Granted";

} 

else {

    print "Access Denied";
}

---

and the password and username is in pwlist.php...

PHP Code:

---


$username='admin';
$password='admin'; 


---

If using sessions isn't smart, what other ways can I do this? (i'm trying to have a login page and when you login, there'll be links that can only be accessed if you're logged in) Is the way i suggested safe? I don't want any people to exploit stuff in the coding. Now also, someone said if anyone gets the source code, then the script's password can be got at, but how can the password stuff be discovered without actually having the script, and not just viewing it through the browser. Thanks

This is what I use for a login script for all my authentication systems. Its pretty simple and uses a database to authenticate.

PHP Code:

---

<?php
session_start();
include('compconfig.php');  //database user info




if (isset($HTTP_POST_VARS['userid']) && isset($HTTP_POST_VARS['password']))
{
  // if the user has just tried to log in
  $userid = $HTTP_POST_VARS['userid'];
  $password = $HTTP_POST_VARS['password'];
  addslashes($userid);
  addslashes($password);
  htmlspecialchars($userid);
  htmlspecialchars($password);

  $sql = mysql_connect($dbhost, $dbuser, $dbpasswd);
 
  mysql_select_db($dbname, $sql);


  $query = 'select * from auth '
           ."where username='$userid' "
           ." and password=password('$password')";
  $result = mysql_query($query, $sql);
  $num_rows = mysql_num_rows($result);
  if ($num_rows >0 )
  {
    // if they are in the database register the user id for the session
    $HTTP_SESSION_VARS['valid_user'] = $userid;    
  }
}
?>
<html>
<body>
<h1>Home page</h1>
<? 
  if (isset($HTTP_SESSION_VARS['valid_user']))
  {
    echo 'You are logged in as: '.$HTTP_SESSION_VARS['valid_user'].' 
';
    echo '[url="logout.php"]Log out[/url]
';
  }
  else
  {
    if (isset($userid))
    {
      // if they've tried and failed to log in
      echo 'Could not log you in';
    }
    else 
    {
      // they have not tried to log in yet or have logged out
      echo 'You are not logged in.
';
    }


    // provide form to log in 
    echo '<form method="post" action="authmain.php">';
    echo '<table>';
    echo '<tr><td>Userid:</td>';
    echo '<td><input type="text" name="userid"></td></tr>';
    echo '<tr><td>Password:</td>';
    echo '<td><input type="password" name="password"></td></tr>';
    echo '<tr><td colspan="2" align="center">';
    echo '<input type="submit" value="Log in"></td></tr>';
    echo '</table></form>';
  }
?>


[url="members_only.php"]Members section[/url]
</body>
</html>

---

here is the code i wrote for security on my servers.

<?php
#########################################################
#
#Server Session authorization page/script
#
#This script will allow 3 successive attempts to log
#into the page, and will ban access from that PC after that.
#
#########################################################

session_start();
$_SESSION['visits']++;
$v= ($visit= $_SESSION['visits']);
$vr= substr(strrev($visit),0,1);
if ($vr==0) $visit .='th';
if ($vr==1) $visit .='st';
if ($vr==2) $visit .='nd';
if ($vr==3) $visit .='rd';
if (($vr>=4)&& ($vr<=9)) $visit .='th';
$ip=getenv("REMOTE_ADDR");

########################################################
#
#
# set the below variables accordungly
#
#
#########################################################


$users=array( 'user1' => 'password1',
'user2' => 'password2',
'user3' => 'password3',
'user4' => 'password4');

$domain="http://www.yourdomain.com";



function main();
{
##########################################################
#
#place the rest of your page here. In further pages,
#you can just check the status of the created session
#variable and force users to this page if the session is invalid.
#
##########################################################





}




#########################################################
#
#
# Leave the rest of the code alone
#
#
#
#########################################################


if ($v >=5)
{
echo '
<style>

body {background: #557; color: white; margin: 0; padding: 0;}
div {border: 1px solid #335;}
h1, div {background: #d99 url(images/Astronaut.jpg) center no-repeat fixed; color: black;}
p {margin: 1em 0; padding: 0;}
span.leader {font-style: italic;}
span.note {font-style: italic; font-size: 12;}
span.info {font-style: normal; font-size: 14; color:red; font-weight: normal;}
span.label {font: italic 1em Arial, sans-serif; letter-spacing: 1px;}

h1, h3, h4 {font-family: Arial, sans-serif; font-style: italic; font-weight: normal; margin: 0; text-transform: lowercase;}
h1 {letter-spacing: 0.75em; color: red; padding: 0.25em 0.33em 0.125em; border-bottom: 5px double #557; border-top: 3px double #CCF;}
h3 {font-weight: bold; color: #113;}
h4 {font-weight: bold; letter-spacing: 0.5em; padding: 0.33em 0.5em 0.167em; border-top: 1px solid #335; border-bottom: 1px solid #557; background: #77A; color: #533;}


div#note p {margin: 0; padding: 0.66em; font-size: 80%; font-family: sans-serif; line-height: 1.33; color: #335;}
div#sidebar div#credits a {padding: 0.33em 0.66em 0.167em 0.66em; letter-spacing: 0; font-weight: normal; text-align: left; font-size: 90%;}

div#main {position: absolute; top: 3em; left: 10%; width: 80%; margin: 1em; padding: 1em 1.5em;}
div#main h3 {letter-spacing: 3px; margin: 1.25em 0 0;}
div#main h3#top {margin-top: 0;}
div#main p {margin: 0.25em 0 1em; line-height: 1.25em;}

small {letter-spacing: 0; font-size: 85%;}

div.NN4 {display: none;}

</style>


<div id="main">
<h1 id="top"><span>Please Leave this Server</span></h3>



<span class="leader">Why Am I Still Here?</span>
You are attempting to access an unauthorized page or resource. Your '.$v.' attempts and IP Address:
'.$ip.' have been logged and the system administrator has been notified. Any further attempts
will be considered actionable as attempts to illegally gain access to this system.</p>

';
exit;

}




if (! pc_validate($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']))
{
header('www-Authenticate: Basic realm="Restricted Zone Server. Your IP is:'.$ip.' Authorized Users Only"');
header('HTTP/1.0 401 Unauthorized');
echo '
<style>

body {background: #557; color: white; margin: 0; padding: 0;}
div {border: 1px solid #335;}
h1, div {background: #99C url(images/Astronaut.jpg) center no-repeat fixed; color: black;}
p {margin: 1em 0; padding: 0;}
span.leader {font-style: italic;}
span.note {font-style: italic; font-size: 12;}
span.info {font-style: normal; font-size: 14; color:red; font-weight: normal;}
span.label {font: italic 1em Arial, sans-serif; letter-spacing: 1px;}

h1, h3, h4 {font-family: Arial, sans-serif; font-style: italic; font-weight: normal; margin: 0; text-transform: lowercase;}
h1 {letter-spacing: 0.75em; color: #446; padding: 0.25em 0.33em 0.125em; border-bottom: 5px double #557; border-top: 3px double #CCF;}
h3 {font-weight: bold; color: #113;}
h4 {font-weight: bold; letter-spacing: 0.5em; padding: 0.33em 0.5em 0.167em; border-top: 1px solid #335; border-bottom: 1px solid #557; background: #77A; color: #335;}


div#note p {margin: 0; padding: 0.66em; font-size: 80%; font-family: sans-serif; line-height: 1.33; color: #335;}
div#sidebar div#credits a {padding: 0.33em 0.66em 0.167em 0.66em; letter-spacing: 0; font-weight: normal; text-align: left; font-size: 90%;}

div#main {position: absolute; top: 3em; left: 10%; width: 80%; margin: 1em; padding: 1em 1.5em;}
div#main h3 {letter-spacing: 3px; margin: 1.25em 0 0;}
div#main h3#top {margin-top: 0;}
div#main p {margin: 0.25em 0 1em; line-height: 1.25em;}

small {letter-spacing: 0; font-size: 85%;}

div.NN4 {display: none;}

</style>



<div id="main">
<h1 id="top"><span>Welcome to the Brownwood Server</span></h3>



<span class="leader">Where Am I?</span>
You are attempting to access a restricted zone server. This Server is for authorized personell only.</p>


<span class="note">
(Note, your login should be the same as your network login, Please contact your Team Leader

if you are not able to log in)</span> </p>

';


$ip = getenv("REMOTE_ADDR");
echo "<span class=\"info\"> <center>All traffic is logged. You are visiting from remote ip: $ip";
echo " and this is your $visit visit</center>
</span>";

if ($v >=4)
{
echo "<span class=\"info\"> <center>Please Desist, the Network Administrator has been automatically notified of your repeated attempts to access this server";
}


echo substr(md5(date("ymd")),0,6);
exit;

}


function pc_validate($user,$pass)
{
global $users;


if (isset($users[$user])&&($users[$user] == $pass))
{

$_SESSION['visits']=-1;
echo '
<style>

body {background: #557; color: white; margin: 0; padding: 0;}
div {border: 1px solid #335;}
h1, div {background: #99C url(images/Astronaut.jpg) center no-repeat fixed; color: black;}
p {margin: 1em 0; padding: 0;}
span.leader {font-style: italic;}
span.note {font-style: italic; font-size: 12;}
span.info {font-style: normal; font-size: 14; color:red; font-weight: normal;}
span.label {font: italic 1em Arial, sans-serif; letter-spacing: 1px;}
button { height:18pt; font:8pt; padding:0 0 0 0; border-width:1 1 1 1; font-family:sans-serif; }
*.buRed { width: 60px; height: 20pt;background: #feeeee; border-color: Red ; color: Red ; font: 10pt;}
*.buBlue { width: 60px; height: 20pt;background: #eeeefe; border-color: Blue ; color: Navy ; font: 10pt;}
input { height: 13pt ; font: 7pt; border-width: 1 1 2 1;background:#eeeefe;}

h1, h3, h4 {font-family: Arial, sans-serif; font-style: italic; font-weight: normal; margin: 0; text-transform: lowercase;}
h1 {letter-spacing: 0.75em; color: #446; padding: 0.25em 0.33em 0.125em; border-bottom: 5px double #557; border-top: 3px double #CCF;}
h3 {font-weight: bold; color: #113;}
h4 {font-weight: bold; letter-spacing: 0.5em; padding: 0.33em 0.5em 0.167em; border-top: 1px solid #335; border-bottom: 1px solid #557; background: #77A; color: #335;}


div#note p {margin: 0; padding: 0.66em; font-size: 80%; font-family: sans-serif; line-height: 1.33; color: #335;}
div#sidebar div#credits a {padding: 0.33em 0.66em 0.167em 0.66em; letter-spacing: 0; font-weight: normal; text-align: left; font-size: 90%;}

div#main {position: absolute; top: 3em; left: 10%; width: 80%; margin: 1em; padding: 1em 1.5em;}
div#main h3 {letter-spacing: 3px; margin: 1.25em 0 0;}
div#main h3#top {margin-top: 0;}
div#main p {margin: 0.25em 0 1em; line-height: 1.25em;}

small {letter-spacing: 0; font-size: 85%;}

div.NN4 {display: none;}

</style>';

main();
}





?>

well i could give the MySQL a try, but i have a few questions. What is in 'compconfig.php', How would i add/delete members, and lastly, how would i do this for multiple pages that i want to link that can only be accessed when you're logged in.

And, Fatherstorm, i think your way of doing stuff is a little too compliated for me o.0 lol but thanks anyway

As far as your other pages. All you have to do is check to see if the Session Variable has been set. if not, then write a redirect to the login page.

PHP Code:

---

<?php


//This file will include all the information that pertains to your database
//This information is kept in a seperate file so that you can just change one file, and all your
//database information is changed in the rest of the php files. just name this compconfig.pfp
//and do an include('compconfig.php'); at the top of any php files that access the database


$dbhost = 'localhost';              //put your host here, if your running the database put localhost
$dbname = 'auth';                //databse name goes here
$dbuser = 'john';                    //databse user login here
$dbpasswd = 'abc123';          //database password here

?>

---

Pretty simple eh?




To add users I did this script.

PHP Code:

---

?php
session_start();
include('compconfig.php');


//add short form variables
$username = $_POST['username'];
$email = $_POST['email'];
$password1 = $_POST['password1'];
$password2 = $_POST['password2'];


//make sure the user didn't put in a huge string as a joke
if(strlen($username)> 10)
{
        echo 'Please limit your username to only 10 characters.';
        exit;
}
if(strlen($email)> 40)
{
        echo 'Please limit your email size to only 40 characters.';
        exit;
}
if(strlen($password1)> 30)
{
        echo 'Please limit your password size to only 30 characters.';
        exit;
}


//trim the whitespace around the entry
$username = trim($username);
$email = trim($email);
$password1 = trim($password1);
$password2 = trim($password2);

//prevent any type of html characters or hacking attempts to be processed.

$username = htmlspecialchars($username);
$email = htmlspecialchars($email);
$password1 = htmlspecialchars($password1);
$password2 = htmlspecialchars($password2);


//did they enter a name?
if (!$username)
{
    echo 'You forgot to enter a username!';
    echo '
 [url="register.html"]Go Back[/url]';
    exit;
} 
//did they enter an email?
if (!$email)
{    
    echo 'You forgot to enter an email address!';
    echo '
 [url="register.html"]Go Back[/url]';
    exit;
}
//did they enter the passwords?
if (!$password1 || !$password2)
{
    echo 'You forgot to enter the passwords';
    echo '
 [url="register.html"]Go Back[/url]';
    exit;
}
//do the passwords match?
if ($password1 != $password2)
{
    echo 'Your passwords do not match!';
    echo '
 [url="register.html"]Go Back[/url]';
    exit;
}

//They are ready to register, so now we make the data safe for the database by adding escape characters

$username = addslashes($username);
$email = addslashes($email);
$password1 = addslashes($password1);
$password2 = addslashes($password2);



//Check to see if the user name is already in the database
  $sql = mysql_connect($dbhost, $dbuser, $dbpasswd);
 
  mysql_select_db($dbname, $sql);

  $query = 'select * from auth '
           ."where username='$username' ";
  $result = mysql_query($query, $sql);
  
  if(!$result)
  {
      echo 'The database is not available at this time.';
    echo '
 Please try your query at another time.
Error = 1';
    exit;
  }
  
  $num_rows = mysql_num_rows($result);
  if ($num_rows >0 )
  {
          echo 'Sorry, but the username '.stripslashes($username).' is already taken.';
        echo '
Please choose another username.';
        echo '
 [url="register.html"]Go Back[/url]';
        exit;
  }
 
//test to see if the e-mail is already in the system, this prevents double registration 
   
 
  mysql_select_db($dbname, $sql);

  $query4 = 'select * from auth '
           ."where email='$email' ";
  $result4 = mysql_query($query4, $sql);
  
  if(!$result4)
  {
      echo 'The database is not available at this time.';
    echo '
 Please try your query at another time.
Error = 4';
    exit;
  }
  
  $num_rows4 = mysql_num_rows($result4);
  if ($num_rows4 >0 )
  {
          echo 'Sorry, but the email address '.stripslashes($email).' is already registered.';
        echo '
Please choose another email address.';
        echo '
 [url="register.html"]Go Back[/url]';
        exit;
  }
 
 
 //If all goes well, register the user.
 
 
 
  $query2 = 'insert into auth values '
              ."( '', '$username', password('$password1'), '$email', 'no', 'no' )"; 
  $result2 = mysql_query($query2, $sql);
  
  if(!$result2)
  {
      echo 'The database is not available at this time.';
    echo '
 Please try your query at another time.
Error = 2';
    exit;
  }
  
  $query3 = 'select * from auth '
              ."where username='$username' ";
  $result3 = mysql_query($query, $sql);
  
  if(!$result3)
  {
      echo 'The database is not available at this time.';
    echo '
 Please try your query at another time.
Error = 3';
    exit;
  }
  
  $num_rows2 = mysql_num_rows($result3);
  if ($num_rows2 >0 )
  {
      echo "Thank you for registering ".stripslashes($username)."!";
    echo "
You may now <a href = 'authmain.php'>login</a>.";
}


  
            


?> 


---

Simply either add a register.html form and have it refer to this script, or just add the form in there somewhere. You can test this script by going to

http://www.planetmaddness.com/comp/register.html

xmad

i think i almost got it, but i have a few more quetsions. I'm not too familier with the "tables"thing in mySQL so i have phpMyAdmin. What do i put in the table name and amount of fields area? Also, what would i put in the other areas in MyAdmin? Thanks

IN my admin put the following code in a sql query.

Quote:

---

create table auth (
userid int unsigned not null auto_increment primary key,
username varchar(10) not null,
password varchar(30) not null,
email varchar(40) not null,
activation varchar(3) not null,
admin varchar(3) default 'no' not null

);

insert into auth values
( '1', 'user', 'pass', '[email protected]', 'yes', 'no');

insert into auth values
( '', 'testuser', password('test123'), '[email protected]', 'yes', 'no' );





grant select, insert, update, delete
on auth.*
to databaseusernamehere
identified by 'databasepasshere';

---

This will insert the table headings and prepare the database for use. It will also insert two example users.


xmadd

ok, i have a few more problems. It seems that I cant login. Now, i'm connecting to the database, but i am not sure if i set the table up right or anything, and
myPHPadmin did give me an error message when i tried to set it up, but it still showed the table and stuff, so i'm not sure if there's anything wrong with it. I just get "Could not Log you in"

Does this have to do with the password('$password')"; part and what does the password() thing do?

Anwyay, i really appresiate all the help, and thanks for bearing with me o.0