
Thread: PHP Security

  1. #21
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    What error message did you receive? It may have been telling you that you do not have authority to grant permissions, which shouldn't be needed on a phpmyadmin type database anyway. That's really only if you're loading the database on your own system. Usually when a database is generated from a hosting company, they set up all the user grant information for you.

    If the table is in there, then you should be fine.

    The password('password') function is an encryption that MySQL uses for passwords. If you look at the table created

    select * from auth;

    The first insert in the database is an example of not using the password('password') utility. If you look at the table, you will notice the password in plaintext.

    The second insert should show where you inserted password('test123') as 6j9h576KHn86H4mk4 or some other variation of a hash. This just keeps passwords entered into the database secure.

    Are you using the testuser login?

    Try
    login: user
    pass: pass

    Also try the other,

    login: testuser
    pass: test123


    The database structure is basically this. The first column is the UserID: if you notice, it is an auto-increment function that will automatically increase its number by 1 any time a new user is added to the database. It is good to have a unique ID attached to all things in the database.

    The second column is the username, third is the password, the fourth is the e-mail of the person, and the fifth and sixth are things I added to the system. By default, when someone registers, they are marked as admin: no, and activated: no. This was something that was put in to limit access to admin scripts (add/remove user, activate user, etc.). The activation thing is also in there because at one point I will require users to activate themselves via their email. This ensures that the e-mail provided is actually theirs.

    Let me know if you have any more questions.

    xmadd

  2. #22
    Banned
    Join Date
    Apr 2003
    Posts
    51
    Ok, I think I got most of it. I've narrowed the problem down to the "password('pass')" thing, cause it works fine with the first example, but

    with the function, it won't work unless you put the hash in. Here's what I entered into the SQL thing...

    Code:
    create table auth ( 
    userid int unsigned not null auto_increment primary key, 
    username varchar(10) not null, 
    password varchar(30) not null, 
    email varchar(40) not null
    
    ); 
    
    insert into auth values 
    ( '1', 'user', 'pass', 'test@planetmaddness.com'); 
    
    insert into auth values 
    ( '', 'admin', password('admin'), 'testuser@planetmaddness.com'); 
    
    grant select, insert, update, delete 
    on auth.* 
    to tsr-corp 
    identified by 'password';
    and I got this...

    Code:
    Error
    
    SQL-query :  
    
    GRANT SELECT , INSERT , UPDATE , DELETE ON auth . * TO tsr - corpIDENTIFIED BY 'admin' 
    
    MySQL said: 
    
    
    #1064 - You have an error in your SQL syntax near '-corp 
    identified by 'password'' at line 3
    but besides that, it seems to be working pretty well ^_^

  3. #23
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    Yeah, that's most likely because you're using someone else's SQL database and they don't want you messing with passwords and users for that database. They don't want you to be able to change any permissions on your database without them knowing. So all you have to do is take out that last part and just finish with the last insert statement.


    Code:
    create table auth (
    userid int unsigned not null auto_increment primary key,
    username varchar(10) not null,
    -- password() returns 16 chars in MySQL 4.0; 4.1 and later return 41, so widen this column there
    password varchar(30) not null,
    email varchar(40) not null
    );

    -- userid given explicitly
    insert into auth values
    ( 1, 'user', 'pass', 'test@planetmaddness.com');

    -- NULL lets auto_increment assign the next userid; password() stores the hash, not the plaintext
    insert into auth values
    ( NULL, 'admin', password('admin'), 'testuser@planetmaddness.com');

    Thats it...

    If you look in the database you should notice that your password('admin') has been hashed in the actual database.

    xmad

  4. #24
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    I just reread your last post again and noticed you said that the password('admin') was not working right. Are you inserting the password admin in correctly?

    It should work fine. Check to make sure your script is right and is checking the database's pass by doing the query as


    Code:
    $query = 'select * from auth '
        ."where username='$userid' "
        ." and password=password('$password')";

    The password=password('$password') part is the important part. It's querying the database by taking the seed (admin), passing it into a hash, and then comparing those hashes.

    That would be the only reason I could think of for it not to be working properly. Make sure your table is named

    auth
    and that should be it.

    Let me know what happens.


    xmad
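    The login check above, rebuilt as an added example (this is not xmad's code and not what the thread's scripts used): the auth table described in post #21, including the admin and activated columns, plus registration and login using PDO prepared statements and PHP's password_hash()/password_verify() instead of MySQL's PASSWORD(). PASSWORD() output grew from 16 to 41 characters in MySQL 4.1 and the function was removed in MySQL 8.0, so here the hash is computed and compared in PHP. In the concatenated query, a quote character inside $userid or $password becomes part of the SQL text; with a bound parameter it is only ever data, which the "o'brien" lookup at the end shows. The example runs against an in-memory SQLite database so it is self-contained; the sample user is constructed. Assumes PHP 7.1 or later with pdo_sqlite.

```php
<?php
// Added example, not code from the thread. Same auth table as post #21
// (userid, username, password, email, admin, activated), with the login
// check done through prepared statements and password_verify().
// Uses an in-memory SQLite database via PDO so it runs offline.

function createSchema(PDO $db): void
{
    $db->exec(
        'CREATE TABLE auth (
            userid    INTEGER PRIMARY KEY AUTOINCREMENT,
            username  VARCHAR(10)  NOT NULL UNIQUE,
            password  VARCHAR(255) NOT NULL,            -- password_hash() output, never plaintext
            email     VARCHAR(40)  NOT NULL,
            admin     INTEGER NOT NULL DEFAULT 0,       -- new accounts are not admins
            activated INTEGER NOT NULL DEFAULT 0        -- set to 1 after e-mail confirmation
        )'
    );
}

function registerUser(PDO $db, string $username, string $password, string $email): int
{
    // Every value is bound; the hash is salted and computed in PHP.
    $stmt = $db->prepare(
        'INSERT INTO auth (username, password, email) VALUES (:u, :p, :e)'
    );
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
        ':e' => $email,
    ]);
    return (int) $db->lastInsertId();
}

function checkLogin(PDO $db, string $username, string $password): ?array
{
    // The username is a bound parameter, never spliced into the SQL text.
    $stmt = $db->prepare(
        'SELECT userid, username, password, admin, activated FROM auth WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The hash comparison happens here, not in the WHERE clause.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);   // do not hand the hash back to the caller
    return $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

// Constructed sample account, mirroring the thread's testuser/test123.
registerUser($db, 'testuser', 'test123', 'testuser@example.com');

$attempts = [
    ['testuser', 'test123'],   // correct credentials
    ['testuser', 'wrong'],     // wrong password
    ["o'brien",  'test123'],   // quote in the username is just data here
];
foreach ($attempts as [$u, $p]) {
    $row = checkLogin($db, $u, $p);
    printf("%-10s %-8s -> %s\n", $u, $p,
        $row === null ? 'rejected' : 'accepted as userid ' . $row['userid']);
}
```

    Only the username goes to the database; the lookup returns the stored hash and PHP decides whether the password matches. Failed logins and unknown usernames take the same path, so the script gives a caller no hint about which half was wrong.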

  5. #25
    Junior Member
    Join Date
    May 2003
    Posts
    2
    Please refer to
    Programming PHP by Rasmus Lerdorf and Kevin Tatroe, chapter 12.

  6. #26
    Banned
    Join Date
    Apr 2003
    Posts
    51
    Ok, I think I got it, well kinda. I think it was the creating a table part where it messed up, cause the password encrypt thing is working now, although the non-encrypted password doesn't work, but I don't think that should be a problem because I would probably encrypt them. I really appreciate all the help. I'll probably try to do an edit password and forgot password thing, but I'll email you if I have problems. Again, much thanks ^_^

  7. #27
    This whole thread is really helpful! Cheers guys, I have one question really though on the database stuff... I haven't done that since I left school. Are there any tutorials on setting up the databases from scratch for a newbie with a PHP login script in mind??

    Thanks

    Sco

  8. #28
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    I personally learned everything from the MySQL documentation. It's actually pretty good documentation. Here are some other sites that have tutorials on PHP/MySQL relationships (and database creation):

    http://hotwired.lycos.com/webmonkey/...tutorial4.html

    http://www.mysql.com/doc/en/Tutorial.html

    http://www.freewebmasterhelp.com/tutorials/phpmysql/1


    That should get you started. Let me know if you have any specific questions that arise.

    xmaddness
    Planet Maddness Industries
    http://www.planetmaddness.com

  9. #29
    Junior Member
    Join Date
    Apr 2004
    Posts
    1

    General security

    An idea similar to xmaddness's

    Get it to only accept the a-z A-Z 0-9 characters for your user name and password; that way you don't get any unwanted/unknown characters and scripts doing dodgy things to your system.

    DHabit
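    A whitelist check in the spirit of DHabit's suggestion, as an added example (not DHabit's code): the username is held to exactly a-z, A-Z, 0-9 and to the 10-character limit of the thread's CREATE TABLE, before anything reaches the database. The password rule is the editor's design choice rather than DHabit's: because the password is hashed before storage and bound as a query parameter, it gets a length bound instead of a character whitelist, since narrowing the allowed characters makes passwords easier to guess. The 8 to 128 byte limits are assumed.

```php
<?php
// Added example, not code from the thread. Whitelist validation for the
// username, run before any database call; the password gets a length
// bound because it is hashed, not placed in SQL text.

function isValidUsername(string $username): bool
{
    // Exactly the a-z, A-Z, 0-9 set, 1 to 10 characters. \A and \z anchor
    // the whole string; a plain $ would let a trailing newline through.
    // Quotes, spaces, slashes and non-ASCII are all rejected outright.
    return preg_match('/\A[A-Za-z0-9]{1,10}\z/', $username) === 1;
}

function isAcceptablePassword(string $password): bool
{
    // Assumed bounds: at least 8 bytes, at most 128 so the hash function
    // gets a bounded input. Any character is allowed.
    $len = strlen($password);
    return $len >= 8 && $len <= 128;
}

// Constructed candidates covering the cases the regex has to get right.
$usernames = ['alice', 'bob42', "o'brien", 'a b', '', "admin\n", 'way_too_long_name'];
foreach ($usernames as $candidate) {
    printf("%-22s %s\n", var_export($candidate, true),
        isValidUsername($candidate) ? 'accepted' : 'rejected');
}

$passwords = ['short', 'test123!', str_repeat('x', 129)];
foreach ($passwords as $candidate) {
    printf("password of %3d bytes  %s\n", strlen($candidate),
        isAcceptablePassword($candidate) ? 'accepted' : 'rejected');
}
```

    Rejecting a bad username here is a second layer, not the first: the prepared statement is what keeps a stray quote out of the SQL text, and the whitelist keeps junk out of the table and out of anything that later echoes the username into a page.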
