I posted this yesterday and did not get any response at all? Just wondering
if someone can give me some insight into some security measures for a
content management application...
Posted 06/05/2002
Ok, I am not a security expert so I would like to know if my security
measures I have implimented is adequate enough to keep people out. Any
pointers on this would be very helpful as I am trying to impliment a secure
way for people to update a website through the use of a content management
application. Example of code is as follows
// Login form - index.php
<form name="authenticate" method="post" action="auth_done.php">
<input type="text" name="user" size="20" maxlength="20"><br>
<input type="password" name="pw" size="20" maxlength="20"><br>
Select an image to identify yourself as an administrator.<br>
<select name="image">
<option value="image01.jpg">image01</option>
<option value="image02.jpg">image02</option>
<option value="image03.jpg">image03</option>
<option value="image04.jpg">image04</option>
<option value="image05.jpg">image05</option>
</select><br><br>
<input type="submit" name="Login" value="Login">
<input type="reset" name="Reset" value="Reset">
</form>
// Authentication checker - auth_done.php
#############check fields for valid entries in form############
if ((!$u_name) || (!$p_word) || (!$image)){
header("Location: index.php");
exit;
}
############connects to database############
require '/path/to/database/connection/script/dbcon.php';
#############selects database table containing users that are allowed to
use application############
$db_table = 'users';
$sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw =
password(\"$pw\")";
$result = @mysql_query($sql,$dbh) or die("Couldn't execute query");
#############loops through all records to find a match############
$num = mysql_numrows($result);
if ($num !=0) {
#############creates variables for sessions############
$p_hash = "$p_word";
$to_hash = "$image";
#############creates md5 hash of image user selected############
$pstring = md5($to_hash);
#############creates md5 hash of password user entered############
$image_sel = md5(uniqid(microtime($p_word),1));
#############starts session for user############
session_start();
#############registers variables created (md5 of password, username, &
image) in session############
session_register('user');
session_register('$pstring');
session_register('$image_sel');
#############captures users ip address (logging stuff, not listed in this
code for security reasons)############
$ipaddy = $REMOTE_ADDR;
#############echoes success message to authenticated user############
$msg_success = "<b>You have been authorized to make changes to the
website! Your IP address has been recorded and sent to the administrator:
$ipaddy</b>";
} else {
#############this prints if user name and password combination is not
found in database############
print "<p>You are not authorized to use this application!</p>";
exit;
}
Now on each page in the content management app I have these lines of code:
#############Start the session#############
session_start();
#############check session variables#############
if (isset($HTTP_SESSION_VARS['user']) ||
isset($HTTP_SESSION_VARS['$image_sel']) ||
isset($HTTP_SESSION_VARS['$pstring'])) {
$main = "Some kinda message for page in question";
#############connects to database#############
require '/path/to/database/connection/script/dbcon.php';
#############if session variables not registered kick the user back to
login form#############
} else {
header ("Location: index.php");
}
Now just so you know I have changed all the variables to something other
than what I am currently using, however I have made sure that this is a
working example so everything should work as is. Also I have tested this a
few different ways, including: creating a page that tries to include one of
the pages I have my security checks on from another website, linking
directly to a script within the application etc. In any event, I also have
logging setup on each and every script which I have not included here
(different topic), just in case someone does get in I can at least "try" to
find them. Any help, pointers, tutorials, examples, etc. would be
appreciated!!!
TIA
Jas
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
