[PHP] Security Question with my password protected login script...

2004-12-08 Thread Ian Gray
Hello all,

I have the following script called login.inc which I include at the
beginning of each page on my customer control panel.  Basically it checks to
see if a session has been created with user details and if it has it carries
on with the rest of the page and if not the login screen is printed.

My question is, how secure is this?  I have the password, username etc in a
MYSQL database but I haven't encrypted it (don't know how)

Should I have login.inc in a folder below my public_html directory?

I have removed some details such as passwords and swapped that with question
marks.

Many thanks,

Ian Gray

Here is the code:


<?
session_start(); // start session.
if(!isset($username) | !isset($password)) {
// escape from php mode.
?>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Customer Login</title>
<link href="login.css" rel="stylesheet" type="text/css" />

<script language="JavaScript" type="text/javascript"></script>

</head>

<body onLoad="self.focus();document.customerlogin.username.focus()">


<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo "?" . $QUERY_STRING;}?>"
method="POST" name="customerlogin" id="customerlogin">

<table width="500" height="320" border="1" align="center" cellpadding="0"
cellspacing="0" bordercolor="#33" background="images/login.jpg">
  <tr>
<td valign="top"><table width="500" border="0" cellspacing="0"
cellpadding="0">
  <tr>
<td bgcolor="#343399"><div align="right"><img src="images/cl.jpg"
alt="Customer Login&gt;&gt;&gt;" width="400" height="40" /></div></td>
  </tr>
  <tr>
<td><p>&nbsp;</p>
  <p>&nbsp;</p></td>
  </tr>
  <tr>
<td class="texty"><div align="center">Customer control panel. Please enter
  your username and password into the boxes below:</div></td>
  </tr>
  <tr>
<td><table width="300" border="0" align="center" cellpadding="0"
cellspacing="5">
  <tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
  </tr>
  <tr>
<td class="bluey">Username:</td>
<td><input name="username" type="text" class="formy"></td>
  </tr>
  <tr>
<td class="bluey">Password:</td>
<td><input name="password" type="password" class="formy"></td>
  </tr>
  <tr>
<td>&nbsp;</td>
<td>
<div align="center">
  <input type="submit" class="formy"
value="Login&gt;&gt;&gt;">
  </div></td></tr>
</table></td>
  </tr>
  <tr>
<td>&nbsp;</td>
  </tr>

</table></td>
  </tr>
</table></form>
</body>
</html>
<?
exit();
}

// If all is well so far.
session_register("IIDD");
session_register("firstname");
session_register("username");
session_register("password"); // register username and password as session variables.

// Here you would check the supplied username and password against your database to see if they exist.
// For example, a MySQL Query, your method may differ.
$link = mysql_connect("?", "?", "?") or die("Could not connect");
mysql_select_db("s??") or die("Could not select database");
$sql = mysql_query("SELECT customerID, password, firstname FROM customer_details WHERE username = '$username'");
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);

if($numrows != 0 && $password == $fetch_em['password']) {
$valid_user = 1;
}
else {
$valid_user = 0;
}

$firstname = $fetch_em['firstname'];
$IIDD = $fetch_em['customerID'];
// If the username exists and pass is correct, don't pop up the login code again.
// If info can't be found or verified

if (!($valid_user))
{
session_unset();   // Unset session variables.
session_destroy(); // End Session we created earlier.
// escape from php mode.
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Customer Login</title>
<link href="login.css" rel="stylesheet" type="text/css" />
</head>

<body>
<br />
<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo "?" . $QUERY_STRING;}?>"
method="POST">


<table width="500" height="320" border="1" align="center" cellpadding="0"
cellspacing="0" bordercolor="#33" background="images/login.jpg">
  <tr>
<td valign="top"><table width="500" border="0" cellspacing="0"
cellpadding="0">
  <tr>
<td bgcolor="#343399"><div align="right"><img src="images/cl.jpg"
alt="Customer Login&gt;&gt;&gt;" width="400" height="40" /></div></td>
  </tr>
  <tr>
<td><p>&nbsp;</p>
  <p>&nbsp;</p></td>
  </tr>
  <tr>
<td class="texty"><div align="center">Incorrect username and/or
password.  Please enter correct ones to log in:</div></td>
  </tr>
  <tr>
<td><table width="300" border="0" align="center" cellpadding="0"
cellspacing="5">
  <tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
  </tr>
  <tr>
<td class="bluey">Username:</td>
<td><input name="username" type="text" class="formy"></td>
  </tr>
  <tr>
<td class="bluey">Password:</td>
<td><input name="password" type="password" class="formy"></td>
  </tr>
  <tr>
<td>&nbsp;</td>
<td>
<div align="center">
  <input type="submit" class="formy"
value="Login&gt;&gt;&gt;">
  </div></td></tr>
</table></td>

Re: [PHP] Security Question with my password protected login script...

2004-12-08 Thread Richard Lynch
Ian Gray wrote:
> Hello all,
> My question is, how secure is this?  I have the password, username etc in a
> MYSQL database but I haven't encrypted it (don't know how)

The MySQL 'password' function at http://mysql.com would work.

For something that is portable to non MySQL systems, you can use
http://php.net/crypt

> Should I have login.inc in a folder below my public_html directory?

Ideally, *NO* you should not.

It should be a in a directory that is *NOT* below your public_html directory.

Make a directory called 'includes' or 'php' or something similar that is
*NEXT* to your public_html directory.

Then, using either .htaccess and:
php_value include_path ./:/complete/path/from/root/of/server/to/includes

or perhaps http://php.net/set_include_path or http://php.net/set_ini you
want to convince PHP that the directory you just created is in your
include_path.

> I have removed some details such as passwords and swapped that with
> question marks.

Good!

> <?
> session_start(); // start session.
> if(!isset($username) | !isset($password)) {

This should be || and not |, really.

> // escape from php mode.
> ?>

> <html xmlns="http://www.w3.org/1999/xhtml">
...
> </html>
> <?
> exit();
> }

> // If all is well so far.
> session_register("IIDD");
> session_register("firstname");
> session_register("username");
> session_register("password"); // register username and password as session variables.

Not such a good idea, maybe.

They end up being in a file that *ANY* PHP script on your server can use.

If you are on a shared server, that means *EVERY* other user on your
machine that has access to PHP can read the username and password from
your session files.

What you might consider is storing their PHPSESSID into a table in your
database with their username.  You then can look them up with the PHPSESSID
that will be given back to you from their browser on each page.  Also
store the date/time, and update it to now() in every script/page.
Anything older than X minutes, you should consider an expired login, and
force them back to logging in again.

> // Here you would check the supplied username and password against your database to see if they exist.
> // For example, a MySQL Query, your method may differ.
> $link = mysql_connect("?", "?", "?") or die("Could not connect");
> mysql_select_db("s??") or die("Could not select database");
> $sql = mysql_query("SELECT customerID, password, firstname FROM customer_details WHERE username = '$username'");

If you use MySQL's 'password' function, you can do like:

SELECT customer_ID, password = password('$password'), firstname FROM ...

You'll get either 1 or 0 if their password matches the encrypted version
in your database, but you won't actually have their password stored in the
database, and that's Good.

If you want to use crypt, something more like:

SELECT ..., password, ... FROM ...;
.
.
.
if (crypt($password, substr($fetch_em['password'], 0, 2)) == $fetch_em['password']) {
   $valid_user = 1;
}
else {
  $valid_user = 0;
}
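The crypt() approach Richard describes, carried through as an added example (this is not code from the thread): the database column holds the output of crypt() rather than the password itself, and a login attempt is checked by re-running crypt() with the stored value as the salt. It assumes PHP 7.0 or later for random_bytes() and hash_equals(); the function names and the bcrypt salt format are choices made here, not anything from the original post.

```php
<?php
// Added example, not code from the thread. Stores crypt($password, $salt)
// instead of the password and verifies an attempt against that hash.
// Assumes PHP 7.0+ (random_bytes, hash_equals).

// Build a bcrypt salt for crypt(): "$2y$" + cost + "$" + 22 chars of [./A-Za-z0-9].
function make_salt(int $cost = 10): string
{
    $raw = strtr(base64_encode(random_bytes(16)), '+', '.');
    return sprintf('$2y$%02d$%s', $cost, substr($raw, 0, 22));
}

// Value to store in the password column when the account is created.
function hash_password(string $password): string
{
    $hash = crypt($password, make_salt());
    // crypt() signals failure with a string shorter than 13 characters
    // (e.g. "*0"); never store that.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// Check a login attempt. The stored hash doubles as the salt, so this works
// for the 2-character DES salt Richard's substr() call targets as well as for
// bcrypt or SHA-512 hashes. hash_equals() compares in constant time.
function verify_password(string $attempt, string $stored): bool
{
    return hash_equals($stored, crypt($attempt, $stored));
}

// Constructed demonstration, no database involved.
$stored = hash_password('correct horse');
var_dump(verify_password('correct horse', $stored));
var_dump(verify_password('wrong', $stored));
```

Passing the whole stored hash as the salt is the general form of Richard's substr($fetch_em['password'], 0, 2): crypt() reads only the salt prefix it needs for whichever scheme the hash uses. On PHP 5.5 and later, password_hash() and password_verify() wrap exactly this pattern and are the usual way to write it today.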

> $fetch_em = mysql_fetch_array($sql);
> $numrows = mysql_num_rows($sql);

> if($numrows != 0 && $password == $fetch_em['password']) {
> $valid_user = 1;
> }
> else {
> $valid_user = 0;
> }

> $firstname = $fetch_em['firstname'];
> $IIDD = $fetch_em['customerID'];
> // If the username exists and pass is correct, don't pop up the login code again.
> // If info can't be found or verified

> if (!($valid_user))
> {
> session_unset();   // Unset session variables.
> session_destroy(); // End Session we created earlier.
> // escape from php mode.
> ?>
> <html xmlns="http://www.w3.org/1999/xhtml">
...

> </html>
> <?
> exit();
> }
> ?>


Since all the HTML in the two places I put ... is the same (right?) then
that should be an include file, so you can't get them out of sync.

Better yet, would be to re-structure your page so that the first form is
just not there, and you only TRY to log in if (isset($_POST['username']))

So your page is more like this:

<?php
$valid_user = 0; // default, so the test below is defined when no form was posted
if (isset($_POST['username'])){
  //check if they are kosher, and decide on $valid_user setting
}
if (!$valid_user){
?>
<HTML>login form</HTML>
<?php
  exit;
}
?>
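Richard's restructured login.inc, filled in as an added example that is not code from the thread, and combined with his suggestion of keeping the session id in a database table with a last-seen time. Assumptions made here: PHP 7.0 or later with mysqli (mysqlnd, for get_result()); connection constants DB_HOST, DB_USER, DB_PASS and DB_NAME defined in a db_config.inc kept next to this file; the thread's customer_details table (customerID, username, password, firstname) with password holding a crypt() hash; and a customer_sessions table (session_id, customerID, last_seen) whose name and columns are invented for this example. The 20-minute idle limit stands in for the thread's "X minutes".

```php
<?php
// Added example (not code from the thread): login.inc restructured so there
// is one login form, a login is only attempted on a POST, and the session id
// is tied to the customer in a table so it can be expired.
// Assumed: db_config.inc defines DB_HOST, DB_USER, DB_PASS, DB_NAME;
// customer_sessions(session_id, customerID, last_seen) is an assumed table.
require 'db_config.inc';

const IDLE_LIMIT_SECONDS = 20 * 60;   // the thread's "X minutes"; 20 is an assumed value

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);

session_start();
$valid_user = false;
$message = 'Customer control panel. Please enter your username and password:';
$sid = session_id();

if (isset($_POST['username'], $_POST['password'])) {
    // A form was submitted: look the user up by name only, then verify the hash.
    $user = (string) $_POST['username'];
    $stmt = $db->prepare('SELECT customerID, password, firstname FROM customer_details WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // The stored hash doubles as crypt()'s salt; hash_equals() compares in constant time.
    if ($row !== null && hash_equals($row['password'], crypt((string) $_POST['password'], $row['password']))) {
        session_regenerate_id(true);               // fresh id after login
        $sid = session_id();
        $cid = (int) $row['customerID'];
        $_SESSION['customerID'] = $cid;            // only the id and name live in the session file
        $_SESSION['firstname'] = $row['firstname'];

        // Record the session id server-side so it can be looked up and expired.
        $ins = $db->prepare('REPLACE INTO customer_sessions (session_id, customerID, last_seen) VALUES (?, ?, NOW())');
        $ins->bind_param('si', $sid, $cid);
        $ins->execute();
        $ins->close();
        $valid_user = true;
    } else {
        $message = 'Incorrect username and/or password. Please try again:';
    }
} elseif (isset($_SESSION['customerID'])) {
    // No form: check that the session id is known and has not gone idle.
    $stmt = $db->prepare('SELECT customerID, UNIX_TIMESTAMP(last_seen) AS seen FROM customer_sessions WHERE session_id = ?');
    $stmt->bind_param('s', $sid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row !== null && (int) $row['customerID'] === $_SESSION['customerID']
        && time() - (int) $row['seen'] <= IDLE_LIMIT_SECONDS) {
        // Still live: update last_seen to now() on every page, as suggested.
        $upd = $db->prepare('UPDATE customer_sessions SET last_seen = NOW() WHERE session_id = ?');
        $upd->bind_param('s', $sid);
        $upd->execute();
        $upd->close();
        $valid_user = true;
    } else {
        // Unknown or expired: forget it on both sides and fall through to the form.
        $del = $db->prepare('DELETE FROM customer_sessions WHERE session_id = ?');
        $del->bind_param('s', $sid);
        $del->execute();
        $del->close();
        session_unset();
        session_destroy();
        $message = 'Your session has expired. Please log in again:';
    }
}

if (!$valid_user) {
    // Single copy of the login form; only the message varies.
    $action = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8');
?>
<html><head><title>Customer Login</title></head>
<body>
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<form action="<?= $action ?>" method="POST">
Username: <input name="username" type="text">
Password: <input name="password" type="password">
<input type="submit" value="Login">
</form>
</body></html>
<?php
    exit;
}
// Logged in: the page can use $_SESSION['customerID'] and $_SESSION['firstname'].
```

With the file kept in an includes directory next to public_html, as Richard recommends, a page pulls it in with set_include_path(get_include_path() . PATH_SEPARATOR . '/path/to/includes'); followed by require 'login.inc';, or with the .htaccess php_value include_path line he shows. The prepared statements replace the interpolated '$username' in the original query, and the session file now holds only the customer id and first name rather than the username and password.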

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Security Question with my password protected login script...

2004-12-08 Thread John Holmes
Richard Lynch wrote:
> Ian Gray wrote:
>> My question is, how secure is this?  I have the password, username etc in a
>> MYSQL database but I haven't encrypted it (don't know how)
> The MySQL 'password' function at http://mysql.com would work.
> For something that is portable to non MySQL systems, you can use
> http://php.net/crypt
You should not use the MySQL PASSWORD() function within your own 
applications. MD5() is a good alternative as it's implemented in many 
programs including PHP and MySQL.

Other suggestions were good, though. :)
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com