Re: [PHP] Simple login form with cookies

2009-07-08 Thread Ashley Sheridan
On Wednesday 08 July 2009 04:25:46 Carl Furst wrote:
 These are great ideas.

 Another option would be to have the user choose a pin number and use
 either the literal pin or the encrypted pin as part of the salt. This
 way only when you change the pin do you need to change the password,
 which is probably what you would want anyway.

 Michael A. Peters wrote:
  Carl Furst wrote:
  <?php
  $salt = 'someglobalsaltstring'; # the salt should be the same salt used
  # when storing passwords to your database otherwise it won't work
  $passwd = crypt($_GET['passwd'], $salt);
 
  I personally use the username and the salt.
  That way two users with identical passwords have different hashes.
 
  With large databases, many users will have the same password, there
  are some that are just commonly used. The hackers know what they are,
  and if they get your hash dump, they try their list of commonly used
  passwords against the user names that have the common hashes.
 
  By using the username as part of the salt, you avoid that issue
  because identical passwords will have different hashes.
 
  It does mean the password has to be reset if you allow them to change
  their login name.

and then make a visit to their house to give them a secondary password that 
they have to use. Make sure you're not tailed on the way to avoid the 
password being intercepted...

Thanks,
Ash
http://www.ashleysheridan.co.uk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-08 Thread Andrew Ballard
On Tue, Jul 7, 2009 at 11:05 PM, Michael A. Peters <mpet...@mac.com> wrote:
 Carl Furst wrote:


 <?php
 $salt = 'someglobalsaltstring'; # the salt should be the same salt used
 # when storing passwords to your database otherwise it won't work
 $passwd = crypt($_GET['passwd'], $salt);

 I personally use the username and the salt.
 That way two users with identical passwords have different hashes.

 With large databases, many users will have the same password, there are some
 that are just commonly used. The hackers know what they are, and if they get
 your hash dump, they try their list of commonly used passwords against the
 user names that have the common hashes.

 By using the username as part of the salt, you avoid that issue because
 identical passwords will have different hashes.

 It does mean the password has to be reset if you allow them to change their
 login name.


The password does not need to be reset. You could require that they
provide the password again (even though they are already
authenticated) on the same form with the new username. Then you can do
the same encrypt/compare that you do for authentication, and if it
matches you just update the username and the hash at the same time.

Andrew




Re: [PHP] Simple login form with cookies

2009-07-08 Thread Martin Scotta
$sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
.'\'))';

I use this solution because md5 run faster in Mysql

 On Wed, Jul 8, 2009 at 10:28 AM, Andrew Ballard <aball...@gmail.com> wrote:
  On Tue, Jul 7, 2009 at 11:05 PM, Michael A. Peters <mpet...@mac.com> wrote:
 Carl Furst wrote:


 <?php
 $salt = 'someglobalsaltstring'; # the salt should be the same salt used
 # when storing passwords to your database otherwise it won't work
 $passwd = crypt($_GET['passwd'], $salt);

 I personally use the username and the salt.
 That way two users with identical passwords have different hashes.

 With large databases, many users will have the same password, there are some
 that are just commonly used. The hackers know what they are, and if they get
 your hash dump, they try their list of commonly used passwords against the
 user names that have the common hashes.

 By using the username as part of the salt, you avoid that issue because
 identical passwords will have different hashes.

 It does mean the password has to be reset if you allow them to change their
 login name.


 The password does not need to be reset. You could require that they
 provide the password again (even though they are already
 authenticated) on the same form with the new username. Then you can do
 the same encrypt/compare that you do for authentication, and if it
 matches you just update the username and the hash at the same time.

 Andrew






-- 
Martin Scotta




Re: [PHP] Simple login form with cookies

2009-07-08 Thread Daniel Brown
First, a reminder to several (including some in this thread) that
top-posting is against the law here.

On Wed, Jul 8, 2009 at 09:48, Martin Scotta <martinsco...@gmail.com> wrote:
 $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
 and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
 .'\'))';

Second, another, more important reminder:

<?php
$username = "' OR 1 OR '";
?>

Since the first rows in a database are usually the default
administrator logins, the first to match what is basically a 'match if
this is a row' statement will be logged in.  The moral of the story:
don't forget to clean your input (which I'm sure ya'all were doing
but with top-posters, you never know ;-P).

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

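Daniel's payload run against a query built the way Martin's is, and then against a prepared statement, as an added example that is not code from the thread. It uses an in-memory SQLite table so it runs offline; the users table, its two rows and the sha256-in-PHP stand-in for MySQL's md5(concat(...)) are constructed for the demonstration. The vulnerable function splices the submitted values into the SQL text exactly as the quoted $sql does; the hardened one sends the same values as bound parameters.

```php
<?php
// Added example, not code from the thread. Daniel's payload against a query
// built like Martin's, then against a prepared statement, using an in-memory
// SQLite table constructed here. The users table, its two rows and the
// sha256-in-PHP stand-in for MySQL's md5(concat(...)) are assumptions.

declare(strict_types=1);

function storedHash(string $username, string $password): string
{
    // Same construction as md5(concat(username, '@', password)), computed in
    // PHP so the SQL stays portable to SQLite.
    return hash('sha256', $username . '@' . $password);
}

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, passwd) VALUES (?, ?)');
    // Constructed rows; the administrator is deliberately the first one.
    $ins->execute(['admin', storedHash('admin', 'correct horse battery staple')]);
    $ins->execute(['alice', storedHash('alice', 'hunter2')]);
    return $db;
}

// Vulnerable: the submitted values are spliced into the SQL text, as in the
// quoted $sql = 'SELECT * FROM your-table WHERE username = \'' . $username ...
function loginVulnerable(PDO $db, string $username, string $password): ?string
{
    $hash = storedHash($username, $password);
    $sql  = "SELECT username FROM users WHERE username = '$username' AND passwd = '$hash'";
    $row  = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// Hardened: the statement text is fixed and the values travel as parameters,
// so a quote inside $username can never reshape the WHERE clause.
function loginPrepared(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ? AND passwd = ?');
    $stmt->execute([$username, storedHash($username, $password)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

$db      = makeDb();
$payload = "' OR 1 OR '";   // Daniel's user name, verbatim

// Spliced in, the WHERE clause becomes
//   username = '' OR 1 OR '' AND passwd = '<hex>'
// which is true for every row, so whichever row comes first is "logged in".
var_dump(loginVulnerable($db, $payload, 'anything'));
var_dump(loginPrepared($db, $payload, 'anything'));
var_dump(loginPrepared($db, 'alice', 'hunter2'));
```

Run it with the pdo_sqlite extension loaded. With the payload as the user name, the spliced query matches every row and the vulnerable login hands back the first one, the administrator, for any password at all; the prepared statement compares the literal string ' OR 1 OR ' against the username column and finds nothing. Escaping with mysql_real_escape_string() would also have stopped this particular payload, but only if it is applied to every value in every query, which is exactly the discipline that bound parameters make unnecessary.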



Re: [PHP] Simple login form with cookies

2009-07-08 Thread Andrew Ballard
On Wed, Jul 8, 2009 at 9:48 AM, Martin Scotta <martinsco...@gmail.com> wrote:
 $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
 and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
 .'\'))';

 I use this solution because md5 run faster in Mysql




 --
 Martin Scotta


If you were running a loop to build a rainbow table or brute-force a
password, I could see where that would matter. For authenticating a
single user it seems like premature optimization to me. On my
development machine, where PHP runs slow inside of the IDE, the
average time to perform an md5 hash on a text string of 38 characters
(much longer than most passwords) over 1 iterations is around
0.00085 seconds. I can live with that. :-)  I still like handling the
encryption in PHP and then passing the encrypted value to the database
for storage/comparison.

Andrew




Re: [PHP] Simple login form with cookies

2009-07-08 Thread Eddie Drapkin
On Wed, Jul 8, 2009 at 10:44 AM, Andrew Ballard <aball...@gmail.com> wrote:
 On Wed, Jul 8, 2009 at 9:48 AM, Martin Scotta <martinsco...@gmail.com> wrote:
 $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
 and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
 .'\'))';

 I use this solution because md5 run faster in Mysql




 --
 Martin Scotta


 If you were running a loop to build a rainbow table or brute-force a
 password, I could see where that would matter. For authenticating a
 single user it seems like premature optimization to me. On my
 development machine, where PHP runs slow inside of the IDE, the
 average time to perform an md5 hash on a text string of 38 characters
 (much longer than most passwords) over 1 iterations is around
 0.00085 seconds. I can live with that. :-)  I still like handling the
 encryption in PHP and then passing the encrypted value to the database
 for storage/comparison.

 Andrew




You shouldn't be using md5 or sha1 to hash passwords as both have been
attacked and successfully exploited.  There are other hashing
functions in PHP that you should use.  And FWIW, you WANT hashing to
be slow.  The faster it is, the less complicated the algorithm is
(assuming all implementations are equal), the more easy it is to
break.  And if you're storing hashed passwords as a means of
verification, SALT THEM FOR CHRIST'S SAKE.

//somewhere where you can access it several places, like config.php
define('SALT', '2435kh...@#$@#14asdnaksa10=nsdf'); //random characters, the
//longer and more random, the better.  If it was email compatible, I'd have
//given a real salt read out of /dev/random at some point, like you should be
//doing.

//prepare the password
$password = $_POST['password'] . SALT;
$password = hash('sha512', $password); //assume you've validated $_POST['password']
$username = $_POST['user_name']; //form field name assumed; validate it too

//query the database to make sure the password is the right one
$stmt = $db->prepare('SELECT password FROM users WHERE user_name = ?');
$stmt->bindParam(1, $username); //bind the submitted user name, not the hash
$stmt->execute();
list($dbPass) = $stmt->fetch(PDO::FETCH_NUM);
if ($dbPass === $password) { //strict compare: == would treat '0e...' hex digests as equal numbers
    echo 'success';
} else {
    echo 'failure';
}

The reason you salt passwords, especially with binary characters, is
that without knowing what the salt is, it's nearly impossible to
create a rainbow table and run rainbow table attacks on your database.
 It costs nearly nothing to do, in terms of resource usage and any
sort of human comprehensible scheme to store those hashes is easily
broken.  I've seen {$user}{$randomCharacter}{$password} used before,
and I'd never recommend something so simple.

--Eddie

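The slow, salted hash Eddie is asking for, written as an added example rather than code from the thread. PHP 5.5 added password_hash()/password_verify(), which did not exist when this was posted: bcrypt draws a random 128-bit salt on every call and stores it inside the hash string, so there is no global SALT constant to keep secret and no username-in-salt scheme to rebuild when a name changes. The same block covers Michael's point (two users with the same password get different hashes) and Andrew's rename flow (require the current password on the same form as the new name). The users table, the BCRYPT_COST constant and the sample accounts are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Slow, per-user-salted password
// storage with password_hash()/password_verify() (PHP 5.5+), against an
// in-memory SQLite table constructed here. Table layout, BCRYPT_COST and the
// sample accounts are assumptions for the demonstration.

declare(strict_types=1);

const BCRYPT_COST = 11;   // work factor; raise it as hardware gets faster

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

function register(PDO $db, string $username, string $password): void
{
    // bcrypt draws a fresh random salt on every call and stores it in the
    // result, so no global salt constant is needed or wanted.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $db->prepare('INSERT INTO users (user_name, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE user_name = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown account: verify against a throwaway hash anyway so the
        // response time does not reveal which user names exist.
        static $dummy = null;
        $dummy ??= password_hash('', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $hash)) {   // constant-time comparison inside
        return false;
    }
    // Transparent upgrade when BCRYPT_COST has been raised since the hash was made.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE user_name = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]), $username]);
    }
    return true;
}

// Andrew's rename flow: the current password is required on the same form as
// the new name. Because the salt is random rather than derived from the user
// name, the stored hash stays valid and only the name column changes.
function renameUser(PDO $db, string $oldName, string $newName, string $password): bool
{
    if (!login($db, $oldName, $password)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET user_name = ? WHERE user_name = ?');
    $stmt->execute([$newName, $oldName]);
    return true;
}

$db = makeDb();
register($db, 'alice', 'hunter2');
register($db, 'bob', 'hunter2');   // same password as alice

// Michael's point: identical passwords must not produce identical hashes.
$hashes = $db->query('SELECT user_name, password FROM users')->fetchAll(PDO::FETCH_KEY_PAIR);
var_dump($hashes['alice'] !== $hashes['bob']);

var_dump(login($db, 'alice', 'hunter2'));
var_dump(login($db, 'alice', 'Hunter2'));
var_dump(login($db, 'nobody', 'hunter2'));
var_dump(renameUser($db, 'alice', 'alice2', 'hunter2') && login($db, 'alice2', 'hunter2'));
```

With cost 11 each hash takes somewhere between tens and a few hundred milliseconds on ordinary hardware, which is the property Eddie is after: an attacker holding a dump pays the same price per guess, per user, and cannot precompute a table because every row has its own salt. The dummy verify on unknown user names keeps the login's response time roughly the same whether or not the account exists, so the form does not double as a user enumeration oracle.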



Re: [PHP] Simple login form with cookies

2009-07-08 Thread Michael A. Peters

Daniel Brown wrote:

First, a reminder to several (including some in this thread) that
top-posting is against the law here.

On Wed, Jul 8, 2009 at 09:48, Martin Scotta <martinsco...@gmail.com> wrote:

$sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
.'\'))';


Second, another, more important reminder:

<?php
$username = "' OR 1 OR '";
?>

Since the first rows in a database are usually the default
administrator logins, the first to match what is basically a 'match if
this is a row' statement will be logged in.  The moral of the story:
don't forget to clean your input (which I'm sure ya'all were doing
but with top-posters, you never know ;-P).



prepared statements really do a pretty good job at neutering sql 
injection. But one shouldn't be lazy with input validation anyway.





Re: [PHP] Simple login form with cookies

2009-07-08 Thread PJ
Michael A. Peters wrote:
 Daniel Brown wrote:
 First, a reminder to several (including some in this thread) that
 top-posting is against the law here.

 On Wed, Jul 8, 2009 at 09:48, Martin Scotta <martinsco...@gmail.com>
 wrote:
 $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
 and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
 .'\'))';

 Second, another, more important reminder:

 <?php
 $username = "' OR 1 OR '";
 ?>

 Since the first rows in a database are usually the default
 administrator logins, the first to match what is basically a 'match if
 this is a row' statement will be logged in.  The moral of the story:
 don't forget to clean your input (which I'm sure ya'all were doing
 but with top-posters, you never know ;-P).


 prepared statements really do a pretty good job at neutering sql
 injection. But one shouldn't be lazy with input validation anyway.

I have a couple of questions/comments re all this:

1. Doing the login and processing through https should add a bit more
security, it seems to me.

2. Cleaning is another bloody headache, for me anyway. I have found that
almost every time I try to do some cleaning with trim and
mysql_real_escape_string and stripslashes wipes out my usernames and
passwords. I haven't been able to use them when doing the crypt and
encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit
lost on this.
Specifically, this wipes out my login and password... (I know, this is
old code, but it is supposed to work, no? )
//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);

When I echoed the cleaned $login and $password, they looked like they
had just gone through an acid bath before being hit by Katrina
(hurricane)... ;-) rather whitewashed and empty. There was nothing left
to work with.

-- 
Hervé Kempf: To save the planet, get out of capitalism.
-
Phil Jourdan --- p...@ptahhotep.com
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php





Re: [PHP] Simple login form with cookies

2009-07-08 Thread Andrew Ballard
On Wed, Jul 8, 2009 at 11:53 AM, PJ <af.gour...@videotron.ca> wrote:
 Michael A. Peters wrote:
 Daniel Brown wrote:
     First, a reminder to several (including some in this thread) that
 top-posting is against the law here.

 On Wed, Jul 8, 2009 at 09:48, Martin Scotta <martinsco...@gmail.com>
 wrote:
 $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
 and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
 .'\'))';

     Second, another, more important reminder:

 <?php
 $username = "' OR 1 OR '";
 ?>

     Since the first rows in a database are usually the default
 administrator logins, the first to match what is basically a 'match if
 this is a row' statement will be logged in.  The moral of the story:
 don't forget to clean your input (which I'm sure ya'all were doing
 but with top-posters, you never know ;-P).


 prepared statements really do a pretty good job at neutering sql
 injection. But one shouldn't be lazy with input validation anyway.

 I have a couple of questions/comments re all this:

 1. Doing the login and processing through https should add a bit more
 security, it seems to me.

It does add security between your user's web browser and the web
server. It's up to you to keep it secure once you receive it.

 2. Cleaning is another bloody headache, for me anyway. I have found that
 almost every time I try to do some cleaning with trim and
 mysql_real_escape_string and stripslashes wipes out my usernames and
 passwords. I haven't been able to use them when doing the crypt and
 encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit
 lost on this.
 Specifically, this wipes out my login and password... (I know, this is
 old code, but it is supposed to work, no? )
 //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    //Sanitize the POST values
    $login = clean($_POST['login']);
    $password = clean($_POST['password']);

 When I echoed the cleaned $login and $password, they looked like they
 had just gone through an acid bath before being hit by Katrina
 (hurricane)... ;-) rather whitewashed and empty. There was nothing left
 to work with.

One thing to check - I'm pretty sure that mysql_real_escape_string
will only work if you have an open connection to mysql, because it
uses that connection to figure out what character encoding is being
used so it can escape the string accordingly. (If unable to connect,
it should raise an E_WARNING.)

I'm not sure why you would need to use @ with trim(), but that shouldn't matter.

Otherwise, nothing in there should mangle the input.

Andrew




Re: [PHP] Simple login form with cookies

2009-07-08 Thread Tony Marston
No it isn't. That's just your personal preference. Mine is different.

-- 
Tony Marston
http://www.tonymarston.net
http://www.radicore.org

PJ <af.gour...@videotron.ca> wrote in message
news:4a54c0e8.2080...@videotron.ca...
 Michael A. Peters wrote:
 Daniel Brown wrote:
 First, a reminder to several (including some in this thread) that
 top-posting is against the law here.







Re: [PHP] Simple login form with cookies

2009-07-08 Thread Daniel Brown
On Wed, Jul 8, 2009 at 12:14, Tony Marston <t...@marston-home.demon.co.uk> wrote:
 No it isn't. That's just your personal preference. Mine is different.

Uhh Tony, if that's in response to me, you're wrong.  Please
read the rules before posting what you believe to be fact.  ;-P

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig




Re: [PHP] Simple login form with cookies

2009-07-08 Thread Tony Marston
What rules? I never agreed to abide by any rules before I started posting to 
this group. My newsreader assumes top posting by default, so I have been top 
posting for the past 10 years. If you don't like it then it is your problem, 
not mine.

-- 
Tony Marston
http://www.tonymarston.net
http://www.radicore.org


Daniel Brown <danbr...@php.net> wrote in message
news:ab5568160907080916o1cf9b60et395458e575ee0...@mail.gmail.com...
 On Wed, Jul 8, 2009 at 12:14, Tony Marston <t...@marston-home.demon.co.uk>
 wrote:
 No it isn't. That's just your personal preference. Mine is different.

Uhh Tony, if that's in response to me, you're wrong.  Please
 read the rules before posting what you believe to be fact.  ;-P

 -- 
 /Daniel P. Brown
 daniel.br...@parasane.net || danbr...@php.net
 http://www.parasane.net/ || http://www.pilotpig.net/
 Check out our great hosting and dedicated server deals at
 http://twitter.com/pilotpig 






Re: [PHP] Simple login form with cookies

2009-07-08 Thread Daniel Brown
On Wed, Jul 8, 2009 at 12:38, Tony Marston <t...@marston-home.demon.co.uk> wrote:
 What rules? I never agreed to abide by any rules before I started posting to
 this group. My newsreader assumes top posting by default, so I have been top
 posting for the past 10 years. If you don't like it then it is your problem,
 not mine.

Absolutely 100% completely incorrect, and in all honesty, that's
quite an ignorant attitude.  That's not to say that I think *you* are
ignorant, but rather the attitude toward established rules and
guidelines that have been around long before you began posting, and
will remain long after you leave.

See:
http://php.net/mailing-lists.php --- which links to:
http://php.net/reST/php-src/README.MAILINGLIST_RULES
(Specifically: General #3)

So while it's my problem, it is also *your* problem, as the offender.

If you didn't agree to rules beforehand, that's your issue.
Ignorance is not a defense.  You were - or had the opportunity to be -
made aware of the rules of the list, and as such, agree to abide by
them by continuing to post in this - or any - public forum.  Much the
same as, by traveling to a foreign country, you agree to be bound by
their rules and regulations.  You cannot simply claim that you did not
know of a rule.

And for the record, Gmail assumes top-posting as well.  It takes
between one and three seconds to align each message properly, which is
a pain in the butt each time, I agree, but it's something that has to
be done.  Otherwise, it breaks threads and makes the archives very
difficult to read --- damning the purpose of even having them there
for the benefit of others on the Internet.

For years, we've all adapted to this, because they were the rules,
and because we respect each other enough in the community to follow
them.  Here's hoping that you won't be the odd-man-out of that
respectful group.

Thanks.

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig




Re: [PHP] Simple login form with cookies

2009-07-08 Thread Tony Marston
I do not regard that as a concrete rule, and certainly not one worth 
bothering about. Lots of newsgroups I visited before coming here allowed top 
posting, so it is arrogant for someone to say "I personally don't like top 
posting, so I'll make a rule that disallows it." A sensible rule, and one 
which I have no problem in following, is that if a question is posted in 
English then I will answer in English. That makes sense, whereas no top 
posting does not.

-- 
Tony Marston
http://www.tonymarston.net
http://www.radicore.org

Daniel Brown <danbr...@php.net> wrote in message
news:ab5568160907080950o7fa7af0ckbee192b34410e...@mail.gmail.com...
 On Wed, Jul 8, 2009 at 12:38, Tony Marston <t...@marston-home.demon.co.uk>
 wrote:
 What rules? I never agreed to abide by any rules before I started posting 
 to
 this group. My newsreader assumes top posting by default, so I have been 
 top
 posting for the past 10 years. If you don't like it then it is your 
 problem,
 not mine.

Absolutely 100% completely incorrect, and in all honesty, that's
 quite an ignorant attitude.  That's not to say that I think *you* are
 ignorant, but rather the attitude toward established rules and
 guidelines that have been around long before you began posting, and
 will remain long after you leave.

See:
http://php.net/mailing-lists.php --- which links to:
http://php.net/reST/php-src/README.MAILINGLIST_RULES
 (Specifically: General #3)

So while it's my problem, it is also *your* problem, as the offender.

If you didn't agree to rules beforehand, that's your issue.
 Ignorance is not a defense.  You were - or had the opportunity to be -
 made aware of the rules of the list, and as such, agree to abide by
 them by continuing to post in this - or any - public forum.  Much the
 same as, by traveling to a foreign country, you agree to be bound by
 their rules and regulations.  You cannot simply claim that you did not
 know of a rule.

And for the record, Gmail assumes top-posting as well.  It takes
 between one and three seconds to align each message properly, which is
 a pain in the butt each time, I agree, but it's something that has to
 be done.  Otherwise, it breaks threads and makes the archives very
 difficult to read --- damning the purpose of even having them there
 for the benefit of others on the Internet.

For years, we've all adapted to this, because they were the rules,
 and because we respect each other enough in the community to follow
 them.  Here's hoping that you won't be the odd-man-out of that
 respectful group.

Thanks.

 -- 
 /Daniel P. Brown
 daniel.br...@parasane.net || danbr...@php.net
 http://www.parasane.net/ || http://www.pilotpig.net/
 Check out our great hosting and dedicated server deals at
 http://twitter.com/pilotpig 






Re: [PHP] Simple login form with cookies

2009-07-08 Thread Bastien Koert
On Wed, Jul 8, 2009 at 12:50 PM, Daniel Brown <danbr...@php.net> wrote:
 On Wed, Jul 8, 2009 at 12:38, Tony Marston <t...@marston-home.demon.co.uk>
 wrote:
 What rules? I never agreed to abide by any rules before I started posting to
 this group. My newsreader assumes top posting by default, so I have been top
 posting for the past 10 years. If you don't like it then it is your problem,
 not mine.

    Absolutely 100% completely incorrect, and in all honesty, that's
 quite an ignorant attitude.  That's not to say that I think *you* are
 ignorant, but rather the attitude toward established rules and
 guidelines that have been around long before you began posting, and
 will remain long after you leave.

    See:
        http://php.net/mailing-lists.php --- which links to:
            http://php.net/reST/php-src/README.MAILINGLIST_RULES
 (Specifically: General #3)

    So while it's my problem, it is also *your* problem, as the offender.

    If you didn't agree to rules beforehand, that's your issue.
 Ignorance is not a defense.  You were - or had the opportunity to be -
 made aware of the rules of the list, and as such, agree to abide by
 them by continuing to post in this - or any - public forum.  Much the
 same as, by traveling to a foreign country, you agree to be bound by
 their rules and regulations.  You cannot simply claim that you did not
 know of a rule.

    And for the record, Gmail assumes top-posting as well.  It takes
 between one and three seconds to align each message properly, which is
 a pain in the butt each time, I agree, but it's something that has to
 be done.  Otherwise, it breaks threads and makes the archives very
 difficult to read --- damning the purpose of even having them there
 for the benefit of others on the Internet.

    For years, we've all adapted to this, because they were the rules,
 and because we respect each other enough in the community to follow
 them.  Here's hoping that you won't be the odd-man-out of that
 respectful group.

    Thanks.

 --
 /Daniel P. Brown
 daniel.br...@parasane.net || danbr...@php.net
 http://www.parasane.net/ || http://www.pilotpig.net/
 Check out our great hosting and dedicated server deals at
 http://twitter.com/pilotpig





Gmail on iPhone/iPod touch does the same thing. Fortunately with
copy'n'paste I can now get it to work thru the email interface. The
web version of gmail (while nicer looking) is giving me grief in
moving to the bottom of the message when attempting a reply (hence the
few replies that are top posted, sorry ;-P )
-- 

Bastien

Cat, the other other white meat




Re: [PHP] Simple login form with cookies

2009-07-08 Thread Daniel Brown
On Wed, Jul 8, 2009 at 13:02, Tony Marston <t...@marston-home.demon.co.uk> wrote:
 I do not regard that as a concrete rule, and certainly not one worth
 bothering about. Lots of newsgroups I visited before coming here allowed top
 posting, so it is arrogant for someone to say "I personally don't like top
 posting, so I'll make a rule that disallows it." A sensible rule, and one
 which I have no problem in following, is that if a question is posted in
 English then I will answer in English. That makes sense, whereas no top
 posting does not.

No matter anymore.  You've expressed your distaste for the rules
and your intent on disregarding them, which - in turn - shows that (a)
you believe yourself to be beyond the need to respect the guidelines
the rest of the community follows; and (b) you couldn't give a damn
about contributing to good, solid archives.

There's certainly no way we can force you to follow the rules, so
I'm done discussing it.  It's just a shame that it's not going to work
out in a manner that doesn't speak volumes about your negative
attitude toward others.

Best of luck in everything you do.

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig




Re: [PHP] Simple login form with cookies

2009-07-08 Thread Ashley Sheridan
On Wed, 2009-07-08 at 13:03 -0400, Bastien Koert wrote:
 On Wed, Jul 8, 2009 at 12:50 PM, Daniel Brown <danbr...@php.net> wrote:
  On Wed, Jul 8, 2009 at 12:38, Tony Marston <t...@marston-home.demon.co.uk>
  wrote:
  What rules? I never agreed to abide by any rules before I started posting 
  to
  this group. My newsreader assumes top posting by default, so I have been 
  top
  posting for the past 10 years. If you don't like it then it is your 
  problem,
  not mine.
 
 Absolutely 100% completely incorrect, and in all honesty, that's
  quite an ignorant attitude.  That's not to say that I think *you* are
  ignorant, but rather the attitude toward established rules and
  guidelines that have been around long before you began posting, and
  will remain long after you leave.
 
 See:
 http://php.net/mailing-lists.php --- which links to:
 http://php.net/reST/php-src/README.MAILINGLIST_RULES
  (Specifically: General #3)
 
 So while it's my problem, it is also *your* problem, as the offender.
 
 If you didn't agree to rules beforehand, that's your issue.
  Ignorance is not a defense.  You were - or had the opportunity to be -
  made aware of the rules of the list, and as such, agree to abide by
  them by continuing to post in this - or any - public forum.  Much the
  same as, by traveling to a foreign country, you agree to be bound by
  their rules and regulations.  You cannot simply claim that you did not
  know of a rule.
 
 And for the record, Gmail assumes top-posting as well.  It takes
  between one and three seconds to align each message properly, which is
  a pain in the butt each time, I agree, but it's something that has to
  be done.  Otherwise, it breaks threads and makes the archives very
  difficult to read --- damning the purpose of even having them there
  for the benefit of others on the Internet.
 
 For years, we've all adapted to this, because they were the rules,
  and because we respect each other enough in the community to follow
  them.  Here's hoping that you won't be the odd-man-out of that
  respectful group.
 
 Thanks.
 
  --
  /Daniel P. Brown
  daniel.br...@parasane.net || danbr...@php.net
  http://www.parasane.net/ || http://www.pilotpig.net/
  Check out our great hosting and dedicated server deals at
  http://twitter.com/pilotpig
 
 
 
 
 
 Gmail on iPhone/iPod touch does the same thing. Fortunately with
 copy'n'paste I can now get it to work thru the email interface. The
 web version of gmail (while nicer looking) is giving me grief in
 moving to the bottom of the message when attempting a reply (hence the
 few replies that are top posted, sorry ;-P )
 -- 
 
 Bastien
 
 Cat, the other other white meat
 

My email client does the same thing too, and I find it takes me a whole
second and a half to move my cursor to the right point in the email.
Averaging just over 60 messages in a month, that totals to just over a
minute and a half. Damnit phpgeneral, give me that minute and a half
back of my life!

Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Simple login form with cookies

2009-07-08 Thread Tony Marston
I do not follow rules which cannot be justified beyond the expression "It 
is there, so obey it!" Why is it there? What are the alternatives? What harm 
does it do? What happens if the rule is disobeyed? Top posting existed in 
the early days of the internet, and for a logical reason. Then some arrogant 
prat came along and said "I don't like this, so I am going to make a rule 
which forbids it!" I don't like this rule, so I choose to disobey it.

-- 
Tony Marston
http://www.tonymarston.net
http://www.radicore.org

Daniel Brown danbr...@php.net wrote in message 
news:ab5568160907081021x5e88fc74t90351df08b4d3...@mail.gmail.com...
 On Wed, Jul 8, 2009 at 13:02, Tony Marstont...@marston-home.demon.co.uk 
 wrote:
 I do not regard that as a concrete rule, and certainly not one worth
 bothering about. Lots of newsgroups I visited before coming here allowed top
 posting, so it is arrogant for someone to say "I personally don't like top
 posting, so I'll make a rule that disallows it." A sensible rule, and one
 which I have no problem in following, is that if a question is posted in
 English then I will answer in English. That makes sense, whereas no top
 posting does not.

No matter anymore.  You've expressed your distaste for the rules
 and your intent on disregarding them, which - in turn - shows that (a)
 you believe yourself to be beyond the need to respect the guidelines
 the rest of the community follows; and (b) you couldn't give a damn
 about contributing to good, solid archives.

There's certainly no way we can force you to follow the rules, so
 I'm done discussing it.  It's just a shame that it's not going to work
 out in a manner that doesn't speak volumes about your negative
 attitude toward others.

Best of luck in everything you do.

 -- 
 /Daniel P. Brown
 daniel.br...@parasane.net || danbr...@php.net
 http://www.parasane.net/ || http://www.pilotpig.net/
 Check out our great hosting and dedicated server deals at
 http://twitter.com/pilotpig 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-08 Thread Andrew Ballard
On Wed, Jul 8, 2009 at 3:06 PM, Tony
Marstont...@marston-home.demon.co.uk wrote:
[snip]
 I don't like this rule, so I choose to disobey it.

Now that's some scary ideology.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-08 Thread Shane Hill
just an observation here, but are we not getting close to breaking another
rule?

Do not high-jack threads, by bringing up entirely new topics. Please create
an entirely new thread copying anything you wish to quote into the new
thread.

I know some feel this is important but if I was searching for some help with
a simple login form and cookies, this thread would be useless.

peace,

-Shane

On Wed, Jul 8, 2009 at 12:23 PM, Bob McConnell r...@cbord.com wrote:

 From: Tony Marston

  I do not follow rules which cannot be justified beyond the expression "It
  is there, so obey it!" Why is it there? What are the alternatives? What harm
  does it do? What happens if the rule is disobeyed? Top posting existed in
  the early days of the internet, and for a logical reason. Then some arrogant
  prat came along and said "I don't like this, so I am going to make a rule
  which forbids it!" I don't like this rule, so I choose to disobey it.

 Daniel already explained to you why it is there. Long threads get too
 confusing with top posting. When posted correctly they read
 chronologically from top to bottom so they can be followed and
 understood when referenced a year or two later.

 Top posting did not exist in the early days of the Internet. I was
 active on email listserves and Usenet newsgroups 18 years ago, long
 before Microsoft discovered them and decided that top posting should be
 the norm. All of the other news and email clients I have ever used
 defaulted to bottom posting. It was only in Outlook 2003 that Microsoft
 finally removed that option completely. Previous versions allowed bottom
 posting and even handled the attribution markup correctly.

 Bob McConnell

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Simple login form with cookies

2009-07-08 Thread Bob McConnell
From: Tony Marston

 I do not follow rules which cannot be justified beyond the expression "It
 is there, so obey it!" Why is it there? What are the alternatives? What harm
 does it do? What happens if the rule is disobeyed? Top posting existed in
 the early days of the internet, and for a logical reason. Then some arrogant
 prat came along and said "I don't like this, so I am going to make a rule
 which forbids it!" I don't like this rule, so I choose to disobey it.

Daniel already explained to you why it is there. Long threads get too
confusing with top posting. When posted correctly they read
chronologically from top to bottom so they can be followed and
understood when referenced a year or two later.

Top posting did not exist in the early days of the Internet. I was
active on email listserves and Usenet newsgroups 18 years ago, long
before Microsoft discovered them and decided that top posting should be
the norm. All of the other news and email clients I have ever used
defaulted to bottom posting. It was only in Outlook 2003 that Microsoft
finally removed that option completely. Previous versions allowed bottom
posting and even handled the attribution markup correctly.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-08 Thread Paul M Foster
On Wed, Jul 08, 2009 at 03:23:49PM -0400, Bob McConnell wrote:

 From: Tony Marston
 
  I do not follow rules which cannot be justified beyond the expression "It
  is there, so obey it!" Why is it there? What are the alternatives? What harm
  does it do? What happens if the rule is disobeyed? Top posting existed in
  the early days of the internet, and for a logical reason. Then some arrogant
  prat came along and said "I don't like this, so I am going to make a rule
  which forbids it!" I don't like this rule, so I choose to disobey it.
 
 Daniel already explained to you why it is there. Long threads get too
 confusing with top posting. When posted correctly they read
 chronologically from top to bottom so they can be followed and
 understood when referenced a year or two later.
 
 Top posting did not exist in the early days of the Internet. I was
 active on email listserves and Usenet newsgroups 18 years ago, long
 before Microsoft discovered them and decided that top posting should be
 the norm. All of the other news and email clients I have ever used
 defaulted to bottom posting. It was only in Outlook 2003 that Microsoft
 finally removed that option completely. Previous versions allowed bottom
 posting and even handled the attribution markup correctly.

Also, Tony's mail reader is broken-- Microsoft Outlook Express 6.

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-08 Thread PJ
Andrew Ballard wrote:
 On Wed, Jul 8, 2009 at 11:53 AM, PJaf.gour...@videotron.ca wrote:
   
 Michael A. Peters wrote:
 
 Daniel Brown wrote:
   
 First, a reminder to several (including some in this thread) that
 top-posting is against the law here.

 On Wed, Jul 8, 2009 at 09:48, Martin Scottamartinsco...@gmail.com
 wrote:
 
 $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
 and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
 .'\'))';
   
 Second, another, more important reminder:

 <?php
 $username = "' OR 1 OR '";
 ?>

 Since the first rows in a database are usually the default
 administrator logins, the first to match what is basically a 'match if
 this is a row' statement will be logged in.  The moral of the story:
 don't forget to clean your input (which I'm sure ya'all were doing
 but with top-posters, you never know ;-P).

 
 prepared statements really do a pretty good job at neutering sql
 injection. But one shouldn't be lazy with input validation anyway.

   
 I have a couple of questions/comments re all this:

 1. Doing the login and processing through https should add a bit more
 security, it seems to me.
 

 It does add security between your user's web browser and the web
 server. It's up to you to keep it secure once you receive it.

   
 2. Cleaning is another bloody headache, for me anyway. I have found that
 almost every time I try to do some cleaning with trim and
 mysql_real_escape_string and stripslashes wipes out my usernames and
 passwords. I haven't been able to use them when doing the crypt and
 encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit
 lost on this.
 Specifically, this wipes out my login and password... (I know, this is
 old code, but it is supposed to work, no? )
 //Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}

//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);

 When I echoed the cleaned $login and $password, they looked like they
 had just gone through an acid bath before being hit by Katrina
 (hurricane)... ;-) rather whitewashed and empty. There was nothing left
 to work with.
 

 One thing to check - I'm pretty sure that mysql_real_escape_string
 will only work if you have an open connection to mysql,
It's always open... I think.. do you mean within the active script (the
one I'm working on) ? Yes. yes, it's open.
the user_name was just plain alphabet soup... no special characters...
the password, though, had some uppercase weirdos... like @$$
(backslashing doesn't seem to help)... oh, well :-\
  because it
 uses that connection to figure out what character encoding 
Ohmygod not character encoding... it's such a mess for me. I try to
only use utf8 but there's so much confusion with that that I have stopped
thinking about it until a problem occurs... like in Firefox ... I get
emails with the Western encoding and the utf8 so I often have to
switch... and the printouts don't follow either... lots of little black
diamonds... a real pita.
 is being
 used so it can escape the string accordingly. (If unable to connect,
 it should raise an E_WARNING.)

 I'm not sure why you would need to use @ with trim(), but that shouldn't 
 matter.
   
Frankly, I don't know either. I borrowed the code somewhere; but I
usually just 86 those @ts so I can see errors.
 Otherwise, nothing in there should mangle the input.
   
mangle does as mangle can mangle... :-D
 Andrew

   


-- 
Hervé Kempf: Pour sauver la planète, sortez du capitalisme.
-
Phil Jourdan --- p...@ptahhotep.com
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-08 Thread PJ
Tony Marston wrote:
 I do not follow rules which cannot be justified beyond the expression "It
 is there, so obey it!" Why is it there? What are the alternatives? What harm
 does it do? What happens if the rule is disobeyed?
Damn, isn't life frustrating... in case no one has noticed, 99 % of the
rules we have in society are made by idiots and power hungry dimwits...
how often do you see a politician or leader who is an intelligent
person, let alone an intellectual ?

Hate to say it, but top posting is about as irrelevant to our existence
as a bacterial fart. :-D
 Top posting existed in
 the early days of the internet, and for a logical reason. Then some arrogant
 prat came along and said "I don't like this, so I am going to make a rule
 which forbids it!" I don't like this rule, so I choose to disobey it.

   


-- 
Hervé Kempf: Pour sauver la planète, sortez du capitalisme.
-
Phil Jourdan --- p...@ptahhotep.com
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-08 Thread PJ
Paul M Foster wrote:
 On Wed, Jul 08, 2009 at 03:23:49PM -0400, Bob McConnell wrote:

   
 From: Tony Marston

 
 I do not follow rules which cannot be justified beyond the expression "It
 is there, so obey it!" Why is it there? What are the alternatives? What harm
 does it do? What happens if the rule is disobeyed? Top posting existed in
 the early days of the internet, and for a logical reason. Then some arrogant
 prat came along and said "I don't like this, so I am going to make a rule
 which forbids it!" I don't like this rule, so I choose to disobey it.

 Daniel already explained to you why it is there. Long threads get too
 confusing with top posting. When posted correctly they read
 chronologically from top to bottom so they can be followed and
 understood when referenced a year or two later.

 Top posting did not exist in the early days of the Internet. I was
 active on email listserves and Usenet newsgroups 18 years ago, long
 before Microsoft discovered them and decided that top posting should be
 the norm. All of the other news and email clients I have ever used
 defaulted to bottom posting. It was only in Outlook 2003 that Microsoft
 finally removed that option completely. Previous versions allowed bottom
 posting and even handled the attribution markup correctly.
 

 Also, Tony's mail reader is broken-- Microsoft Outlook Express 6.

 Paul

   
Actually, I prefer middle posting ;-)

-- 
Hervé Kempf: Pour sauver la planète, sortez du capitalisme.
-
Phil Jourdan --- p...@ptahhotep.com
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-08 Thread Andrew Ballard
On Wed, Jul 8, 2009 at 4:45 PM, PJaf.gour...@videotron.ca wrote:
 Andrew Ballard wrote:
 On Wed, Jul 8, 2009 at 11:53 AM, PJaf.gour...@videotron.ca wrote:
 I have a couple of questions/comments re all this:


[snip]

 2. Cleaning is another bloody headache, for me anyway. I have found that
 almost every time I try to do some cleaning with trim and
 mysql_real_escape_string and stripslashes wipes out my usernames and
 passwords. I haven't been able to use them when doing the crypt and
 encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit
 lost on this.
 Specifically, this wipes out my login and password... (I know, this is
 old code, but it is supposed to work, no? )
 //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    //Sanitize the POST values
    $login = clean($_POST['login']);
    $password = clean($_POST['password']);

 When I echoed the cleaned $login and $password, they looked like they
 had just gone through an acid bath before being hit by Katrina
 (hurricane)... ;-) rather whitewashed and empty. There was nothing left
 to work with.


 One thing to check - I'm pretty sure that mysql_real_escape_string
 will only work if you have an open connection to mysql,
 It's always open... I think.. do you mean within the active script (the
 one I'm working on) ? Yes. yes, it's open.


As long as you have called mysql_connect() prior to using
mysql_real_escape_string() and the result of the former was a valid
connection resource, then the latter should work. Otherwise
mysql_real_escape_string() will try to connect with the default
credentials stored in php.ini, and failing that will generate an
E_WARNING that it was unable to connect.

Also, if there is no active connection, mysql_real_escape_string()
returns the boolean value false.


 the user_name was just plain alphabet soup... no special characters...
 the password, though, had some uppercase weirdos... like @$$
 (backslashing doesn't seem to help)... oh, well :-\

You shouldn't need to escape those specific characters in a MySQL
query, so running them through addslashes(), mysql_escape_string(), or
mysql_real_escape_string() would not escape them, and manually
escaping them would not produce desired results.

  because it
 uses that connection to figure out what character encoding
 Ohmygod not character encoding... it's such a mess for me. I try to
 only use utf8 but there's so much confusion with that that I have stopped
 thinking about it until a problem occurs... like in Firefox ... I get
 emails with the Western encoding and the utf8 so I often have to
 switch... and the printouts don't follow either... lots of little black
 diamonds... a real pita.

Here is a blog post that explains why it is important for
mysql_real_escape_string() to consider character sets.

 is being
 used so it can escape the string accordingly. (If unable to connect,
 it should raise an E_WARNING.)

 I'm not sure why you would need to use @ with trim(), but that shouldn't 
 matter.

 Frankly, I don't know either. I borrowed the code somewhere; but I
 usually just 86 those @ts so I can see errors.
 Otherwise, nothing in there should mangle the input.

 mangle does as mangle can mangle... :-D

The function looks pretty straightforward. I'm curious what input you
are passing and how it's being mangled by the function.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-08 Thread Andrew Ballard
Try again, and include the actual link this time, dummy. :-)

On Wed, Jul 8, 2009 at 5:30 PM, Andrew Ballardaball...@gmail.com wrote:
 On Wed, Jul 8, 2009 at 4:45 PM, PJaf.gour...@videotron.ca wrote:
 Andrew Ballard wrote:
 On Wed, Jul 8, 2009 at 11:53 AM, PJaf.gour...@videotron.ca wrote:
 I have a couple of questions/comments re all this:


 [snip]

 2. Cleaning is another bloody headache, for me anyway. I have found that
 almost every time I try to do some cleaning with trim and
 mysql_real_escape_string and stripslashes wipes out my usernames and
 passwords. I haven't been able to use them when doing the crypt and
 encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit
 lost on this.
 Specifically, this wipes out my login and password... (I know, this is
 old code, but it is supposed to work, no? )
 //Function to sanitize values received from the form. Prevents SQL 
 injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    //Sanitize the POST values
    $login = clean($_POST['login']);
    $password = clean($_POST['password']);

 When I echoed the cleaned $login and $password, they looked like they
 had just gone through an acid bath before being hit by Katrina
 (hurricane)... ;-) rather whitewashed and empty. There was nothing left
 to work with.


 One thing to check - I'm pretty sure that mysql_real_escape_string
 will only work if you have an open connection to mysql,
 It's always open... I think.. do you mean within the active script (the
 one I'm working on) ? Yes. yes, it's open.


 As long as you have called mysql_connect() prior to using
 mysql_real_escape_string() and the result of the former was a valid
 connection resource, then the latter should work. Otherwise
 mysql_real_escape_string() will try to connect with the default
 credentials stored in php.ini, and failing that will generate an
 E_WARNING that it was unable to connect.

 Also, if there is no active connection, mysql_real_escape_string()
 returns the boolean value false.


 the user_name was just plain alphabet soup... no special characters...
 the password, though, had some uppercase weirdos... like @$$
 (backslashing doesn't seem to help)... oh, well :-\

 You shouldn't need to escape those specific characters in a MySQL
 query, so running them through addslashes(), mysql_escape_string(), or
 mysql_real_escape_string() would not escape them, and manually
 escaping them would not produce desired results.

  because it
 uses that connection to figure out what character encoding
 Ohmygod not character encoding... it's such a mess for me. I try to
 only use utf8 but there's so much confusion with that that I have stopped
 thinking about it until a problem occurs... like in Firefox ... I get
 emails with the Western encoding and the utf8 so I often have to
 switch... and the printouts don't follow either... lots of little black
 diamonds... a real pita.

 Here is a blog post that explains why it is important for
 mysql_real_escape_string() to consider character sets.

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string


 is being
 used so it can escape the string accordingly. (If unable to connect,
 it should raise an E_WARNING.)

 I'm not sure why you would need to use @ with trim(), but that shouldn't 
 matter.

 Frankly, I don't know either. I borrowed the code somewhere; but I
 usually just 86 those @ts so I can see errors.
 Otherwise, nothing in there should mangle the input.

 mangle does as mangle can mangle... :-D

 The function looks pretty straightforward. I'm curious what input you
 are passing and how it's being mangled by the function.

 Andrew


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: Re: [PHP] Simple login form with cookies

2009-07-08 Thread Jason Carson

 The basic model for password authentication is to use one way crypt
 routines. MySql has several, PHP also has them. The basic algorithm
 would be like this:

 1) read the password from the form.
 2) read the password from your datastore that matches the user name or
 session
 3) encrypt the password on the form.
 4) do a string comparison between the database data and the encrypted
 password from the form.

 This of course assumes that you have been encrypting your password
 when you store them (always good practice) so I think this translates to
 php as (forgive me if this is bogus, it's been a while since I've done
 any php)

 <?php
 $salt = 'someglobalsaltstring'; # the salt should be the same salt used
 # when storing passwords to your database otherwise it won't work
 $passwd = crypt($_GET['passwd'], $salt);
 if ($passwd == $userObject->getPassword()) { return 1; } else { return 0; }
 ?>

 So I've not tested this obviously but you would have to have a
 $userObject which is your interface between your software and your user
 data.

 Hope it helps,
 Carl.


I am encrypting the stored password with SHA1.

I am new to programming and PHP so I am unsure what to do with this line
$userObject->getPassword()



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-07 Thread PJ
PJ wrote:
 Jason Carson wrote:
   
 On Mon, Jul 6, 2009 at 02:19, Jason Carsonja...@jasoncarson.ca wrote:
 
   
 ok, I have two sets of scripts here. One uses setcookie() for logging
 into
 the admin panel and the other uses session_start(). Both are working
 fine,
 is one more secure than the other?
   
 
 $_COOKIE data is written to a file that is readable/writeable and
 stored on the user's side of things.  $_SESSION data is written to the
 server, with a cookie stored on the user's side containing just the
 PHPSESSID (session ID) string to identify the session file on the
 server.

 So determining which is better and/or more secure is really a
 matter of the data held there and how it's handled.  If storing things
 like usernames or you absolutely want to store personal data in an
 active session, do so in $_SESSION.  If you're storing a password or
 credit card number in the active session, you may as well do it in
 $_COOKIE, because you're already using an insecure model.  ;-P

 --
 /Daniel P. Brown
 daniel.br...@parasane.net || danbr...@php.net
 http://www.parasane.net/ || http://www.pilotpig.net/
 Check out our great hosting and dedicated server deals at
 http://twitter.com/pilotpig

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php


 
   
 Well I'm a newbie when it comes to PHP and programming. I guess I need to
 read up on login security. Do you know of, or recommend, any websites that
 will show me how to secure my login model (using cookies or sessions)?

   
 
 Hi Jason,
 I'm probably not any wiser than you, but I have just (today) discovered
 an interesting site that seems to have some really clear explanations
 and tutorials re php, MySQL et al.
 It's worth looking at (I'm trying to implement something like what you
 are, as well):
 http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
 HTH,
 PJ

   
I just found another site which is easier to deal with (chapter
references) and seems to be the original source of the brainbell site:
http://home.bolink.org/ebooks/webP/webdb/index.htm

-- 
Hervé Kempf: Pour sauver la planète, sortez du capitalisme.
-
Phil Jourdan --- p...@ptahhotep.com
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
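
Daniel's cookie-versus-session distinction quoted above, as an added example that is not code from the thread: the index.php -> authenticate.php -> admin.php flow with only the user id from the database lookup kept server-side in $_SESSION, instead of a client-supplied "adminuser" cookie that any browser can send. It assumes PHP 7.3+, HTTPS, and a hypothetical authenticate() that returns the matching user id or null.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes HTTPS (so the secure cookie
// flag is usable) and a hypothetical authenticate($username, $password) that
// does the database lookup and returns the user's id or null.

function startSecureSession(): void
{
    // Take the session id from the cookie only, reject ids the server never
    // issued, and keep the cookie out of script reach and off plain HTTP.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// authenticate.php, once the credentials check out: store the user id that the
// lookup returned (Michael's "user id to store in the session"), never the
// password, and hand out a fresh session id so that a session id which existed
// before login cannot carry the logged-in state.
function loginSucceeded(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
    header('Location: admin.php');
    exit;
}

// admin.php: this replaces isset($_COOKIE['adminuser']). The client only ever
// holds the opaque PHPSESSID; the fact of being logged in lives on the server.
function requireLogin(): int
{
    if (!isset($_SESSION['user_id']) || !is_int($_SESSION['user_id'])) {
        header('Location: index.php');
        exit;
    }
    return $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    // Expire the client's cookie as well as the server-side session data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// authenticate.php, receiving the form posted from index.php:
//   startSecureSession();
//   $id = authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');  // hypothetical
//   if ($id === null) { header('Location: index.php?failed=1'); exit; }
//   loginSucceeded($id);
//
// admin.php:
//   startSecureSession();
//   $userId = requireLogin();
```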



Re: Re: [PHP] Simple login form with cookies

2009-07-07 Thread Carl Furst

The basic model for password authentication is to use one way crypt
routines. MySql has several, PHP also has them. The basic algorithm
would be like this:

1) read the password from the form.
2) read the password from your datastore that matches the user name or
session
3) encrypt the password on the form.
4) do a string comparison between the database data and the encrypted
password from the form.

This of course assumes that you have been encrypting your password
when you store them (always good practice) so I think this translates to
php as (forgive me if this is bogus, it's been a while since I've done
any php)

<?php
$salt = 'someglobalsaltstring'; # the salt should be the same salt used
# when storing passwords to your database otherwise it won't work
$passwd = crypt($_GET['passwd'], $salt);
if ($passwd == $userObject->getPassword()) { return 1; } else { return 0; }
?>

So I've not tested this obviously but you would have to have a
$userObject which is your interface between your software and your user
data.

Hope it helps,
Carl.

PJ wrote:
 PJ wrote:
   
 Jason Carson wrote:
   
 
 On Mon, Jul 6, 2009 at 02:19, Jason Carsonja...@jasoncarson.ca wrote:
 
   
 
 ok, I have two sets of scripts here. One uses setcookie() for logging
 into
 the admin panel and the other uses session_start(). Both are working
 fine,
 is one more secure than the other?
   
 
   
 $_COOKIE data is written to a file that is readable/writeable and
 stored on the user's side of things.  $_SESSION data is written to the
 server, with a cookie stored on the user's side containing just the
 PHPSESSID (session ID) string to identify the session file on the
 server.

 So determining which is better and/or more secure is really a
 matter of the data held there and how it's handled.  If storing things
 like usernames or you absolutely want to store personal data in an
 active session, do so in $_SESSION.  If you're storing a password or
 credit card number in the active session, you may as well do it in
 $_COOKIE, because you're already using an insecure model.  ;-P

 --
 /Daniel P. Brown
 daniel.br...@parasane.net || danbr...@php.net
 http://www.parasane.net/ || http://www.pilotpig.net/
 Check out our great hosting and dedicated server deals at
 http://twitter.com/pilotpig

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php


 
   
 
 Well I'm a newbie when it comes to PHP and programming. I guess I need to
 read up on login security. Do you know of, or recommend, any websites that
 will show me how to secure my login model (using cookies or sessions)?

   
 
   
 Hi Jason,
 I'm probably not any wiser than you, but I have just (today) discovered
 an interesting site that seems to have some really clear explanations
 and tutorials re php, MySQL et al.
 It's worth looking at (I'm trying to implement something like what you
 are, as well):
 http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
 HTH,
 PJ

   
 
 I just found another site which is easier to deal with (chapter
 references) and seems to be the original source of the brainbell site:
 http://home.bolink.org/ebooks/webP/webdb/index.htm

   

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-07 Thread Michael A. Peters

Carl Furst wrote:

The basic model for password authentication is to use one way crypt
routines. MySql has several, PHP also has them. The basic algorithm
would be like this:

1) read the password from the form.
2) read the password from your datastore that matches the user name or
session
3) encrypt the password on the form.
4) do a string comparison between the database data and the encrypted
password from the form.


Read the password on the form.
Encrypt the password on the form using same salt and algorithm you use 
to generate the hash.


Then -

$sql = "SELECT id FROM userdb WHERE user='$user' AND pass='$pass'";

If your query returns a result, you now have a user id to store in the 
session. Otherwise, the login fails.


No need to read from the database and do a string compare.
Of course you need to watch out for injection when doing it that way, 
but that's what prepared statements are for.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
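
Daniel's `' OR 1 OR '` input from earlier in the thread and Michael's `SELECT id FROM userdb` lookup above, side by side as an added example (not code from the thread): the interpolated query and its prepared-statement replacement, run against a constructed in-memory SQLite table. It assumes PHP 7.1+ with PDO's sqlite driver and, as a swapped-in simplification, computes the md5(username@password) hash from Martin's query in PHP rather than in SQL.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Constructed users table in an
// in-memory SQLite database; the two "users" and their passwords are made up.
// The hash is md5(username@password) as in Martin's query, but computed in
// PHP (a swapped-in simplification) so no SQL-side md5()/concat() is needed.
function legacyHash(string $username, string $password): string
{
    return md5($username . '@' . $password);
}

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, passwd) VALUES (?, ?)');
    $ins->execute(['admin', legacyHash('admin', 'correct horse')]);   // first row: the admin
    $ins->execute(['alice', legacyHash('alice', 'hunter2')]);
    return $db;
}

// The pattern Daniel warns about: form input spliced into the SQL text.
// With username = ' OR 1 OR ' the WHERE clause becomes
//   username = '' OR 1 OR '' AND passwd = '...'
// which is true for every row, so the first row (admin) "logs in".
function loginInterpolated(PDO $db, string $username, string $password): ?int
{
    $hash = legacyHash($username, $password);
    $sql  = "SELECT id FROM users WHERE username = '$username' AND passwd = '$hash'";
    $row  = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

// Michael's lookup with the prepared statement he recommends: the driver sends
// the values separately from the SQL, so they can never become syntax.
// The password goes into the hash exactly as submitted; quoting is the
// driver's job, so nothing like PJ's clean() has to touch the value first.
function loginPrepared(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? AND passwd = ?');
    $stmt->execute([$username, legacyHash($username, $password)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

$db       = makeDb();
$injected = "' OR 1 OR '";

printf("interpolated, injected username: %s\n", var_export(loginInterpolated($db, $injected, 'x'), true));
printf("prepared, injected username:     %s\n", var_export(loginPrepared($db, $injected, 'x'), true));
printf("prepared, real credentials:      %s\n", var_export(loginPrepared($db, 'alice', 'hunter2'), true));
```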



Re: [PHP] Simple login form with cookies

2009-07-07 Thread Carl Furst
These are great ideas.

Another option would be to have the user choose a pin number and use
either the literal pin or the encrypted pin as part of the salt. This
way only when you change the pin do you need to change the password,
which is probably what you would want anyway.



Michael A. Peters wrote:
 Carl Furst wrote:


 <?php
 $salt = 'someglobalsaltstring'; # the salt should be the same salt used
 # when storing passwords to your database otherwise it won't work
 $passwd = crypt($_GET['passwd'], $salt);

 I personally use the username and the salt.
 That way two users with identical passwords have different hashes.

 With large databases, many users will have the same password, there
 are some that are just commonly used. The hackers know what they are,
 and if they get your hash dump, they try their list of commonly used
 passwords against the user names that have the common hashes.

 By using the username as part of the salt, you avoid that issue
 because identical passwords will have different hashes.

 It does mean the password has to be reset if you allow them to change
 their login name.



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-07 Thread Michael A. Peters

Carl Furst wrote:



<?php
$salt = 'someglobalsaltstring'; # the salt should be the same salt used
# when storing passwords to your database otherwise it won't work
$passwd = crypt($_GET['passwd'], $salt);


I personally use the username and the salt.
That way two users with identical passwords have different hashes.

With large databases, many users will have the same password, there are 
some that are just commonly used. The hackers know what they are, and if 
they get your hash dump, they try their list of commonly used passwords 
against the user names that have the common hashes.


By using the username as part of the salt, you avoid that issue because 
identical passwords will have different hashes.


It does mean the password has to be reset if you allow them to change 
their login name.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
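Michael Peters' point above, as an added example that is not code from this thread: PHP's crypt() with the posted global salt, the same crypt() with a salt that folds in the username, and password_hash() with a random salt, run over two constructed accounts that share a password. The salt construction, usernames and passwords are assumptions for the demo, and PHP 7.4 or later is assumed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. It shows the collision Michael
// Peters describes: with one global salt, two users who picked the same
// password store the same hash, while folding the username into the salt
// (his suggestion) or using a random per-user salt does not. Usernames,
// passwords and the salt construction are all constructed for the demo.

const GLOBAL_SALT = 'someglobalsaltstring';   // the salt from the thread

/**
 * Scheme 1, as posted: one application-wide salt for every user.
 * Caveat: a salt without a "$id$" prefix makes crypt() fall back to
 * legacy DES, which keeps only the first two salt characters and the
 * first eight password characters. Kept here only to show the collision.
 */
function hashWithGlobalSalt(string $password): string
{
    return crypt($password, GLOBAL_SALT);
}

/**
 * Scheme 2, Peters' suggestion: make the username part of the salt.
 * Hypothetical construction: SHA-512 crypt ("$6$") with a 16-character
 * salt derived from the global salt and the username. As the thread
 * notes, renaming the account then requires a password reset, because
 * the stored hash can no longer be recomputed for the new name.
 */
function hashWithUserSalt(string $username, string $password): string
{
    $salt = substr(hash('sha256', GLOBAL_SALT . ':' . $username), 0, 16);
    return crypt($password, '$6$' . $salt . '$');
}

/** Verification for both crypt() schemes: re-hash with the stored hash. */
function verifyCrypt(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

/**
 * Scheme 3, current PHP practice (assumes PHP >= 5.5): password_hash()
 * draws a random salt per call, so the hash neither collides across
 * users nor depends on the username.
 */
function hashWithRandomSalt(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample: two accounts that chose the same common password.
$accounts = ['alice' => 'letmein1', 'bob' => 'letmein1'];

$global = $perUser = $random = [];
foreach ($accounts as $name => $pw) {
    $global[$name]  = hashWithGlobalSalt($pw);
    $perUser[$name] = hashWithUserSalt($name, $pw);
    $random[$name]  = hashWithRandomSalt($pw);
}

$same = fn(array $h): string => $h['alice'] === $h['bob'] ? 'yes' : 'no';
printf("global salt:   alice and bob share a hash? %s\n", $same($global));
printf("username salt: alice and bob share a hash? %s\n", $same($perUser));
printf("random salt:   alice and bob share a hash? %s\n", $same($random));

// With the global salt, one recovered hash covers every account that
// shares the password; with the other two schemes each account stands alone.
var_dump(verifyCrypt('letmein1', $perUser['alice']));
var_dump(verifyCrypt('wrong-password', $perUser['alice']));
var_dump(password_verify('letmein1', $random['bob']));
```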



Re: [PHP] Simple login form with cookies

2009-07-06 Thread Jason Carson
 On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson <ja...@jasoncarson.ca> wrote:
 Hello everyone,

 I am trying to create a PHP login script using cookies but am having
 some
 troubles. Here is my setup

     index.php -> authenticate.php -> admin.php

 I want a login form on index.php that allows me to login with my username
 and password and then passes $_POST['username'] and $_POST['password'] to
 authenticate.php

 Then authenticate.php authenticates against a database of allowed users
 (which I already have set up and it works fine), if a valid user has
 entered the correct information then admin.php is loaded...

 header("Location: admin.php");

 ...the admin.php code would look something like the following..

 <?php
 if (isset($_COOKIE['username'])) {
     echo "success!";
 } else {
     echo "Failure";
 }
 ?>

 So basically I think I need to create a cookie from index.php OR
 authenticate.php and then pass the information to admin.php.
 I set the cookie like this...

 setcookie("Admin", $username);

 Which file(index.php OR authenticate.php) do I create the cookie and
 how
 do I access the information in the cookie on admin.php?




 I finally got it working. I needed to setcookie() in login.php. Also, the
 names of the cookies (using setcookie()) were wrong (the names were
 "Admin" when they should have been "adminuser" and "adminpass"). Once I
 fixed that then the following worked in admin.php...
 <?php
 if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
     echo "Success";
 } else {
     echo "Failed";
 }
 ?>





 You're not storing anything usable in the adminpass cookie, are you?
 It sort of sounds like you're storing a password, or even a passhash,
 in the cookie and you might want to rethink what that cookie contains
 to prevent session hijacking.

Yeah, I am storing an unencrypted password in the cookie. Should I encrypt
it, if so how, if not what should I do?

I am new to programming and PHP web development so I am not aware of all
the security problems that can occur.



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-06 Thread Eddie Drapkin
On Mon, Jul 6, 2009 at 2:01 AM, Jason Carson <ja...@jasoncarson.ca> wrote:
 On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson <ja...@jasoncarson.ca> wrote:
 Hello everyone,

 I am trying to create a PHP login script using cookies but am having
 some
 troubles. Here is my setup

     index.php -> authenticate.php -> admin.php

 I want a login form on index.php that allows me to login with my username
 and password and then passes $_POST['username'] and $_POST['password'] to
 authenticate.php

 Then authenticate.php authenticates against a database of allowed users
 (which I already have set up and it works fine), if a valid user has
 entered the correct information then admin.php is loaded...

 header("Location: admin.php");

 ...the admin.php code would look something like the following..

 <?php
 if (isset($_COOKIE['username'])) {
     echo "success!";
 } else {
     echo "Failure";
 }
 ?>

 So basically I think I need to create a cookie from index.php OR
 authenticate.php and then pass the information to admin.php.
 I set the cookie like this...

 setcookie("Admin", $username);

 Which file(index.php OR authenticate.php) do I create the cookie and
 how
 do I access the information in the cookie on admin.php?




 I finally got it working. I needed to setcookie() in login.php. Also, the
 names of the cookies (using setcookie()) were wrong (the names were
 "Admin" when they should have been "adminuser" and "adminpass"). Once I
 fixed that then the following worked in admin.php...
 <?php
 if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
     echo "Success";
 } else {
     echo "Failed";
 }
 ?>





 You're not storing anything usable in the adminpass cookie, are you?
 It sort of sounds like you're storing a password, or even a passhash,
 in the cookie and you might want to rethink what that cookie contains
 to prevent session hijacking.

 Yeah, I am storing an unencrypted password in the cookie. Should I encrypt
 it, if so how, if not what should I do?

 I am new to programming and PHP web development so I am not aware of all
 the security problems that can occur.






That's an enormous question without an easy, or even a correct answer.
 I'd start by googling around for session hijacking.  One of the
things that's probably not PC to say, is don't learn to prevent
session hijacking, learn to hijack sessions.  Once you know how to
hijack a session, you can audit your own code and fix the security
holes.

Although the best advice would probably be to find someone else's
session implementation and use that, seeing as there's no real reason
to recreate such a worn-in wheel.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-06 Thread Jason Carson
 On Mon, Jul 6, 2009 at 2:01 AM, Jason Carson <ja...@jasoncarson.ca> wrote:
 On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson <ja...@jasoncarson.ca> wrote:
 Hello everyone,

 I am trying to create a PHP login script using cookies but am having
 some
 troubles. Here is my setup

     index.php -> authenticate.php -> admin.php

 I want a login form on index.php that allows me to login with my username
 and password and then passes $_POST['username'] and $_POST['password'] to
 authenticate.php

 Then authenticate.php authenticates against a database of allowed users
 (which I already have set up and it works fine), if a valid user has
 entered the correct information then admin.php is loaded...

 header("Location: admin.php");

 ...the admin.php code would look something like the following..

 <?php
 if (isset($_COOKIE['username'])) {
     echo "success!";
 } else {
     echo "Failure";
 }
 ?>

 So basically I think I need to create a cookie from index.php OR
 authenticate.php and then pass the information to admin.php.
 I set the cookie like this...

 setcookie("Admin", $username);

 Which file(index.php OR authenticate.php) do I create the cookie and
 how
 do I access the information in the cookie on admin.php?




 I finally got it working. I needed to setcookie() in login.php. Also, the
 names of the cookies (using setcookie()) were wrong (the names were
 "Admin" when they should have been "adminuser" and "adminpass"). Once I
 fixed that then the following worked in admin.php...
 <?php
 if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
     echo "Success";
 } else {
     echo "Failed";
 }
 ?>





 You're not storing anything usable in the adminpass cookie, are you?
 It sort of sounds like you're storing a password, or even a passhash,
 in the cookie and you might want to rethink what that cookie contains
 to prevent session hijacking.

 Yeah, I am storing an unencrypted password in the cookie. Should I
 encrypt
 it, if so how, if not what should I do?

 I am new to programming and PHP web development so I am not aware of all
 the security problems that can occur.






 That's an enormous question without an easy, or even a correct answer.
  I'd start by googling around for session hijacking.  One of the
 things that's probably not PC to say, is don't learn to prevent
 session hijacking, learn to hijack sessions.  Once you know how to
 hijack a session, you can audit your own code and fix the security
 holes.

 Although the best advice would probably be to find someone else's
 session implementation and use that, seeing as there's no real reason
 to recreate such a worn-in wheel.



ok, I have two sets of scripts here. One uses setcookie() for logging into
the admin panel and the other uses session_start(). Both are working fine,
is one more secure than the other?



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-06 Thread Daniel Brown
On Mon, Jul 6, 2009 at 02:19, Jason Carson <ja...@jasoncarson.ca> wrote:

 ok, I have two sets of scripts here. One uses setcookie() for logging into
 the admin panel and the other uses session_start(). Both are working fine,
 is one more secure than the other?

$_COOKIE data is written to a file that is readable/writeable and
stored on the user's side of things.  $_SESSION data is written to the
server, with a cookie stored on the user's side containing just the
PHPSESSID (session ID) string to identify the session file on the
server.

So determining which is better and/or more secure is really a
matter of the data held there and how it's handled.  If storing things
like usernames or you absolutely want to store personal data in an
active session, do so in $_SESSION.  If you're storing a password or
credit card number in the active session, you may as well do it in
$_COOKIE, because you're already using an insecure model.  ;-P

-- 
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-06 Thread Jason Carson
 On Mon, Jul 6, 2009 at 02:19, Jason Carson <ja...@jasoncarson.ca> wrote:

 ok, I have two sets of scripts here. One uses setcookie() for logging
 into
 the admin panel and the other uses session_start(). Both are working
 fine,
 is one more secure than the other?

 $_COOKIE data is written to a file that is readable/writeable and
 stored on the user's side of things.  $_SESSION data is written to the
 server, with a cookie stored on the user's side containing just the
 PHPSESSID (session ID) string to identify the session file on the
 server.

 So determining which is better and/or more secure is really a
 matter of the data held there and how it's handled.  If storing things
 like usernames or you absolutely want to store personal data in an
 active session, do so in $_SESSION.  If you're storing a password or
 credit card number in the active session, you may as well do it in
 $_COOKIE, because you're already using an insecure model.  ;-P

 --
 /Daniel P. Brown
 daniel.br...@parasane.net || danbr...@php.net
 http://www.parasane.net/ || http://www.pilotpig.net/
 Check out our great hosting and dedicated server deals at
 http://twitter.com/pilotpig



Well I'm a newbie when it comes to PHP and programming. I guess I need to
read up on login security. Do you know of, or recommend, any websites that
will show me how to secure my login model (Using cookies or sessions).



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-06 Thread PJ
Jason Carson wrote:
 On Mon, Jul 6, 2009 at 02:19, Jason Carson <ja...@jasoncarson.ca> wrote:
 
 ok, I have two sets of scripts here. One uses setcookie() for logging
 into
 the admin panel and the other uses session_start(). Both are working
 fine,
 is one more secure than the other?
   
 $_COOKIE data is written to a file that is readable/writeable and
 stored on the user's side of things.  $_SESSION data is written to the
 server, with a cookie stored on the user's side containing just the
 PHPSESSID (session ID) string to identify the session file on the
 server.

 So determining which is better and/or more secure is really a
 matter of the data held there and how it's handled.  If storing things
 like usernames or you absolutely want to store personal data in an
 active session, do so in $_SESSION.  If you're storing a password or
 credit card number in the active session, you may as well do it in
 $_COOKIE, because you're already using an insecure model.  ;-P

 --
 /Daniel P. Brown
 daniel.br...@parasane.net || danbr...@php.net
 http://www.parasane.net/ || http://www.pilotpig.net/
 Check out our great hosting and dedicated server deals at
 http://twitter.com/pilotpig



 
 Well I'm a newbie when it comes to PHP and programming. I guess I need to
 read up on login security. Do you know of, or recommend, any websites that
 will show me how to secure my login model (Using cookies or sessions).

   
Hi Jason,
I'm probably not any wiser than you, but I have just (today) discovered
an interesting site that seems to have some really clear explanations
and tutorials re PHP, MySQL et al.
It's worth looking at (I'm trying to implement something like what you
are, as well):
http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
HTH,
PJ

-- 
Hervé Kempf: To save the planet, get out of capitalism.
-
Phil Jourdan --- p...@ptahhotep.com
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-06 Thread Jason Carson
 Jason Carson wrote:
 On Mon, Jul 6, 2009 at 02:19, Jason Carson <ja...@jasoncarson.ca> wrote:

 ok, I have two sets of scripts here. One uses setcookie() for logging
 into
 the admin panel and the other uses session_start(). Both are working
 fine,
 is one more secure than the other?

 $_COOKIE data is written to a file that is readable/writeable and
 stored on the user's side of things.  $_SESSION data is written to the
 server, with a cookie stored on the user's side containing just the
 PHPSESSID (session ID) string to identify the session file on the
 server.

 So determining which is better and/or more secure is really a
 matter of the data held there and how it's handled.  If storing things
 like usernames or you absolutely want to store personal data in an
 active session, do so in $_SESSION.  If you're storing a password or
 credit card number in the active session, you may as well do it in
 $_COOKIE, because you're already using an insecure model.  ;-P

 --
 /Daniel P. Brown
 daniel.br...@parasane.net || danbr...@php.net
 http://www.parasane.net/ || http://www.pilotpig.net/
 Check out our great hosting and dedicated server deals at
 http://twitter.com/pilotpig




 Well I'm a newbie when it comes to PHP and programming. I guess I need
 to
 read up on login security. Do you know of, or recommend, any websites
 that
 will show me how to secure my login model (Using cookies or sessions).


 Hi Jason,
 I'm probably not any wiser than you, but I have just (today) discovered
 an interesting site that seems to have some really clear explanations
 and tutorials re PHP, MySQL et al.
 It's worth looking at (I'm trying to implement something like what you
 are, as well):
 http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
 HTH,
 PJ

 --
 Hervé Kempf: To save the planet, get out of capitalism.
 -
 Phil Jourdan --- p...@ptahhotep.com
http://www.ptahhotep.com
http://www.chiccantine.com/andypantry.php




I'll check it out this evening when I have some time. Thanks for the link.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-05 Thread Paul M Foster
On Mon, Jul 06, 2009 at 12:03:34AM -0400, Jason Carson wrote:

 Hello everyone,
 
 I am trying to create a PHP login script using cookies but am having some
 troubles. Here is my setup
 
     index.php -> authenticate.php -> admin.php

 I want a login form on index.php that allows me to login with my username
 and password and then passes $_POST['username'] and $_POST['password'] to
 authenticate.php

 Then authenticate.php authenticates against a database of allowed users
 (which I already have set up and it works fine), if a valid user has
 entered the correct information then admin.php is loaded...

 header("Location: admin.php");

 ...the admin.php code would look something like the following..

 <?php
 if (isset($_COOKIE['username'])) {
     echo "success!";
 } else {
     echo "Failure";
 }
 ?>

 So basically I think I need to create a cookie from index.php OR
 authenticate.php and then pass the information to admin.php.
 I set the cookie like this...

 setcookie("Admin", $username);
 
 Which file(index.php OR authenticate.php) do I create the cookie and how
 do I access the information in the cookie on admin.php?

Just think about it. I assume you're not going to allow someone to run
admin.php unless they're authenticated. And you plan to determine
whether they're authenticated by checking a cookie. So you can only set
that cookie *after* you've authenticated them. Which means you'll need
to set the cookie after you've processed the results from
authenticate.php. My practice is generally to make forms re-entrant.
That is, the data returned from authenticate.php would be processed by
authenticate.php. You'd need to put a branch in authenticate.php to
determine if this is a fresh invocation of the file, or if the user is
returning data to you. The second time through, you check the returned
values against your database and set your cookie.

Checking the value in the cookie is as you detail it above:
$_COOKIE['blahblah'].

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
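Daniel Brown's cookie-versus-session distinction and Paul Foster's re-entrant authenticate.php, combined in one added example that is not code from the thread: the script renders the form on GET, verifies credentials on POST, and records only the username in $_SESSION, so admin.php checks server-side state instead of the adminuser/adminpass cookies. The user table and its password are constructed stand-ins for the poster's database; PHP 7.1 or later and `php -S localhost:8080` for trying it locally are assumed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. A single re-entrant
// authenticate.php in the style Paul Foster describes (GET shows the
// form, POST checks it) that keeps the login state in $_SESSION, as
// Daniel Brown recommends, instead of the plaintext adminuser/adminpass
// cookies. The user table is a constructed stand-in for the poster's
// database. Assumes PHP >= 7.1; try it with `php -S localhost:8080`.

// Harden the one cookie the browser does keep: the session id.
ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids this server never issued
ini_set('session.cookie_httponly', '1');  // keep document.cookie from reading it
session_start();

/**
 * Constructed stand-in for the "database of allowed users". Only a
 * password_hash() result is stored, never the password itself; a real
 * table would hold the precomputed hash rather than hashing per request.
 */
function allowedUsers(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users;
}

/** True only if the username exists and the password matches its hash. */
function authenticate(string $username, string $password): bool
{
    $users = allowedUsers();
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

/**
 * The check admin.php should run (after the same session setup, from a
 * shared include). The thread's version trusted
 *   isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])
 * which any client satisfies by sending two cookies of its own choosing.
 * $_SESSION['admin_user'] is set only below, after authenticate() succeeds,
 * and the browser holds nothing but an opaque PHPSESSID.
 */
function requireAdmin(): string
{
    if (empty($_SESSION['admin_user'])) {
        header('Location: authenticate.php');
        exit;
    }
    return (string) $_SESSION['admin_user'];
}

// Re-entrant branch: a POST is our own form coming back to us.
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    if (authenticate($user, $pass)) {
        session_regenerate_id(true);      // fresh id once privilege changes
        $_SESSION['admin_user'] = $user;  // the username is all admin.php needs
        header('Location: admin.php');
        exit;
    }
    $error = 'Invalid username or password.';
}
// First visit (GET) or a failed attempt: show the form.
?>
<form method="post" action="authenticate.php">
  <?php if ($error !== '') { echo '<p>', htmlspecialchars($error), '</p>'; } ?>
  <label>Username <input name="username"></label>
  <label>Password <input name="password" type="password"></label>
  <button type="submit">Log in</button>
</form>
```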



Re: [PHP] Simple login form with cookies

2009-07-05 Thread Jason Carson
 Hello everyone,

 I am trying to create a PHP login script using cookies but am having some
 troubles. Here is my setup

     index.php -> authenticate.php -> admin.php

 I want a login form on index.php that allows me to login with my username
 and password and then passes $_POST['username'] and $_POST['password'] to
 authenticate.php

 Then authenticate.php authenticates against a database of allowed users
 (which I already have set up and it works fine), if a valid user has
 entered the correct information then admin.php is loaded...

 header("Location: admin.php");

 ...the admin.php code would look something like the following..

 <?php
 if (isset($_COOKIE['username'])) {
     echo "success!";
 } else {
     echo "Failure";
 }
 ?>

 So basically I think I need to create a cookie from index.php OR
 authenticate.php and then pass the information to admin.php.
 I set the cookie like this...

 setcookie("Admin", $username);

 Which file(index.php OR authenticate.php) do I create the cookie and how
 do I access the information in the cookie on admin.php?




I finally got it working. I needed to setcookie() in login.php. Also, the
names of the cookies (using setcookie()) were wrong (the names were
"Admin" when they should have been "adminuser" and "adminpass"). Once I
fixed that then the following worked in admin.php...
<?php
if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
    echo "Success";
} else {
    echo "Failed";
}
?>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-05 Thread Jason Carson
 Hello everyone,

 I am trying to create a PHP login script using cookies but am having
 some
 troubles. Here is my setup

     index.php -> authenticate.php -> admin.php

 I want a login form on index.php that allows me to login with my username
 and password and then passes $_POST['username'] and $_POST['password'] to
 authenticate.php

 Then authenticate.php authenticates against a database of allowed users
 (which I already have set up and it works fine), if a valid user has
 entered the correct information then admin.php is loaded...

 header("Location: admin.php");

 ...the admin.php code would look something like the following..

 <?php
 if (isset($_COOKIE['username'])) {
     echo "success!";
 } else {
     echo "Failure";
 }
 ?>

 So basically I think I need to create a cookie from index.php OR
 authenticate.php and then pass the information to admin.php.
 I set the cookie like this...

 setcookie("Admin", $username);

 Which file(index.php OR authenticate.php) do I create the cookie and how
 do I access the information in the cookie on admin.php?




 I finally got it working. I needed to setcookie() in login.php. Also, the
oops, I typed login.php when I meant authenticate.php
 names of the cookies (using setcookie()) were wrong (the names were
 "Admin" when they should have been "adminuser" and "adminpass"). Once I
 fixed that then the following worked in admin.php...
 <?php
 if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
     echo "Success";
 } else {
     echo "Failed";
 }
 ?>




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Simple login form with cookies

2009-07-05 Thread Eddie Drapkin
On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson <ja...@jasoncarson.ca> wrote:
 Hello everyone,

 I am trying to create a PHP login script using cookies but am having some
 troubles. Here is my setup

     index.php -> authenticate.php -> admin.php

 I want a login form on index.php that allows me to login with my username
 and password and then passes $_POST['username'] and $_POST['password'] to
 authenticate.php

 Then authenticate.php authenticates against a database of allowed users
 (which I already have set up and it works fine), if a valid user has
 entered the correct information then admin.php is loaded...

 header("Location: admin.php");

 ...the admin.php code would look something like the following..

 <?php
 if (isset($_COOKIE['username'])) {
     echo "success!";
 } else {
     echo "Failure";
 }
 ?>

 So basically I think I need to create a cookie from index.php OR
 authenticate.php and then pass the information to admin.php.
 I set the cookie like this...

 setcookie("Admin", $username);

 Which file(index.php OR authenticate.php) do I create the cookie and how
 do I access the information in the cookie on admin.php?




 I finally got it working. I needed to setcookie() in login.php. Also, the
 names of the cookies (using setcookie()) were wrong (the names were
 "Admin" when they should have been "adminuser" and "adminpass"). Once I
 fixed that then the following worked in admin.php...
 <?php
 if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
     echo "Success";
 } else {
     echo "Failed";
 }
 ?>





You're not storing anything usable in the adminpass cookie, are you?
It sort of sounds like you're storing a password, or even a passhash,
in the cookie and you might want to rethink what that cookie contains
to prevent session hijacking.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php