TalkPHP

TalkPHP (http://www.talkphp.com/forums.php)
-   General (http://www.talkphp.com/general/)
-   -   Login Script (http://www.talkphp.com/general/1346-login-script.html)

Jmz 10-27-2007 12:03 PM
Login Script
 
Can anybody point me in the direction of a tutorial that shows you how to make a good, secure login script? All the ones I seem to find have people commenting that they are insecure for one reason or another so I would like to see how to do it properly :)

daz 10-27-2007 02:01 PM
I have a lot of experience with PHP/MySQL logins. I'll try to write a tutorial for you later.

Jmz 10-27-2007 03:13 PM
That would be great, thanks a lot :D

Wildhoney 10-27-2007 10:24 PM
I'd be tempted to construct my login SQL like so:

Code:
$szUsername = 'Wildhoney';
$szPassword = 'myHardToGuessPassword';

$szSQL = sprintf("        SELECT
                                @myPassword:= MD5('%s'),
                                IF(myUsername = '%s', myUsername, NULL) AS myUsername,
                                IF(myPassword = @myPassword, myPassword, NULL) AS myPassword
                        FROM
                                myTable
                        WHERE
                                myUsername = '%s'
                        AND
                                myPassword = @myPassword)",
                        $szPassword,
                        $szUsername,
                        $szUsername);
Therefore if anyone does happen to manage to inject SQL into your query, it'll simply result in a MySQL error, and they won't actually get anywhere.

Karl 10-28-2007 01:24 PM
Surely that way is less secure than the usual SQL statement as you'll be transmitting the password as clear text, whereas usually you'd md5 it in PHP and send it encrypted.

You're also repeating $szUsername in your sprintf arguments, tut tut :P

Seriously though, I don't understand how that method is more secure than the standard approach (assuming you filter and escape data correctly, of course)? Just seems like more work for the same outcome.

Jmz 10-28-2007 02:18 PM
lol see what I mean :p

I just want a nice tutorial I can use that will show me how to do a secure login with no problems :D lol.

Jmz 10-29-2007 10:39 AM
Anybody lol? :D

Wildhoney 10-29-2007 12:09 PM
If you wanted to be really secure then you'd MD5 the password before you sent it to the server using Javascript. Apologies for confusing you JMZ, but I think Daz said he was writing you a little guide :) !

Karl 10-29-2007 01:06 PM
Hi Jmz, as a general rule, for a secure application you should always filter input and escape output (you'll hear that tip again and again). Basically, that means that if you're expecting a string from a form, ensure the data you get really is a string. If you're outputting data to a database, make sure you escape it first using mysql_escape_string(). Following these two rules will make your application a lot more secure.

So let's say that you are expecting szUsername and szPassword from $_POST, you could filter these using the built in filter functions:

PHP Code:
$aFilterOptions = array
(
    'szEmail'           => FILTER_SANITIZE_EMAIL,
    'szPassword'    => FILTER_SANITIZE_STRING
);

$aFiltered filter_input_array(INPUT_POST$aFilterOptions); 
Then you simply escape the values before using them in your query, such as:

PHP Code:
$szSql sprint("    SELECT 
                        * 
                    FROM 
                        members 
                    WHERE 
                        username = '%s' AND
                        password = '%s'",
                    mysql_escape_string($aFiltered['szUsername']),    
                    mysql_escape_string($aFiltered['szPassword'])) 

daz 10-31-2007 12:10 PM
Hi Jmz,

Unfortunately I couldn't write a tutorial but you can try this script:

http://www.talkphp.com/showthread.php?p=3536

Tanax 11-17-2007 01:09 PM
Quote:
Originally Posted by Karl (Post 3471)
Hi Jmz, as a general rule, for a secure application you should always filter input and escape output (you'll hear that tip again and again). Basically, that means that if you're expecting a string from a form, ensure the data you get really is a string. If you're outputting data to a database, make sure you escape it first using mysql_escape_string(). Following these two rules will make your application a lot more secure.

So let's say that you are expecting szUsername and szPassword from $_POST, you could filter these using the built in filter functions:

PHP Code:
$aFilterOptions = array
(
    'szEmail'           => FILTER_SANITIZE_EMAIL,
    'szPassword'    => FILTER_SANITIZE_STRING
);

$aFiltered filter_input_array(INPUT_POST$aFilterOptions); 
Then you simply escape the values before using them in your query, such as:

PHP Code:
$szSql sprint("    SELECT 
                        * 
                    FROM 
                        members 
                    WHERE 
                        username = '%s' AND
                        password = '%s'",
                    mysql_escape_string($aFiltered['szUsername']),    
                    mysql_escape_string($aFiltered['szPassword'])) 
You didn't use username in the $aFilterOptions.

But anyways, does the fieldname have to the same as the ones used in the array $aFilterOptions ??

So if you have
PHP Code:
$aFilterOptions = array(

'email' => blablabla whatever

); 
You have to have like this?
HTML Code:
<form action="ble.php" method="POST">
<input type="text" name="email">
</form>
??


All times are GMT. The time now is 12:41 AM.

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0