Solved

php login security

Posted on 2013-06-24
Last Modified: 2013-06-24
Hi,

I have a login for mysql with php that I tweaked and it works.
Apart from password is readable (just testing it ) what else would I need to do for security?

<?php

ob_start();
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="db_jagguy"; // Database name
$tbl_name="tblogin"; // Table name

// Connect to server and select database.
mysql_connect($host, 'root') or die("cannot connect");
mysql_select_db($db_name)or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM " . $tbl_name . " WHERE login='" . $myusername . "' and password='" . $mypassword . "'";
$result=mysql_query($sql);

// mysql_num_rows counts the rows the query returned
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
session_start();
$_SESSION['myusername']=$myusername;
$_SESSION['mypassword']=$mypassword ;

header("location:login_success.php");
exit; // header() alone does not stop the script; stop here so nothing below runs
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();

?>

//////////////////////
<?php
// Check if session is not registered, redirect back to main page.
// Put this code in first line of web page.

session_start();

if(!isset($_SESSION['myusername'])) {
header("location:login.html");
exit; // stop here, or the rest of the protected page is still sent to the client
//echo "helloe";
}

?>


Question by:jagguy
 
LVL 15

Expert Comment

by:Jagadishwor Dulal
ID: 39271336
You are using mysql_real_escape_string and stripslashes to prevent SQL injection; see the wikiHow site for further work:
http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
 
LVL 58

Expert Comment

by:Gary
ID: 39271362
Stop using mysql_query
http://php.net/manual/en/function.mysql-query.php

http://net.tutsplus.com/tutorials/php/php-database-access-are-you-doing-it-correctly/
And follow the practices in the link.
And of course, have the login over SSL.
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39271460
Add error_reporting(E_ALL) to the top of all your PHP scripts.  This will help you avoid common errors like relying on an undefined variable or constant.

This article shows how to get started in PHP.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html

This article tells the design pattern for PHP client authentication.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

This article tells why and how to get off the MySQL extension.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

Make a Google search for PHP + MySQL security and read the links you find on the first page.  Then join the OWASP project, to keep up-to-date on security.  It's a moving target.  If you think about it carefully, the mantra should be "accept only known good values."
 

Author Comment

by:jagguy
ID: 39273352
My question was about the code I posted, which I understand, and I have done some PHP before. Worrying about newer versions of PHP/MySQL can be looked at in due time, and the host server won't move to a newer version anytime soon, as this would be bad for business.

Also, my code does work, and I did research on security, which is why I got the code in the first place.

I will remove all non-alphanumeric chars from an input string.

I don't believe my question has been answered, as I did research and I would like to know what exactly is the security issue I am facing.
 
LVL 58

Expert Comment

by:Gary
ID: 39273370
I cannot see any security issues with your code. I pointed to the PDO version because it is a more secure way of running queries - it will automatically take care of sql injection formats.
You say "the security issue I am facing" - what security issue?
 

Author Comment

by:jagguy
ID: 39273386
Yes, I will look at the PDO version in time. I thought there was a security issue, but it looks like it is OK. Another issue is that PHP 5.5 hasn't even been released officially? The idea that all the e-commerce websites will suddenly not work because host servers update to PHP 5 is just not going to happen anytime soon. This migration will take YEARS.
 
LVL 58

Expert Comment

by:Gary
ID: 39273401
PDO is available now as standard not just in 5.5
 
LVL 58

Expert Comment

by:Gary
ID: 39273404
That mysql_query will become unsupported means you should be writing your queries future proof i.e. do not be using old technologies for new code.
 

Author Comment

by:jagguy
ID: 39273438
How much work is involved in updating my code? I don't think it really matters for now, but I see your point.
 
LVL 58

Accepted Solution

by: Gary (earned 500 total points)
ID: 39273449
The main difference is using prepared statements - it's slightly different from mysql_query but no more work (probably less work/code).

Set up the db connection; pass in host, db name, username and password, or hardcode them:

// Open the connection; throw exceptions on errors instead of failing silently
$conn = new PDO('mysql:host=localhost;dbname=' . $database_name, $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

Prepare your SQL:

// Placeholders (:mydata1, :mydata2) stand in for the values; the values are bound
// separately in execute(), so user input never becomes part of the SQL text
$stmt = $conn->prepare("SELECT column1,column2 FROM table WHERE comparison1=:mydata1 AND comparison2=:mydata2");
$stmt->execute(array(
    ':mydata1' => $_POST['mydata1'],
    ':mydata2' => $_POST['mydata2']
));

$myresults = $stmt->fetch(PDO::FETCH_ASSOC);

And that basically is it, except for accessing the data - no escaping anything or worrying about injection.
PDO separates the logic of the SQL when passing it to MySQL, removing any problem of SQL injection - basically it tells MySQL "here I am selecting something from a table based on this column" and then it passes the information to base the select on.
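The login from the question rebuilt along the lines of the accepted answer, as an added example (not code from the question or from Gary's answer). Beyond the prepared statement it shows the things the thread touches but does not spell out: the stored password is a password_hash() result rather than readable text, the session holds only the identity and gets a fresh id at login, the session cookie is marked HttpOnly and Secure (so it rides on the SSL Gary recommends), and every header() redirect is followed by exit, since header() on its own does not stop the script. It assumes PHP 5.5 or later (password_hash, password_verify, password_needs_rehash), that tblogin has a unique login column and a VARCHAR(255) column named password_hash, that the site is served over HTTPS, and placeholder database credentials; the helper names (db_connect, set_password, authenticate, handle_login, require_login) are mine.

```php
<?php
// Added example, not code from the question or the accepted answer.
// Assumes PHP >= 5.5 (password_hash/password_verify/password_needs_rehash),
// that tblogin has a unique `login` and a VARCHAR(255) `password_hash` column,
// that the site is served over HTTPS, and placeholder DB credentials.

// Session hardening has to be set before session_start().
ini_set('session.use_only_cookies', 1); // never accept a session id from the URL
ini_set('session.cookie_httponly', 1);  // keep script (XSS) away from the cookie
ini_set('session.cookie_secure', 1);    // cookie only over HTTPS (assumes SSL is on)
session_start();

function db_connect()
{
    // charset in the DSN removes the multibyte-escaping class of bugs;
    // disabling emulation makes MySQL itself keep SQL and values apart.
    $dsn = 'mysql:host=localhost;dbname=db_jagguy;charset=utf8mb4';
    return new PDO($dsn, 'db_user', 'db_password', array( // placeholder credentials
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ));
}

// Create or reset an account. Only the hash is stored, never the password,
// so a dumped table does not hand out working credentials.
function set_password(PDO $pdo, $login, $password)
{
    $stmt = $pdo->prepare(
        'INSERT INTO tblogin (login, password_hash) VALUES (:login, :hash)
         ON DUPLICATE KEY UPDATE password_hash = VALUES(password_hash)'
    );
    $stmt->execute(array(
        ':login' => $login,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ));
}

// Returns the login name on success, false otherwise. The password never
// reaches the SQL at all; the only parameter is the login, bound by PDO.
function authenticate(PDO $pdo, $login, $password)
{
    // Hash verified for unknown users so that path costs about the same time
    // as a wrong password, instead of returning noticeably faster.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT login, password_hash FROM tblogin WHERE login = :login');
    $stmt->execute(array(':login' => $login));
    $row = $stmt->fetch();

    $hash = $row ? $row['password_hash'] : $dummy;
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }
    // Upgrade stored hashes transparently when PASSWORD_DEFAULT or its cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE tblogin SET password_hash = :hash WHERE login = :login');
        $upd->execute(array(
            ':hash'  => password_hash($password, PASSWORD_DEFAULT),
            ':login' => $login,
        ));
    }
    return $row['login'];
}

// The login handler; stands in for the first snippet in the question.
function handle_login(PDO $pdo)
{
    $login    = isset($_POST['myusername']) ? $_POST['myusername'] : '';
    $password = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';

    $user = authenticate($pdo, $login, $password);
    if ($user === false) {
        // One message for both failure cases: no username enumeration.
        echo 'Wrong Username or Password';
        return;
    }
    session_regenerate_id(true);     // fresh id on login defeats session fixation
    $_SESSION['myusername'] = $user; // store the identity only, never the password
    header('Location: login_success.php');
    exit; // header() does not end the script; without exit the code below still runs
}

// Guard for protected pages; stands in for the second snippet in the question.
function require_login()
{
    if (!isset($_SESSION['myusername'])) {
        header('Location: login.html');
        exit; // otherwise the protected page body is still sent to the client
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handle_login(db_connect());
}
```

The exit after each redirect is what actually blocks an unauthenticated client: a browser follows the Location header, but a client that ignores it (curl, a script) would otherwise receive the full protected page. The dummy password_verify on the unknown-user path and the single failure message are there for the same reason: a login form should not tell an attacker which usernames exist.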
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39273524
We write answers here for the purpose of helping you.  If you read the answers and they point you to an article, it's to save you from having to ask a million little questions.

"how much work is involved in updating my code?"
Here is the answer:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

"I dont think it really matters for now..."
If you worked for me, that statement just got you fired.  We told you it matters now!  I need developers who can see the future and avoid future shock.  Especially if the future is written into the documentation of the online man pages!

Best of luck with your project, ~Ray
 
LVL 58

Expert Comment

by:Gary
ID: 39273576
Even though you have accepted my answer I will again (in that I have pointed to it in the past) point you to Ray's great article - a lengthy thing but well worth reading.
What I gave you is a condensed version of writing future proof code (though that in 5 years may well be deprecated)
