How secure is this?

JamesU2005 · 10 Jun 2008 at 11:03

Can any PHP experts take a look at my code and tell me how secure it is?

I realise it's not the cleanest of codes but it works.

PHP:

<?php 

include 'database.php';


$AdminUsername = $_POST['adminusername']; 
$AdminPassword = $_POST['adminpasswordguess']; 



$AdminUser = mysql_real_escape_string($AdminUsername);

$AdminUserChar = str_replace(' ', '', $AdminUser);

$AdminClear = preg_replace("/[^a-zA-Z0-9]/", "", $AdminUserChar);



$AdminPass = mysql_real_escape_string($AdminPassword);

$AdminPassChar = str_replace(' ', '', $AdminPass);

$AdminPassClear = preg_replace("/[^a-zA-Z0-9]/", "", $AdminPassChar);


$query = "SELECT adminid, adminusername, adminpassword FROM admin WHERE adminusername = 'AdminClear' AND adminpassword = '$AdminPassClear'"; 
$result = mysql_query($query);
 
$row = mysql_fetch_array($result);

$AdminID = $row["adminid"]; 

if (mysql_num_rows($result) != 1) {
    header("Location: wrongpassword.php");

} else {
	session_start();
    $_SESSION['adminusername'] = "$AdminUsername";
	$_SESSION['adminuserid'] = "$AdminID";
	$_SESSION['AdminAuthorised'] = "Y";
    include "adminindex.php";
}

?>

and then this at the top of everypage:

PHP:

<?php
session_start();
if ($_SESSION['AdminAuthorised'] != "Y")		
	header("Location: notauthorised.php");?>

Jaffa_Cake · 10 Jun 2008 at 17:52

What exactly are you trying to secure it agains't? Stealing the session id from the cookie would have course bypass it straight away however thats the problem with most things. It looks ok to me

dan^uk · 10 Jun 2008 at 18:20

Do you hash the passwords that you store in the database (you should really)? If so, you need some code in there to hash $AdminPassClear.

JamesU2005 · 10 Jun 2008 at 18:50

Thanks for the replies.

It's just a login system to be used be one person for a mini-CMS I made.

I've not "hased" password because there's only one person that can login but I may do it if you think I should.

Is there anyway that someone could get round my code and login? That's what I want to know.

MMD · 10 Jun 2008 at 23:45

Hashing passwords would make this much safer. I'm no hacker but without hashing, i've heard it's pretty simple to obtain. Obviously this depends how secure your server is too.

Jaffa_Cake · 11 Jun 2008 at 03:22

Theres no way that anyone could log in without
A) Knowing the password
B) Stealing the cookie

If you don't hash the passwords then any exploit on any part of your server which would allow a hacker to access the users table would leave the password in the clear.

JamesU2005 · 11 Jun 2008 at 08:56

Right ok so without hashing the login is safe BUT if the hacker gains access via some other means on the server, it would be compromised without hashing?

adam83 · 11 Jun 2008 at 09:38

Yes, as the password would be visible in the table.

If you MD5 encrypt the password, it's near enough impossible to work out the original password.

Steve2000 · 11 Jun 2008 at 12:22

As a rule of thumb, whenever creating any form of PHP logon system, always use MD5 to encrypt the passwords. Even for just one user. Far more secure this way.

Inquisitor · 11 Jun 2008 at 12:25

adam83 said:
Yes, as the password would be visible in the table.

If you MD5 encrypt the password, it's near enough impossible to work out the original password.

But relatively easy to compute a collision that yields the same digest.

Remember, kids, salt your passwords before hashing!

nav... · 11 Jun 2008 at 12:28

holy overcooking of php batman!!

you can achieve that in far fewer lines and far more securely.

Kemik · 11 Jun 2008 at 12:37

You could encrypt parts of the cookie too.

JamesU2005 · 11 Jun 2008 at 13:18

nav... said:
holy overcooking of php batman!!

you can achieve that in far fewer lines and far more securely.

Explain then?

Kemik said:
You could encrypt parts of the cookie too.

Do you have a link or tutorial?

Kemik · 11 Jun 2008 at 14:51

JamesU2005 said:
Do you have a link or tutorial?

There's a few articles on google but it's fairly simple. The most secure why would be hash the password with the users IP. This prevents password stealing by cookies because it uses the users IP.

E.g. Bobs password "hello" is hashed with his ip; 1. If fred steals bobs password he won't be able to login with the hashed password because fred's ip won't match Bob's.

If that makes sence.

MMD · 11 Jun 2008 at 15:07

What about dynamic ip's?

adam83 · 11 Jun 2008 at 15:37

Yup a little stumped how you could hash it with there ip in case they didn't have a static ip.

May have over looked something so all 'ears'

Kemik · 11 Jun 2008 at 17:53

Depends how your connected to the net I suppose. My IP doesn't change every time I boot my computer. It just changes when my router is restarted, which isn't often. You could always use a static encryption key but this guy said only one person will be using it.