[How-To] PHP Security

Soldato
Joined
10 Sep 2003
Posts
4,940
Location
Midlands
it works in the same way as addslashes().

Code:
$query1 = mysql_query('SELECT * FROM users WHERE user=\'' . addslashes($_POST['username']) . '\' AND password=\'' .  addslashes($_POST['password']) . '\'')

Code:
$query2 = mysql_query('SELECT * FROM users WHERE user=\'' . mysql_real_escape_string($_POST['username']) . '\' AND password=\'' .  mysql_real_escape_string($_POST['password']) . '\'')
 
Soldato
OP
Joined
26 Dec 2003
Posts
16,522
Location
London
It's not the same as addslashes(), though, since it escapes some mySQL-specific stuff that addslashes() doesn't. mysql_real_escape_string() is different from mysql_escape_string() in that it pays attention to the character set of the database connection.
 
Soldato
OP
Joined
26 Dec 2003
Posts
16,522
Location
London
Inquisitor said:
So do I just do mysql_real_escape_string ($_POST['query'])
They make it look a lot more complicated on php.net :o


All the ones on the man page do is stripslashes if magic quotes is on - this is so that you don't end up with this:

Input: Hello "Gentlemen"; how are 'you'?
Magic Quotes: Hello \"Gentlemen\"; how are \'you\'?
mySQL Escaped: Hello \\"Gentlemen\\"; how are \\'you\\'?

:)
 
Soldato
Joined
10 Sep 2003
Posts
4,940
Location
Midlands
it is good practise setting error_reporting() to error_reporting(E_ALL) during development to show all errors including missed variables etc...

Once your script goes live, its advisable to turn all error reporting off to prevent people, or should i say "potential hackers" from getting any information about the error that occured. To turn error_reporting off use: error_reporting(0).

another useful function is trigger_error(), as it allows you to make your own error messages up. The good thing about it is that you can specify what error level reporting level (error, warning or notice) for that error to apply to, so you dont need to go through your script changing loads of stuff. e.g:

Code:
		if (!$this->dbConn = @mysql_connect($this->host, $this->dbUser, $this->dbPass)) {

			trigger_error('Could not connect to database server', E_USER_ERROR);

		} elseif (!@mysql_select_db($this->dbName, $this->dbConn)) {

			trigger_error('Could not select database', E_USER_ERROR);

		}

of you used exit() or die() here the error message will always be displayed.

using trigger_error, if error reporting it turned off, the error message shouldnt appear.
 
Soldato
Joined
12 Apr 2004
Posts
11,788
Location
Somewhere
Got yet another question, regarding md5 hashing when storing passwords. :D

If md5 is a one-way 'encryption' method, then wouldn't that present a bit of a problem if the user forgot his/her password? :confused:
 
Soldato
Joined
12 Apr 2004
Posts
11,788
Location
Somewhere
That's what I though, but some websites will simply email you your password if you forget it, I assume that would use symmetric encyption like mcrypt? Is that ok to use for encrypting passwords?
 
Soldato
OP
Joined
26 Dec 2003
Posts
16,522
Location
London
Inquisitor said:
That's what I though, but some websites will simply email you your password if you forget it, I assume that would use symmetric encyption like mcrypt? Is that ok to use for encrypting passwords?


No, it defeats the entire object of hashing them. If you can decode them with a simple PHP function, so can any attacker and then it becomes worthless.
 
Soldato
OP
Joined
26 Dec 2003
Posts
16,522
Location
London
Inquisitor said:
So how do these websites send the password back via email, assuming they storing them securely? (I would have thought they were, as they're quite large websites)


Well they can't have hashed it, so they must store it in some form of reversible encryption, which means that an attacker could get everbody's passwords if they managed to get access to the database. It doesn't seem to serious, but if you think that almost everyone uses the same password for most of their sites then it's pretty serious.
 
Associate
Joined
30 Jun 2003
Posts
2,237
Location
Sussex
could they not write their own encyption? for example a simple ROT-13 would leave the password unreadable if database access was gained. obviously, they would use a cyper that's a little harder to break :p
 
Back
Top Bottom