[PHP] User Input Security + Login Script

Soldato | Joined: 12 Jun 2005 | Posts: 5,361
Hi there,

I am going to be creating a CMS to practise my PHP skills and well to use on websites.

It's been a long time since I have done any PHP, mostly been working on windows based languages.

I still have all my resources from a while ago and I was reading through this again: http://php.robm.me.uk/

...and was wondering: should I be filtering the user input even if I am not displaying it on the script, i.e. using the input in a conditional?

I am assuming the latter from this:

Code:
<?php
// $_GET['page'] is only ever compared against fixed strings here;
// the include paths themselves are hard-coded, so user input never reaches include()
switch($_GET['page']) {
case "about":
include('about.php');
break;
case "news":
include('news.php');
break;
default:
include('home.php');
break;
}

...but I just wanted to make sure.

Are there any other guides/tutorials you think are necessary reads when it comes to PHP security, or does that cover it?

========

Also I want to make a login script, does anyone have any good tutorials/scripts for making a good...secure login script.

Thanks.
 
The script above will pretty much work and I don't think it can be broken.

You get problems if you do this:

include($_GET['page']);
 
Sorry for the confusion, that script I posted works, it's just I have forgotten about the security risks when it comes to PHP.

What you have posted has security risks; for more information, look at the link I posted above for the types of risks that's vulnerable to.
 
If you're just using it in a conditional then there's no need to do any sanitisation: it's just when accessing the filesystem, writing output to the browser and querying the database that you need to sanitise input :)

Edit: As for writing a login system, my old but still pretty relevant thoughts on password hashing are here: http://php.robm.me.uk/#toc-TakingitfurtherSalting

Just store the user's uid and hashed-and-salted password in their session/cookie, check it (as in check that it's actually correct) on every page load, and Bob's your uncle.
 
Beansprout said:
That's what he said :p

Lol, I can't read :(

Edit:

And thanks robmiller, have already read that a couple of times over.

Question is, with hacking, surely if they can hack MD5 (can they?? - I remember reading a post about SHA-1 being hacked)....then they could get the salt as well? Or am I being silly and looking at it from the wrong point of view?
 
Conrad11 said:
Lol, I can't read :(

Edit:

And thanks robmiller, have already read that a couple of times over.

Question is, with hacking, surely if they can hack MD5 (can they?? - I remember reading a post about SHA-1 being hacked)....then they could get the salt as well? Or am I being silly and looking at it from the wrong point of view?
The general rule is that if you have someone after you with the power to crack MD5 in a reasonable time frame, you probably have other issues :D

But yes, MD5 was 'cracked' in a way, though nothing to really worry about - but you could salt the password before MD5'ing it to make the MD5s unique to your site only in the event of a breach :)
 
Beansprout said:
The general rule is that if you have someone after you with the power to crack MD5 in a reasonable time frame, you probably have other issues :D

But yes, MD5 was 'cracked' in a way, though nothing to really worry about - but you could salt the password before MD5'ing it to make the MD5s unique to your site only in the event of a breach :)

Still, if they could crack MD5 could they still not get the salt?


=======

Also, OT, but how do I redirect the user to a page without using headers? What I wish to do is redirect the user because of an error, but using something like this:

Code:
header("location: index.html");
exit;

....I get an error saying that the headers have already been sent by one of my includes (which is true, I think).

Thanks.
 
punky_munky said:
It needs to go before any HTML output. You could probably use Javascript to do a redirection but that has its own set of problems.

Is there no way around this then, without the use of javascript?

===

Also is this secure enough for my check login page:

Code:
<?php
session_start(); // must run before any output; without it $_SESSION is empty and the check always fails
if(isset($_SESSION['username'], $_SESSION['password'])
	&& $_SESSION['username'] === "username"
	&& $_SESSION['password'] === "md5 of password including salt") {
	// credentials in the session match: issue a fresh session id
	session_regenerate_id();
}else{
	// no valid session: clear it and send the user back to the login page
	session_destroy();
	header("Location: login.php");
	exit;
}
?>

Also, when storing the passwords in a database, I store them as md5 of password+salt...correct?

Thanks.
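Pulling the thread's advice together (the switch whitelist from the first post, robmiller's "store uid plus salted hash in the session and check it on every page load", and the headers-already-sent problem), here is an added example page that is not code from anyone in the thread; the loadUser() lookup, its constructed user record and the salt value are assumptions standing in for a database. Note that current PHP ships password_hash()/password_verify(), which supersede hand-rolled md5(password . salt) for new code.

```php
<?php
// Added example, not from the thread. Uses the thread's md5(password . salt)
// scheme so it matches the discussion; loadUser() is a constructed stand-in
// for a database query.
declare(strict_types=1);

// session_start() and any header() call must come before ANY output, even a
// stray blank line after ?> in an included file; otherwise PHP reports
// "headers already sent", which is the error described in the thread.
session_start();

// Constructed user store: uid => salt and md5(password . salt).
function loadUser(int $uid): ?array {
    $salt  = 's3cr3tsalt';                       // assumed per-user salt
    $users = [42 => ['salt' => $salt, 'hash' => md5('hunter2' . $salt)]];
    return $users[$uid] ?? null;
}

// The check robmiller describes: the session carries uid + salted hash, and
// every page load re-verifies that pair against the stored record.
// hash_equals() compares in constant time so the comparison leaks no timing.
function sessionIsValid(array $session): bool {
    if (!isset($session['uid'], $session['pwhash'])) {
        return false;
    }
    $user = loadUser((int) $session['uid']);
    return $user !== null && hash_equals($user['hash'], (string) $session['pwhash']);
}

if (!sessionIsValid($_SESSION)) {
    session_unset();
    session_destroy();
    header('Location: login.php');
    exit;
}
session_regenerate_id(true);

// Routing as in the first post: $_GET['page'] is only matched against fixed
// strings and never passed to include(), so no sanitising of it is needed here.
switch ($_GET['page'] ?? 'home') {
    case 'about': include 'about.php'; break;
    case 'news':  include 'news.php';  break;
    default:      include 'home.php';  break;
}
```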
 