Php Question, Help Please
Normano
post Jun 22 2008, 10:19 PM
Post #1


Member [ Level 1 ]

Group: [HOSTED]
Posts: 36
Joined: 28-August 07
Member No.: 24,433


I'm testing to make a site. I made a bit of the code and am using Feelay's login system, but can this code be made safer and better?
CODE
<?php
session_start();
?>
<?php
// Default to '' when ?skin= is missing so no undefined-index notice is raised.
$skin = isset($_GET['skin']) ? $_GET['skin'] : '';
if($skin=='1'){
$_SESSION['theme']='';
}elseif($skin=='2'){
$_SESSION['theme']='1';
}elseif($skin=='3'){
$_SESSION['theme']='2';
}elseif($skin=='4'){
$_SESSION['theme']='3';
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<?php
// Same default for ?id=; the login form further down is shown when $id is ''.
$id = isset($_GET['id']) ? $_GET['id'] : '';
if($id=='1'){
    echo '<title>1</title>
';
}elseif($id=='2'){
    echo '<title>2</title>
';
}elseif($id=='3'){
    echo '<title>3</title>
';
}else{
    echo '<title>Home</title>
';
}
?>
....
<?php
if($id=='1'){
    echo '  <div class="boxtop"><span>Content</span></div>
  Content';
        $url = 'index.php?id=1&';
}elseif($id=='2'){
    echo '  <div class="boxtop"><span>Content</span></div>
  Content';
        $url = 'index.php?id=2&';
}elseif($id=='3'){
    echo '  <div class="boxtop"><span>Content</span></div>
  Content';
        $url = 'index.php?id=3&';
}else{
    echo '  <div class="boxtop"><span>Content</span></div>
  Content';
        $url = 'index.php?';
}
?>
.....
   <?php
// session_start() already ran at the top of this file; calling it a second time only raises a notice.
require_once 'database.php';
if (isset($_SESSION['user'])){
// htmlspecialchars() so a username containing HTML is shown as text instead of being rendered.
echo "Welcome ".htmlspecialchars($_SESSION['user']);
?>
<form name="logout" method="post" action="logout.php">
<input type="submit" name="logout" id="logout" value="Logout">
</form><br />
<?php
}elseif(isset($_SESSION['admin'])){
echo "Welcome ".htmlspecialchars($_SESSION['admin']);
?>
<form name="logout" method="post" action="logout.php">
<input type="submit" name="logout" id="logout" value="Logout">
</form>
<br />
<?php
}elseif($id==''){
?>
<form name="login_form" method="post" action="login2.php">
  <label>
  <input name="user" value="Username" onfocus="this.value=''" type="text" id="user"><br />
  <input name="pass" value="Password" onfocus="this.value=''" type="password" id="pass"><br />
  </label>
<input type="submit" name="login" id="login" value="Login">
</form>
<form name="Register" method="post" action="index.php?id=reg">
  <input type="submit" name="register" id="register" value="Register">
</form><br />
<?php
}elseif($id=='reg'){
    echo '<form name="register" method="post" action="regcheck.php">
  <input type="text" value="Username" name="user" id="user">
<br>
  <input type="password" value="Password" name="pass" id="pass">
  <input type="submit" name="reg" id="reg" value="Register">
</form>
<form name="Home" method="post" action="index.php">
  <input type="submit" name="home" id="home" value="Home">
</form><br />
';
}else{
    echo '<title>2</title>
';

}
?>
   </div>
  </div>
</div>
</div>
<div id="footer">Footer</div>
</div>
</body>
</html>

I removed some of the code because it was only HTML. Thanks.
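The if/elseif chains above compare the raw ?skin= and ?id= values against a handful of known strings. The same thing can be done with a whitelist lookup, which also rejects missing, unexpected or non-string values before they reach the page. The following is an added example, not the original poster's code; the page titles and the `pickAllowed()` helper are assumptions for the illustration.

```php
<?php
// Added example (not the poster's code): whitelist lookups in place of the
// if/elseif chains on $_GET['skin'] and $_GET['id'], plus escaping on output.
session_start();

// Accepted ?skin= values and the theme number stored for each (taken from the post).
$skinToTheme = array('1' => '', '2' => '1', '3' => '2', '4' => '3');

// Accepted ?id= values and their page titles (titles are assumed placeholders).
$pageTitles = array('1' => '1', '2' => '2', '3' => '3', 'reg' => 'Register');

/**
 * Return $input if it is a string and one of the whitelisted keys, else $default.
 * The is_string() check matters: ?skin[]=1 arrives as an array, and passing an
 * array to array_key_exists() is a TypeError on PHP 8.
 */
function pickAllowed(array $allowed, $input, $default)
{
    if (is_string($input) && array_key_exists($input, $allowed)) {
        return $input;
    }
    return $default;
}

$skin = pickAllowed($skinToTheme, isset($_GET['skin']) ? $_GET['skin'] : null, null);
if ($skin !== null) {
    $_SESSION['theme'] = $skinToTheme[$skin];   // unknown skins leave the theme untouched
}

$id    = pickAllowed($pageTitles, isset($_GET['id']) ? $_GET['id'] : null, '');
$title = ($id === '') ? 'Home' : $pageTitles[$id];

// Only the validated id is ever placed in a link, and it is URL-encoded.
$url = ($id === '') ? 'index.php?' : 'index.php?id=' . rawurlencode($id) . '&';

// htmlspecialchars() turns any HTML in user-influenced data into plain text.
echo '<title>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</title>\n";
if (isset($_SESSION['user'])) {
    echo 'Welcome ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
}
```

With this shape, adding a new page or skin means adding one array entry rather than another elseif branch, and every value that leaves the whitelist is handled in one place.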
vujsa
post Jun 28 2008, 03:29 PM
Post #2


Absolute Newbie

Group: Admin
Posts: 888
Joined: 20-February 05
From: Indianapolis, Indiana, USA (Midwest)
Member No.: 2,714
myCENTs:35.43


I don't see any security holes in the code provided. However, the actual authorization code, "login.php", isn't included so I can't comment on that. Either list the code or provide a link to the post that you are referring to.

When I do login systems, I use a salt, the username and the password to generate the hash from. I sometimes use multiple hashing techniques and different hashing orders...

For example, I might do the following:
CODE
<?php
// Random per-user salt; it is stored in the database next to the hash.
$usersalt = md5(uniqid(rand(), true));
$username = $_POST['username'];
// sha1() here; the original post read "sha4", which is not a PHP function.
$userpass = sha1(md5($usersalt . $username) . md5($_POST['userpass']));

This way, you save the username, salt, and password hash in the database and the code puts it all together. So, if someone manages to get access to your database it would be very unlikely that they could decipher the actual password since they wouldn't know what order you used to generate the password hash. For extra security, you can also use a global salt which is the same for everyone's password hash but is only stored in one PHP file somewhere in your system like your configuration file. You would have to include the file in all of your user creation and authorization scripts. This would prevent a key part of the hash from being seen in the database, making it even more unlikely that anyone could decode your hashing method.

You can add other user information to the hash to simply increase the complexity used to generate the hash requiring many more steps to decipher it manually. The more items that you add to the hash and the more different hashing functions (md5, sha1, etc...) you use on those items, the harder it is to figure out the method and order used to generate the hash.
The following user information would work:
email address
first name
last name
date of birth
address
city
country

Just remember, if the user changes any of the information, a new password hash must be generated! Otherwise, you won't be able to check the submitted login information against the password hash since during authorization, the user submitted password must be converted exactly the same way as the stored password hash was in order for them to match. If the data is different, then they won't match and the user won't be able to login.

On that same note, you must only use constant data for the password hash. This is data that doesn't change over time like the username which is stored in the database. Once a random password salt is generated, it must be stored in the database. Using the current time or current date in the hash will not work since the time will always be different. If you want to, you can use a time stored in the database like the user creation date.

I hope this gives you some insight into securing your users' saved password information in your database.

vujsa
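The post above describes three things: a site-wide secret kept only in a configuration file, a random per-user salt, and applying exactly the same steps at registration and at login. The following added example (not vujsa's code) keeps those ideas but builds them on PHP's `password_hash()` / `password_verify()` (PHP 5.5+), which pick a deliberately slow algorithm and generate and store the per-user salt themselves. The `SITE_PEPPER` value, the function names and the demonstration user are constructed for the example.

```php
<?php
// Added example, not the post's code. Site-wide secret ("pepper") plus
// password_hash(): the same construction at registration and at login.

// Assumed to live in config.php outside the web root and to be included by
// every registration and login script. Placeholder value for the example.
define('SITE_PEPPER', 'replace-with-a-long-random-secret-kept-in-config.php');

/**
 * Mix the site-wide secret into the password before the slow hash. HMAC keeps
 * the step deterministic, which both registration and login need, and a
 * leaked database alone no longer has everything required to test guesses.
 */
function pepperPassword($password)
{
    return hash_hmac('sha256', $password, SITE_PEPPER);
}

/** Build the row to store at registration. */
function makeUserRecord($username, $password)
{
    return array(
        'username'  => $username,
        // password_hash() generates a random salt and embeds it in the result,
        // so no separate salt column is needed.
        'pass_hash' => password_hash(pepperPassword($password), PASSWORD_DEFAULT),
    );
}

/** Check a submitted login against a stored row with exactly the same steps. */
function checkLogin(array $record, $username, $password)
{
    if (!is_string($username) || !is_string($password)) {
        return false;                               // reject array-shaped form input
    }
    // password_verify() repeats the hash using the salt embedded in the stored value.
    return $record['username'] === $username
        && password_verify(pepperPassword($password), $record['pass_hash']);
}

/** Constructed walkthrough: register one user, then try a right and a wrong password. */
function demo()
{
    $row = makeUserRecord('alice', 'correct horse battery staple');
    return array(
        'right_password' => checkLogin($row, 'alice', 'correct horse battery staple'),
        'wrong_password' => checkLogin($row, 'alice', 'not the password'),
        'wrong_user'     => checkLogin($row, 'bob', 'correct horse battery staple'),
    );
}

var_dump(demo());
```

Only the password goes into the hash here, so the caveat from the post about constant data takes care of itself: a user can change their email address or name without the stored hash becoming unverifiable. If the pepper is ever rotated, every user has to set a new password, so it should be treated like a long-lived key.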
Normano
post Jul 2 2008, 05:49 PM
Post #3


Member [ Level 1 ]

Group: [HOSTED]
Posts: 36
Joined: 28-August 07
Member No.: 24,433


Oh, when I made the login script it wasn't so secure, no hashing, I forgot that, but your reply reminded me of it, and thanks for the tutorial (help) with password hashing methods.
vujsa
post Jul 10 2008, 05:13 AM
Post #4


Absolute Newbie

Group: Admin
Posts: 888
Joined: 20-February 05
From: Indianapolis, Indiana, USA (Midwest)
Member No.: 2,714
myCENTs:35.43


Sometimes the simplest question can provide much more information than you realize.

I will add one other security tip...

I generally save the session data in both the session cookie and the database...

It is good to use sessions to store your session ID which I generally use to get permissions from the database.

However, if you store other user information in the session cookie and the database and compare that to the user's current information, you can better prevent someone from hijacking a session.
For example, check the user session ID, IP address, and maybe browser version or OS to see if that matches what it was when the user logged in.

Another important suggestion is to expire sessions after a certain period of time to prevent an old session from being reused. Just apply a current timestamp each time a session ID is used in the database. Not only does this prevent someone from using an account after the real owner forgot to log out, it makes it far more difficult to hijack a session since the hijacker only has a limited amount of time to find a session and attempt to use it.

Hope this helps.
vujsa
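The two suggestions above, binding a session to what the client looked like at login and expiring sessions after a period of inactivity, look like this in code. This is an added example, not vujsa's code; the database is simulated with an in-memory array and the timestamps, token length and user-agent strings are constructed for the walkthrough. In a real application the three functions would run queries against a sessions table.

```php
<?php
// Added example (not the post's code): server-side session records with a
// client fingerprint and an inactivity timeout. The "table" is an array.

define('SESSION_TIMEOUT', 30 * 60);   // 30 minutes of inactivity (assumed value)

/** Record a login: fresh unguessable token, client fingerprint, current time. */
function openSession(array &$table, $userId, $userAgent, $ip, $now)
{
    $token = bin2hex(random_bytes(32));             // PHP 7+ CSPRNG
    $table[$token] = array(
        'user_id'   => $userId,
        'ua_hash'   => hash('sha256', $userAgent),   // store a hash, not the raw header
        'ip'        => $ip,
        'last_used' => $now,
    );
    return $token;
}

/**
 * Validate a request. Returns the user id, or null when the token is unknown,
 * the session has been idle too long, or the client no longer matches the
 * fingerprint taken at login. On success the last-used time is refreshed,
 * which is the "apply a current timestamp" step from the post.
 */
function validateSession(array &$table, $token, $userAgent, $ip, $now, $checkIp = true)
{
    if (!is_string($token) || !isset($table[$token])) {
        return null;                                // no such session
    }
    $row = $table[$token];
    if ($now - $row['last_used'] > SESSION_TIMEOUT) {
        unset($table[$token]);                      // expired: remove, never revive
        return null;
    }
    if (!hash_equals($row['ua_hash'], hash('sha256', $userAgent))) {
        return null;                                // different browser: treat as hijack attempt
    }
    // IP binding is optional: mobile and proxied users change address legitimately,
    // so a strict IP check trades some usability for the extra protection.
    if ($checkIp && $row['ip'] !== $ip) {
        return null;
    }
    $table[$token]['last_used'] = $now;
    return $row['user_id'];
}

/** Logout: delete the server-side record so the cookie alone is useless. */
function closeSession(array &$table, $token)
{
    unset($table[$token]);
}

/** Constructed walkthrough with fixed timestamps and a simulated table. */
function demo()
{
    $table     = array();
    $loginTime = 1000000;
    $ua        = 'Mozilla/5.0 (example)';
    $ip        = '203.0.113.10';
    $token     = openSession($table, 42, $ua, $ip, $loginTime);

    return array(
        // same client five minutes later: accepted (returns 42)
        'same_client'   => validateSession($table, $token, $ua, $ip, $loginTime + 300),
        // same token presented by a different browser: rejected (null)
        'other_browser' => validateSession($table, $token, 'Other/1.0', $ip, $loginTime + 600),
        // same client after the idle timeout has passed: rejected and removed (null)
        'after_timeout' => validateSession($table, $token, $ua, $ip, $loginTime + 300 + SESSION_TIMEOUT + 1),
        // the expired row is gone, so a later valid-looking request also fails (null)
        'after_expiry'  => validateSession($table, $token, $ua, $ip, $loginTime + 300 + SESSION_TIMEOUT + 2),
    );
}

var_dump(demo());
```

When the token is carried in PHP's own session cookie, call `session_regenerate_id(true)` right after a successful login as well, so a session ID that existed before authentication is never promoted to a logged-in one.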
Normano
post Jul 11 2008, 06:03 PM
Post #5


Member [ Level 1 ]

Group: [HOSTED]
Posts: 36
Joined: 28-August 07
Member No.: 24,433


I thought sessions were secure, but I didn't know they could be made more secure. Thanks, I'll try it with session checking against the database; it can be very helpful.
Habble
post Jul 12 2008, 08:21 AM
Post #6


Premium Member

Group: [HOSTED]
Posts: 286
Joined: 17-June 07
From: Tasmania
Member No.: 22,699


It all looks to be fine, but don't take my word on it, as I don't know that much about PHP. All I can do is code a basic site in it, but like I said, it looks fine.

Good Luck
