Php Question, Help Please

Normano

Jun 22 2008, 10:19 PM

Im testing to make a site, i made a bit of the code and using Feelay's login system, but can this code make safer and better?

CODE

<?php
session_start();
?>
<?php
$skin = $_GET['skin'];
if($skin=='1'){
$_SESSION['theme']='';
}elseif($skin=='2'){
$_SESSION['theme']='1';
}elseif($skin=='3'){
$_SESSION['theme']='2';;
}elseif($skin=='4'){
$_SESSION['theme']='3';
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<?php
$id = $_GET['id'];
if($id=='1'){
    echo '<title>1</title>
';
}elseif($id=='2'){
    echo '<title>2</title>
';
}elseif($id=='3'){
    echo '<title>3</title>
';
}else{
    echo '<title>Home</title>
';
}
?>
....
<?php
if($id=='1'){
    echo '  <div class="boxtop"><span>Content</span></div>
  Content';
        $url = 'index.php?id=1&';
}elseif($id=='2'){
    echo '  <div class="boxtop"><span>Content</span></div>
  Content';
        $url = 'index.php?id=2&';
}elseif($id=='3'){
    echo '  <div class="boxtop"><span>Content</span></div>
  Content';
        $url = 'index.php?id=3&';
}else{
    echo '  <div class="boxtop"><span>Content</span></div>
  Content';
        $url = 'index.php?';
}
?>
.....
   <?php
session_start();
require_once 'database.php';
if (isset($_SESSION['user'])){
echo "Welcome ".$_SESSION['user'];
?>
<form name="logout" method="post" action="logout.php">
<input type="submit" name="logout" id="logout" value="Logout">
</form><br />
<?php
}elseif(isset($_SESSION['admin'])){
echo"Welcome ".$_SESSION['admin'];
?>
<form name="logout" method="post" action="logout.php">
<input type="submit" name="logout" id="logout" value="Logout">
</form>
<br />
</form>
<?php
}elseif($id==''){
?>
<form name="login_form" method="post" action="login2.php">
  <label>
  <input name="user" value="Username" onfocus="this.value=''" type="text" id="user"><br />
  <input name="pass" value="Password" onfocus="this.value=''" type="password" id="pass"><br />
  </label>
<input type="submit" name="login" id="login" value="Login">
   </label>
</p>
</form>
<form name="Register" method="post" action="index.php?id=reg">
  <input type="submit" name="register" id="register" value="Register">
</form><br />
<?php
}elseif($id=='reg'){
    echo '<form name="register" method="post" action="regcheck.php">
  <input type="text" value="Username" name="user" id="user">
<br>
  <input type="password" value="Password" name="pass" id="pass">
  <input type="submit" name="reg" id="reg" value="Register">
</form>
<form name="Home" method="post" action="index.php">
  <input type="submit" name="home" id="home" value="Home">
</form><br />
';
}else{
    echo '<title>2</title>
';

}
?>
   </div>
  </div>
</div>
</div>
<div id="footer">Footer</div>
</div>
</body>
</html>

I removed some of the code because it was only html, thanks

vujsa

Jun 28 2008, 03:29 PM

I don't see any security holes in the code provided. However, the actual authorization code, "login.php", isn't included so I can't comment on that. Either list the code or provide a link to the post that you are referring to.

When I do login systems, I use a salt, the username and the password to generate the hash from. I sometimes use multiple hashing techniques and different hashing orders...

For example, I might do the following:

CODE

$usersalt = md5(uniqid(rand(), true));
$username = $_POST['username'];
$userpass = sha4(md5($usersalt . $username) . md5($_POST['userpass']));

This way, you save the username, salt, and password hash in the database and the code puts it all together. So, if someone manages to get access to you database it would be very unlikely that they could decipher the actual password since they wouldn't know what order you used to generate the password hash. For extra security, you can also use a global salt salt which is the same for everyone's password hash but only be stored in one PHP file somewhere in your system like your configuration file. You would have to include the file in all of your user creation and authorization scripts. This would prevent a key part of the hash from being seen in the database making even more unlikely that anyone could decode your hashing method.

You can add other user information to the hash to simply increase the complexity used to generate the hash requiring many more steps to decipher it manually. The more items that you add to the hash and the more different hashing functions (md5, sha1, etc...) you use on those items, the harder it is to figure out the method and order used to generate the hash.
The following user information would work:
email address
first name
last name
date of birth
address
city
country

Just remember, if the user changes any of the information, a new password hash must be generated! Otherwise, you won't be able to check the submitted login information against the password hash since during authorization, the user submitted password must be converted exactly the same way as the stored password hash was in order for them to match. If the data is different, then they won't match and the user won't be able to login.

On that same note, you must only use constant data for the password hash. This is data that doesn't change over time like the username which is stored in the database. Once a random password salt is generated, it must be stored in the database. Using the current time or current date in the hash will not work since the time will always be different. If you want to, you can use a time stored in the database like the user creation date.

I hope this gives you some insight into securing you user's saves password information in your database.

vujsa

Normano

Jul 2 2008, 05:49 PM

Ohh, When i made the login script it wasnt so security, no hashing, i forgot that, but ur reply did so i rememberd it, and thanks for the tutorial(help) with password hashing metods

vujsa

Jul 10 2008, 05:13 AM

Sometimes the simplest question can provide much more information than you realize.

I will add one other security tip...

I generally save the session data in both the session cookie and the database...

It is good to use sessions to store your session ID which I generally use to get permissions from the database.

However, if you store other user information in the session cookie and the database and compare that to the user's current information, you can better prevent someone from hijacking a session.
For example, check the user session id, IP address, and maybe browser version or OS to see if that matches what is was when the user logged in.

Another important suggestion is to expire sessions after a certain period of time to prevent an old session from being reused. Just apply a current timestamp each time a session ID is used in the database. Not only does this prevent someone from using an account after the real owner forgot to log out, it makes it far more difficult to hijack a session since the hijacker only has a limit amount of time to find a session and attempt to use it.

Hope this helps.
vujsa

Normano

Jul 11 2008, 06:03 PM

I thought session was security but it could be more security didnt i know, thanks i try it with session checking database, it can be very help full.

Habble

Jul 12 2008, 08:21 AM

It all looks to be fine but dont take my work on it as i dont no that much about php all i can do is code a basic site in it but like i said it looks fine

Good Luck

ADD REPLY / Got an Opinion!	a humble request :-)	RAPID SEARCH!	Free Hosting	[X]
Express your Opinions, Thoughts or Contribute your information that might help someone here. Ask your Doubts & Queries to get answers.. "Together, We enlight each other!"	Register FREE for AD-FREE forum, Create your own topics, Ask Questions, track topics, setup subscriptions & notifications and Get a Free Website w/ Email and FTP.		500MB Space No Ads, CPanel, FTP, PHP, MySQL, EMails - 100% FREE