Posted in Computers & Tech / Programming / Scripting / Perl & CGI
Author: potnuru Total-Replies: 0

I want to create a simple html form which submits the information to a processor which in turn checks the login and either lets them access the members area or takes them to the login failed page.

I tried a script which take the username and password and then puts it in the format http://username:password@mydomain.com/protected/
bu the problem with that script is that if the password is wrong then the login box pops up and this doesnt close even after hitting the cancel button about 4-5 times.

Is there any better way to secure a members area (an entire folder) without .htaccess

Thanks in Advance,
-!DraXxuS!-

Posted in Computers & Tech / How-To's and Tutorials / Programming / PHP
Author: 8ennett Total-Replies: 2

I use this script in most of my sites and find it to be a very reliable yet simple to implement at the same time. Ill run you through how the script works and also how to implement it.

First this is a seperate php file from which ever one you want to add the image verification to. This should remain as is and not be modified with any additional code.

randomImage.php



PLEASE REMEMBER TO REMOVE THE FOUR *'s FROM THE HTML TAGS, I HAD TO PUT THEM IN SO THEY WOULDN'T DISPLAY AS ACTUAL PAGE ELEMENTS!

Now this is an example php file which the image will appear on. If you copy and paste the code in to a new php file you can call it what ever you like. The first part is commented so you know what each section does in the code, this will only run IF the form has been submitted. The rest is the html. There is a form with a box for entering the code and an image, however note the source of the image is our randomImage.php and not a jpg or whatever.

When we call the randomImage.php file we are also writing the value of the images code to the session, however to ensure that nobody is monitoring the site traffic it is md5 encrypted before writing to the session.

Now when we enter the code and submit it, the code we entered is md5 encrypted and then compared to md5 encrypted session variable, if it matches you are redirected to the success page, if not then you are redirected to the incorrect page.

You can have any code run in the event of success or failure, such as a login page or so on, this is just a secure little add-on to prevent people from either brute forcing a password or bots from creating new accounts automatically.

Enjoy!

Posted in Computers & Tech / Programming / Scripting / PHP
Author: Eggie Total-Replies: 8

I have another question---
i downloaded script of a game and it worked until my server changed to newer version of php after which it didn't work...
the most probable reason is that globals are not enabled...
now i need someone who can tell me what to put instead of what to make it work...
this is my login.php script




this is where you enter your username/pass(head.php)



and this is code which goes after login.php
only part of it

Posted in Computers & Tech / How-To's and Tutorials / Programming / PHP
Author: coder2000 Total-Replies: 23

Now there are basically 3 functions that a user management system provides: login, register, and protection. A user management system can do more than this but that is all that this tutorial will be covering. I will try to explain what I am doing as I go along but to fully understand what is happening you should have a basic knowledge of PHP, SQL, and HTML. This tutorial assumes you are using MySQL, adjust accordingly for a different DBMS.

First off lets define the database table where our users will be stored. Using phpMyAdmin run this statement to create our table:


Now a little explanation as to what this will do. It will create a table in your database called tblUsers with fields fldId, fldUsername, and fldPassword. The last two fields are self explanitory they contain the username and password of the user. The fldId is the user id automatically assigned by the database. For more information on the syntax read the MySQL documentation.

Lets continue by creating the script where our users will register. Open your favorite text editor and enter the following:



This tells the webserver that we are starting a php code section. You can have more than one in a script and you can include HTML in your code files as well, more on that later. Lets create a function that will actually do the work of adding the user to the database. Lets call it registerUser, now enter the following in between the php tags:



We now have a very basic registration function. Now we need to create the form the user will see. So below the ?> lets start our HTML. It should look a bit like this:



Now this HTML defines a form with 2 input fields and a button. The thing to look at though is the action attribute of the form tag. Here we have another php code section. This puts the path of the current script as our action with the variable register equal to true. We will deal with that in our code later. For now your code should look like this:



There is one more thing left to do. Handle the variable we passed to the script called register. Lets do that now. Here is the code:



Here we use an if statement to check and see if it has been set to true if it is we call the function we defined earlier.

That is all I will be doing for today. Later we will go over how to login, protect your pages and some basic error checking.

Posted in Computers & Tech / Programming / Scripting / JavaScript
Author: ganeshn11 Total-Replies: 2

Guys, if you like it you can use it, but one thing I would like to tell is that its not entierly safe to use such a thing, it depends on your content that you are trying to protect from usual visitors, beginners this is for you. The best part is that you do not need any kind of scripts installed on your server, it is in JavaScript which is embeded in to your HTML page. Just change the username from "asta" to your choice and password from "host" to your preference.
Here is the code...



Your username and password can be viewed from the source code of your page, just to make it more secure, encrypt.

And now, if you are thinking "How am I going to encrypt a page?", visit this page (http://www.cyberiapc.com/aascripter/samples/Security/sub9.htm), over here you just have to paste your java script code and it will encrypt it for you.

On this page you can even give it an encrypted code and it will decrypt it for you (bring it back to its original state). Thus the above script must not be used for anything serious.

If you plan to go and hide something more serious try, Bravenet.com service which is much, much secure, its just like loging into your email ID (yahoo or hotmail).

Posted in Computers & Tech / Programming / Scripting / PHP
Author: vujsa Total-Replies: 5

I don't see any security holes in the code provided. However, the actual authorization code, "login.php", isn't included so I can't comment on that. Either list the code or provide a link to the post that you are referring to.

When I do login systems, I use a salt, the username and the password to generate the hash from. I sometimes use multiple hashing techniques and different hashing orders...

For example, I might do the following:

This way, you save the username, salt, and password hash in the database and the code puts it all together. So, if someone manages to get access to you database it would be very unlikely that they could decipher the actual password since they wouldn't know what order you used to generate the password hash. For extra security, you can also use a global salt salt which is the same for everyone's password hash but only be stored in one PHP file somewhere in your system like your configuration file. You would have to include the file in all of your user creation and authorization scripts. This would prevent a key part of the hash from being seen in the database making even more unlikely that anyone could decode your hashing method.

You can add other user information to the hash to simply increase the complexity used to generate the hash requiring many more steps to decipher it manually. The more items that you add to the hash and the more different hashing functions (md5, sha1, etc...) you use on those items, the harder it is to figure out the method and order used to generate the hash.
The following user information would work:
email address
first name
last name
date of birth
address
city
country

Just remember, if the user changes any of the information, a new password hash must be generated! Otherwise, you won't be able to check the submitted login information against the password hash since during authorization, the user submitted password must be converted exactly the same way as the stored password hash was in order for them to match. If the data is different, then they won't match and the user won't be able to login.

On that same note, you must only use constant data for the password hash. This is data that doesn't change over time like the username which is stored in the database. Once a random password salt is generated, it must be stored in the database. Using the current time or current date in the hash will not work since the time will always be different. If you want to, you can use a time stored in the database like the user creation date.

I hope this gives you some insight into securing you user's saves password information in your database.

vujsa

Posted in Astahost / Hosted Members Support / cPanel
Author: NilsC Total-Replies: 7

A lot of school computers block login scripts to prevent users from accessing web sites. So if scripting is off you may not be able to login from the popup. Just cancel it out and try the login webpage. This may still not work but that is what I have to do from my work computer.

Nils

Posted in Computers & Tech / Databases
Author: sylvanasp Total-Replies: 16

i had this login script,i lowerized its functions a little bit
but cant do more it too complicated for a newb like me

can some one help me delete the activation throu email codes in these files,and those extra fields on registration form and their DB's fields for me plz?
all i want from this script is that i want to login wit 3 different user access

Posted in Computers & Tech / Programming / Scripting / PHP
Author: frenz Total-Replies: 5

I am making a login script which atm uses a cookie to set login status.

I would like to include sessionwise checking into this. And also an IP check, where i write the IP to database and later get it for all other pages and then check it up to the client for each page.

I need to know the commands for:
- getting an IP
- Starting a session
- Ending a session
- Reading a session

Posted in Computers & Tech / Security issues & Exploits
Author: Jeigh Total-Replies: 8

Yea I heard about that, my boss has us reworking login scripts to patch up machines here (I'm working at a tech support place for the summer) but I'm hoping it doesn't get too bad. Big virus/worm outbreaks == annoying *****y people yelling at us all day

Posted in Free Web Hosting / Hosting Support & Help
Author: evought Total-Replies: 4

I have a folder ~/public_html/templates/warmish_community.bak which I do not own and do not have permissions to delete. I have copied and renamed the folder contents so that I own and can manipulate the files but cannot delete the original.

Please delete this folder for me when you get a chance. This is not time critical.

The error was probably caused by a faulty mambo install script. You may want to look into this because it might represent a security hole.

Posted in Computers & Tech / Programming / Scripting / PHP
Author: FirefoxRocks Total-Replies: 5

It turns out that the authentication script that I copied from http://www.php-mysql-tutorial.com/user-aut...on/database.php doesn't work even when it is left unchanged. What a crappy piece of code.

Now I am trying to build by own login script from scratch. I already have a little knowledge on how to do this (connecting, echoing, retrieving) but I need some more examples and/or tips. I know what I need and maybe this could help you out:
Note: Green items are fixed.

1. No duplicate username in MySQL Database
   
2. Authorized users only. I have to authorize each user or else a message comes up that says that they have not been authorized yet.
   
3. IP address logging. This means logging the IP address when registered and logging the IP address at last logon.
   
4. After logon, it all redirects to one page (if certain group).
   
5. If the username is in moderator status, it redirects to the Moderator Page. Otherwise, it redirects to the Member page.
   
6. A lost password function.
   

That's all I need right now. For everyone who helps, I will mention your Trap17/Astahost username into the the credits page of the site when it is completed!

Posted in Computers & Tech / Software / Bulletin Board Systems / Invision Power Board
Author: sirgalphan Total-Replies: 5

i'm making a website, and i have a set of forums that are seperate from it. i want to have a custom login page, and i need a script that will do it from my website to my forums.

i found this code at an invisionfree site, but its not exactly what i need.



i want a form that has imgs for buttons, specifically a rollover img, that when you click on it, it changes to another img, then you can type text over that img. as an example, for alot of online java rpgs, when you click login, it asks for username and pass. i want something sort of like that (since my site is rpg themed). any help?

Posted in Computers & Tech / Programming / Scripting / PHP
Author: mastercomputers Total-Replies: 6

I think what he's actually referring to is what he's learnt about PHP.

He's talking about the connection method used in PHP to connect to a MySQL database, not the actual storage of a password. If you do mean the actual storage of the password, it is most likely never stored in plain text in your database. Usually it has been converted into a one way hash in which it is near impossible to break the encryption. The only viable checking method you have is whatever plain text they entered when converted into the hash can be compared and if the hash doesn't match, it's the wrong password.

But what I think you're talking about is the PHP way for connecting to a database. Usually your password is in plain text but it's within a PHP file. As long as the file extension is of that of PHP, the connection code exists within PHP tags and the server is configured correctly, they should not be able to gain the password, however there are many ways they could gain the password but this is no easy task and I would not want you to be paranoid about it either.

Some best practises is to create multiple users with specific tasks for managing only specific database commands, never use a root or a user who has full access (GRANT ALL) for connections. My beliefs however is root users should never be able to do what normal users do (well more specifically in the same way), that's for anything, including forums, tagboards, etc. I think they should be designated in their own administration place, where they can control what they do, but can not log into a user/member area and be just like a regular user.

If you can only have one user, then restrict him the minimal actions he's allowed to perform and restrict him to only a database he can access. The easiest way to do this is to create a user with no actions allowed and add him to a certain database only, then test a script out with that user and you'll get an error stating what the user can't do, adjust that user to be able to do that, and continue testing until there's no more complaints/warnings. Hopefully that will discover all the actions early, but sometimes you'll discover them later on down the track but hopefully by then you'd know enough PHP to understand what commands are needed so you can stop with the trial and error testing.

If you are concerned, then there's also PHP encoding software, but I don't know of any that are available freely (there could be though). What this does is scramble your text but still makes it possible for the server to decode it and read it as if it were plain text. That way if a password was stored in plain text, the actual file when encoded would look like goobly gook to anyone who managed to get hold of it, though if they spend enough time with it, it's possible they could managed to decode it because the algorithmn is usually a 2 way encryption which means it can be decoded, so if they understood how it was encoded, they'd definitely understand how to decode it too.

And just while thinking about it, you can also encode everything in MySQL, so if they did get into it, it would appear the same.

But the most important thing, don't store sensitive data in MySQL. There's no reason to store whole credit card numbers, or even part of the number, validation of the card should be done straight away with a reputatable credit company and the purchase done at that time, so there's no reason to store it. Once used get rid of it, the user is going to have to insert that number again if they want to make another purchase.

Other things is, if you have to store sensitive data, then store it in a network that can't be connected to via the internet, though not possible for everything, then store the information in a different database with a different user to the one controlling the other database. If possible, make sure to change passwords on a regular basis too.

There's actually so many things you could do to make it harder for such an attacker to get in, but the more things you introduce, you could make it difficult for yourself to keep up with, so don't go overboard with it unless you want to spend a large deal of your time with it. Trust me, the best thing you want to do is be 1 step ahead of an attacker not 100s of steps.

Cheers,

MC

Posted in Astahost / Hosted Members Support
Author: vujsa Total-Replies: 17

First, you were definitely hacked!
Second, your hosting account has problems!
Third, you need to contact support.

Your site, for whatever reason, was, it looks like, suspended. Your member profile shows you as a HOSTED member but your profile is missing important hosting data!
When an account sites around for awhile without activity, hacker take the site over and use it for their purposes!

Now, between your suspension and member profile errors, when you earned enough credits to unsuspend your account, either the hacker had changed the password or more probable, the error in your member profile prevented you from logging into your account.

So, now that you seem to have some access to the website, you can see the file changes that were made on your account. More than likely, a script like SMF or Mambo allowed a hacker to upload files to your account or even have full control over you public_html folder. It is unlikely that he was able to crack your password.

So, once you get your account issues fixed, then you need to either remove the exploited web script or upgrade it to a more secure version!

These little issues you have, are rather common. Even I have had a similar issue with random files or folders being uploaded to my file system. It was a result of little or no activity on the website along with an exploit in one of the scripts I had installed.

Check this website to see what else they have done to your account:
old.zone-h.org/en/defacements/filter/filter_domain=YOUR_DOMAIN_HERE.COM

vujsa