|
Posted by "Gustav Wiberg" on 09/15/05 21:19
----- Original Message -----
From: "Ben" <ben@emediastudios.com>
Newsgroups: php.general
To: "Gustav Wiberg" <gustav@varupiraten.se>
Sent: Wednesday, September 14, 2005 7:35 PM
Subject: Re: [PHP] trying to figure out the best/efficient way to tell who
is logged into a site..
> Gustav Wiberg wrote:
>
>> All you guys, please comment if the code is well or bad written and
>> why... :-)
>
> Since you asked, a few things popped out from a security perspective,
> though I didn't read through your code very thoroughly....
>
>
>> <?php
>>
>> function chkIfPasswordTrue($un, $pw, $typeUser) {
>>
>> //Make username and password in-casesensitive
>> //
>> $un = strtolower($un);
>>
>> $pw = strtolower($pw);
>
>
> Why limit your usernames/passwords to lower case? You've just made them
> significantly easier to brute force.
>
That's a good point. The reason is that our targetgroup users is users with
a little knowledge of computers and therefore it might be easy to miss that
caps-lock is pushed in, and out... and the combination of small and big
letters... But you're right... Probably I'll change this. Thanx!
>
>
>>
>> $sql = $sql . "SELECT IDAnvandare FROM tbanvandare WHERE";
>>
>> $sql = $sql . " Anvandarnamn=" . safeQuote($un) . " AND";
>>
>> $sql = $sql . " Losenord=" . safeQuote($pw) . " AND";
>
>
> Where is your safeQuote() function coming from? From what I can see of
> your code you aren't doing any testing against the username and password
> before they are used as part of your SQL query. Sure would suck to have
> an unauthenticated user drop or otherwise muck with your db!
>
Hm. The safeQuote() function is always called before these functions are
called and is
<?php
function safeQuote($value)
{
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
// Quote if not integer
if (!is_numeric($value)) {
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
?>
>
>
>> if (isset($_REQUEST["frmUsername"])) {
>>
>> $un = $_REQUEST["frmUsername"];
>
> If you're going to use $_REQUEST you might as well just turn on register
> globals (no, don't!).
*hehe*
>
> If you're expecting a post look for a $_POST, if you're expecting a get
> look for a $_GET. Ditto with cookies. You really need to know where your
> variables are coming from if you want a measure of security.
Yes, you're right. I wrote this code before I came in contact with $_POST
and $_GET. Thanx again! It's appreciated! :-)
/G
http://www.varupiraten.se/
[Back to original message]
|