#16 Jacques1 (Devshed Expert)
    Strange as it may sound, if your "hacker" friend motivates you to keep your system secure, that's actually a good thing. Many programmers don't take care of their security at all, because they simply aren't aware of the danger, or they think nobody cares about their website.

    Don't let your friend scare you, though. A lot of those wannabe "hackers" are just loudmouths. If you want a serious code review, you can write me a personal message.
#17 Registered User (Devshed Newbie)
    Okay guys, I've updated the code a bit. Sorry for taking so long, I'm busy with school. Anyway, here's the login script:
    PHP Code:
    <?php
    if (isset($_POST['_submitbtn'])) {
        // input is run through the escape() helper before being bound below
        $username = $main->escape($_POST['_usr_name']);
        $password = $main->escape($_POST['_usr_pass']);

        if (!empty($username) && !empty($password)) {
            $hashedPass = sha1(md5($password));

            // mysqli prepared statement; get_result() needs the mysqlnd driver
            $ifExists = $main->db->prepare("SELECT * FROM users WHERE username=? AND password=?");
            $ifExists->bind_param('ss', $username, $hashedPass);
            $ifExists->execute();
            $loginResults = $ifExists->get_result();

            if ($loginResults->num_rows > 0) {
                $getUserInfo = $loginResults->fetch_assoc();
                header("Location:membersonly.php");
                $_SESSION['logintrue'] = $main->sessionisset();
                $_SESSION['username'] = $getUserInfo['username'];
            } else {
                die("user doesnt exists!");
            }
        } else {
            die("you cannot leave fields empty");
        }
    }
    ?>
    and here's the register:

    PHP Code:
    <?php
    if (isset($_POST['registerbtn'])) {
        $regusername   = $main->escape($_POST['_regusrname']);
        $regpassword   = $main->escape($_POST['_regpasswrd']);
        $regrepassword = $main->escape($_POST['_regrepasswrd']);
        $regemajl      = $main->escape($_POST['_regemjl']);

        if (!empty($regusername) && !empty($regpassword) && !empty($regrepassword) && !empty($regemajl)) {
            // username must not be taken yet
            $ifUserExists = $main->db->prepare("SELECT username FROM users WHERE username=?");
            $ifUserExists->bind_param('s', $regusername);
            $ifUserExists->execute();
            $ifExists = $ifUserExists->get_result();
            if ($ifExists->num_rows > 0) {
                die("username exists!");
            }

            // e-mail must not be taken yet
            $ifEmailExists = $main->db->prepare("SELECT mail FROM users WHERE mail=?");
            $ifEmailExists->bind_param('s', $regemajl);
            $ifEmailExists->execute();
            $ifExistsE = $ifEmailExists->get_result();
            if ($ifExistsE->num_rows > 0) {
                die("e-mail exists!");
            }

            if (filter_var($regemajl, FILTER_VALIDATE_EMAIL) === false) {
                die("e-mail invalid");
            }

            // 2 to 20 letters, digits or underscores
            if (!preg_match('/^[a-z\d_]{2,20}$/i', $regusername)) {
                die("username is invalid");
            }

            if ($regpassword == $regrepassword) {
                $passwordhashed = sha1(md5($regpassword));

                $userSuccess = $main->db->prepare("INSERT INTO users(username, password, mail, ip_reg) VALUES(? , ? , ? , ?)");
                $userIP = $_SERVER['REMOTE_ADDR'];
                $userSuccess->bind_param('ssss', $regusername, $passwordhashed, $regemajl, $userIP);
                $userSuccess->execute();

                echo $main->returnMessage('you have successfully registred!');
            } else {
                die($main->returnMessage('passwords doesnt match'));
            }
        } else {
            die($main->returnMessage('You cannot leave fields empty'));
        }
    }
    ?>

    Is it all secure? Or should I change something? What do you think?
#18 Jacques1 (Devshed Expert)
    You're still using weak password hashes. And you're still escaping the statement parameters.

    When you use prepared statements, you do not need to escape the variables. In fact, you must not do that, because it will corrupt the input. You will end up with literal backslashes in your database. The only reason for escaping variables is to securely insert them into a query string. Since you no longer do that, the escaping has become wrong.

    I repeat: You must not escape the input of a prepared statement. Remove all the $main->escape() calls.

    I suggest you take some days to read up on security basics and fix your code completely. Don't rush it. It doesn't make a lot of sense to go back and forth with unfinished code.
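To make the corruption concrete, here is an added example (not code from the thread or its author) that stores a name containing a quote both ways. It assumes PHP 7.1+ with the pdo_sqlite extension so it runs without a MySQL server; addslashes() stands in for the thread's $main->escape() helper, whose code is not shown.

```php
<?php
// Added example (not the thread's code): why escaping a value that is then
// bound to a prepared statement corrupts the stored data.
// Assumes PHP 7.1+ with pdo_sqlite, so it runs without a MySQL server;
// addslashes() stands in for the thread's $main->escape() helper.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
    return $db;
}

// The value travels as a parameter and is never spliced into the SQL text,
// so no escaping is needed to keep it out of the query.
function insertUser(PDO $db, string $username): void {
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (?)');
    $stmt->execute([$username]);
}

function findUser(PDO $db, string $username): ?string {
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

$db = setupDb();
$input = "O'Brien";   // constructed sample input containing a quote

// Wrong: escape, then bind. The backslash is stored as part of the name,
// so the user can no longer be found by the name they actually typed.
insertUser($db, addslashes($input));
var_dump(findUser($db, $input));               // lookup by the real name fails
var_dump(findUser($db, addslashes($input)));   // only the corrupted form matches

// Right: bind the raw value and let the driver handle it.
$db->exec('DELETE FROM users');
insertUser($db, $input);
var_dump(findUser($db, $input));               // found under the real name
```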
#19 Registered User (Devshed Newbie)
    Originally Posted by Jacques1
    You're still using weak password hashes. And you're still escaping the statement parameters.

    When you use prepared statements, you do not need to escape the variables. In fact, you must not do that, because it will corrupt the input. You will end up with literal backslashes in your database. The only reason for escaping variables is to securely insert them into a query string. Since you no longer do that, the escaping has become wrong.

    I repeat: You must not escape the input of a prepared statement. Remove all the $main->escape() calls.

    I suggest you take some days to read up on security basics and fix your code completely. Don't rush it. It doesn't make a lot of sense to go back and forth with unfinished code.
    Okay, thank you. I'll fix it now.
#20 aysiu (Contributing User, Devshed Newbie)
    What Jacques1 means is you should, instead of
    PHP Code:
    $hashedPass = sha1(md5($password));
    do
    PHP Code:
    $hashedPass = password_hash($password, PASSWORD_DEFAULT);
    or
    PHP Code:
    $hashedPass = password_hash($password, PASSWORD_BCRYPT);
    Later on, when you want to match the password against the hash you created, you do
    PHP Code:
    if (password_verify($password, $hashedPass)) {
        // the password matches the stored hash: log the user in
    }


    By the way, in your registration process, do you actually verify the email address is a real existing email that can receive emails? Not sure if that's important to you or not, but it's something to think about.
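Putting the two halves together, here is an added example (not from the thread or its posters) of registration and login built on password_hash()/password_verify(), which also migrates rows still holding the thread's sha1(md5()) value the next time that user logs in. It assumes PHP 7.0+ (password_* need 5.5, hash_equals() 5.6, scalar type hints 7.0) and uses a constructed in-memory array in place of the users table.

```php
<?php
// Added example (not the thread's code): replaces sha1(md5($password)) with
// password_hash()/password_verify() and upgrades legacy hashes when a user logs in.
// Assumes PHP 7.0+. $users is a constructed stand-in for the thread's users
// table: username => stored hash.

// The thread's legacy scheme, kept only so old rows can still be recognised.
function legacyHash(string $password): string {
    return sha1(md5($password));
}

// Registration: a random salt is generated and embedded in the returned hash.
function registerUser(array &$users, string $username, string $password): void {
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: accept either scheme, migrate legacy rows, and rehash when the
// default algorithm or cost changes. Returns true only for a correct password.
function loginUser(array &$users, string $username, string $password): bool {
    if (!isset($users[$username])) {
        // Spend comparable time so an unknown username is not revealed by timing.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    $stored = $users[$username];
    // password_get_info() reports algo 0 (or null on 7.4+) for values not made by password_hash().
    if (empty(password_get_info($stored)['algo'])) {
        if (!hash_equals($stored, legacyHash($password))) {
            return false;
        }
        $users[$username] = password_hash($password, PASSWORD_DEFAULT); // migrate
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$users = ['olduser' => legacyHash('correct horse')];   // constructed legacy row
registerUser($users, 'newuser', 'battery staple');

var_dump(loginUser($users, 'newuser', 'battery staple'));  // correct password
var_dump(loginUser($users, 'newuser', 'wrong'));           // wrong password
var_dump(loginUser($users, 'olduser', 'correct horse'));   // legacy row, now migrated
var_dump(strpos($users['olduser'], '$2y$') === 0);         // legacy row now holds bcrypt
```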
#21 Jacques1 (Devshed Expert)
    The password functions you mention aren't available in PHP < 5.5. They require a library like password_compat or PHPass.

    But it's all explained in the link above.
#22 Registered User (Devshed Newbie)
    Originally Posted by aysiu
    What Jacques1 means is you should, instead of
    PHP Code:
    $hashedPass = sha1(md5($password));
    do
    PHP Code:
    $hashedPass = password_hash($password, PASSWORD_DEFAULT);
    or
    PHP Code:
    $hashedPass = password_hash($password, PASSWORD_BCRYPT);
    Later on, when you want to match the password against the hash you created, you do
    PHP Code:
    if (password_verify($password, $hashedPass)) {
        // the password matches the stored hash: log the user in
    }


    By the way, in your registration process, do you actually verify the email address is a real existing email that can receive emails? Not sure if that's important to you or not, but it's something to think about.
    Yeah, I will add that, thank you!
#23 Registered User (Devshed Newbie)
    Hello guys! I've stopped coding PHP now, because there are just too many idiots in this world, which depresses me. Thanks everyone for helping me.
    But I've started with Java again.
    Goodbye
#24 Jacques1 (Devshed Expert)
    Um, what? Who are the idiots? And why on earth do you turn to Java if you want to escape idiocy?
#25 Registered User (Devshed Newbie)
    Because none of those idiots knows Java.
#26 Jacques1 (Devshed Expert)
    So the "idiots" are the people trying to attack your PHP code?