1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    451
    Rep Power
    8
    I've found this; they claim it can get the real IP of the client, even through a proxy:
    PHP Code:
    function get_ip_address() {
        // Every key here except REMOTE_ADDR is a request header, i.e. supplied by the client.
        foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
            if (array_key_exists($key, $_SERVER) === true) {
                // X-Forwarded-For may carry a comma-separated list; return the first valid entry.
                foreach (explode(',', $_SERVER[$key]) as $ip) {
                    $ip = trim($ip);
                    if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
                        return $ip;
                    }
                }
            }
        }
        return null;
    }

    see also: http://www.kavoir.com/2010/03/php-ho...-visitors.html
  2. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by derplumo
    ... what to do...
    You cannot do anything -- unless you require your users to send a copy of their ID card or driver's licence or at least call them personally.

    And that's a good thing. Would you want anybody to be able to track you and identify you? I don't.

    Like I said, you can track average visitors that don't have a lot of technical knowledge. You cannot track experienced users. And the better the tracking technique, the more you annoy your users and violate their privacy.

    Make a cookie, store an identifier in local storage and possibly set up a registration form. That's it.



    Originally Posted by derplumo
    And unfortunately, I have to use PHP (when we talked about the triggers), I have to use phpMyAdmin... how do I do that?
    Simply set "active" to 0 for all existing requests of the user before you insert a new request.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  3. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    451
    Rep Power
    8
    OK, thank you very much, I'm learning every minute. But the reset_key is a random token; can I use the RNG (last posted, original) for that?

    And 'active' is set to 0 every time you insert a new row, but why is this? I don't think I get it completely.

    Can you also please give code for how I can get a user's IP? A lot of people want to validate the real IP, so the code isn't only to get the readable IP.
    Last edited by derplumo; April 19th, 2013 at 02:59 PM.
  4. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by derplumo
    but the reset_key is a random token; can I use the RNG (last posted, original) for that?
    Yes, that's the whole purpose of it.



    Originally Posted by derplumo
    And 'active' is set to 0 every time you insert a new row, but why is this? I don't think I get it completely.
    You never want more than one request token being active at the same time, because this would obviously increase the risk of somebody guessing or stealing it.

    So sending 10 reset requests one after another should not result in 10 tokens waiting to be used. Instead, every new request should invalidate all previous ones.



    Originally Posted by derplumo
    Can you also please give code for how I can get a user's IP? A lot of people want to validate the real IP, so the code isn't only to get the readable IP.
    I already tried to explain that you cannot reliably identify users, not even their "real" IP address. No matter how hard you try.

    When a visitor uses a proxy server, the only authentic IP address you get is the IP of the server. The server may choose to inform you about the original IP address by sending it through a header (that's what the code above fetches), but this information is purely optional, and there's no way to verify it. Anonymous proxies obviously do not send the original IP, because this would defeat their whole purpose.

    Yes, you can try your best and check all kinds of headers. For the average visitor you'll get a good success rate (just like with the cookies). But if somebody wants to stay anonymous and circumvent your protection, he/she can do that any time with no effort. There's nothing you can do about that.

    If you want to discuss this further, please create a new thread, because this is a very different topic.
  5. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    451
    Rep Power
    8
    OK, thank you. So I can delete the request_ip column from the table `responses`, right?

    Because when a normal person asks for the reset, this would be excessive, and when the 'bad' person wants to reset the password, he would use a proxy. So the request_ip is useless...
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    1
    Rep Power
    0
    I have an issue: my roommate can't log onto the site with this code. Can you tell me how to fix it? It keeps redirecting him to the login page when he tries to log in.
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by derplumo
    So the request_ip is useless...
    No, because it's not meant to reliably identify an attacker or something. It's an indicator for anomalies, and it allows further analysis of possible attacks.

    If you get a reset request from China for a user living in the USA, that would be suspicious. It doesn't mean you can track down the actual person who has made the request. It doesn't even mean there is a problem. Maybe the user is on a business trip or simply uses a Chinese proxy. But information like that is worth being stored.

    This is even more important for logins. A massive amount of failed login attempts from a particular IP address points to a brute force attack. Whether the IP is "real" or just a proxy doesn't matter.
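The two points made in posts 4 and 7 are easy to get wrong in code: the naive function from post 1 returns whatever the client wrote into X-Forwarded-For, while REMOTE_ADDR is the only address the TCP connection vouches for. The following is an added example, not code from the thread or from its authors. It trusts a forwarding header only when the direct peer is a reverse proxy we operate (the address in TRUSTED_PROXIES is an assumption), and then uses the resulting address the way post 7 describes, as an anomaly signal (counting failed logins per address), not as proof of who the user is. The request arrays and login rows at the bottom are constructed for the demo.

```php
<?php
// Added example. Assumption: our own reverse proxy sits at 10.0.0.5 and appends
// the address of its peer to X-Forwarded-For. Any other value is an assumption too.
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Resolve the client address for logging and anomaly detection.
 * REMOTE_ADDR is the direct peer. X-Forwarded-For is consulted only when that
 * peer is one of our proxies, and then the right-most entry that is not itself
 * one of our proxies is used: that is the address our proxy actually saw.
 * Entries to the left of it were supplied by the client and are ignored, so
 * forging the header gains the client nothing.
 */
function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // malformed peer address: unknown, do not fall back to headers
    }
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote; // no proxy of ours in the path, headers are untrusted
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], TRUSTED_PROXIES, true)) {
            continue; // skip our own proxies when several are chained
        }
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        break; // garbage in the header: stop and fall back to the proxy address
    }
    return $remote;
}

/**
 * Count failed logins per address within $window seconds before $now and
 * return the addresses at or above $threshold, most active first.
 * Each row: ['ip' => string, 'ok' => bool, 'ts' => unix timestamp].
 * Whether the address is "real" or a proxy does not matter here; a burst of
 * failures from one address is the signal (post 7).
 */
function suspicious_ips(array $attempts, int $now, int $window, int $threshold): array
{
    $counts = [];
    foreach ($attempts as $a) {
        if ($a['ok'] || $now - $a['ts'] > $window) {
            continue;
        }
        $counts[$a['ip']] = ($counts[$a['ip']] ?? 0) + 1;
    }
    $counts = array_filter($counts, function ($c) use ($threshold) {
        return $c >= $threshold;
    });
    arsort($counts);
    return $counts;
}

// Constructed requests: the first comes straight from the client, which forged
// X-Forwarded-For; the second came through our proxy, which appended its peer.
$direct   = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.9'];
echo client_ip($direct), PHP_EOL;    // forged header is ignored
echo client_ip($viaProxy), PHP_EOL;  // the address our proxy saw, not the forged one

// Constructed login log: 25 failures in under a minute from one address,
// one failure followed by a success from another.
$now = 1700000000;
$attempts = [];
for ($i = 0; $i < 25; $i++) {
    $attempts[] = ['ip' => '198.51.100.9', 'ok' => false, 'ts' => $now - $i * 2];
}
$attempts[] = ['ip' => '203.0.113.7', 'ok' => false, 'ts' => $now - 10];
$attempts[] = ['ip' => '203.0.113.7', 'ok' => true,  'ts' => $now - 5];
print_r(suspicious_ips($attempts, $now, 300, 20));
```

The trusted-proxy list is the whole point: without it, the header walk degenerates into the post 1 function and an attacker can make every failed login appear to come from a different address.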
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,316
    Rep Power
    7171
    The only situation when this is false is when /dev/urandom has run out of entropy.
    While that may be true in the current implementation, the specifications do not state that the function only returns false when /dev/urandom has run out of entropy. Specifically, the specifications for the parameter say:
    this will hold a boolean value that determines if the algorithm used was "cryptographically strong", e.g., safe for usage with GPG, passwords, etc. TRUE if it did, otherwise FALSE
    It would be entirely within the specifications of this function for it to return false for some reason other than /dev/urandom having run out of entropy, and even if it does not do so now, it could do so in the future. Additionally, since this particular parameter relies directly on the value returned from the OpenSSL library, any change to the behavior of OpenSSL would directly affect the PHP function as well - possibly without the PHP maintainers even knowing it.

    The specifications for the function specifically state that the result is not safe to use for passwords if $crypto_strong is false, and it is irresponsible to not check the value when the entire purpose of the function is to generate a value to use for passwords.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
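Posts 2 and 4 describe the token rule (a new reset request deactivates every earlier one, so at most one token is live) and post 8 insists that the strong-randomness flag be checked. Both fit in one piece of code, so here is an added example that is not code from the thread or from the library being discussed. It assumes the RNG under discussion is openssl_random_pseudo_bytes() with its $crypto_strong parameter, a PDO connection, and a `responses` table with the columns shown in the CREATE TABLE (the table layout, the SQLite demo database, and the one-hour token lifetime are all assumptions).

```php
<?php
// Added example. Assumed table: responses(id, user_id, token_hash, active, created_at).

/** 32 random bytes from OpenSSL; refuse to continue if the source was not strong (post 8). */
function reset_token(): string
{
    $strong = false;
    $bytes = openssl_random_pseudo_bytes(32, $strong);
    if ($bytes === false || $strong !== true) {
        // Fail closed: a guessable reset token is worse than no reset at all.
        throw new RuntimeException('No cryptographically strong randomness available');
    }
    return bin2hex($bytes); // 64 hex characters, sent to the user out of band
}

/**
 * Issue a new reset token for $userId. Every earlier request of that user is
 * deactivated first, in the same transaction, so only one token can ever be
 * redeemed (posts 2 and 4). Only a hash is stored, so a leaked table does not
 * hand out usable tokens.
 */
function issue_reset(PDO $db, int $userId): string
{
    $token = reset_token();
    $db->beginTransaction();
    try {
        $off = $db->prepare('UPDATE responses SET active = 0 WHERE user_id = :uid AND active = 1');
        $off->execute([':uid' => $userId]);
        $ins = $db->prepare('INSERT INTO responses (user_id, token_hash, active, created_at)
                             VALUES (:uid, :hash, 1, :now)');
        $ins->execute([':uid' => $userId, ':hash' => hash('sha256', $token), ':now' => time()]);
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return $token;
}

/**
 * Redeem a token: it must match the single active row and be younger than
 * $maxAge seconds. Returns the user id, or null if the token is not usable.
 * The row is deactivated on success, so a token works exactly once.
 */
function redeem_reset(PDO $db, string $token, int $maxAge = 3600): ?int
{
    $stmt = $db->prepare('SELECT id, user_id, created_at FROM responses
                          WHERE token_hash = :hash AND active = 1');
    $stmt->execute([':hash' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || time() - (int)$row['created_at'] > $maxAge) {
        return null;
    }
    $db->prepare('UPDATE responses SET active = 0 WHERE id = :id')->execute([':id' => $row['id']]);
    return (int)$row['user_id'];
}

// Demo on an in-memory SQLite database (assumption: pdo_sqlite is installed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE responses (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER,
           token_hash TEXT, active INTEGER, created_at INTEGER)');

$first  = issue_reset($db, 42);
$second = issue_reset($db, 42);          // deactivates $first
var_dump(redeem_reset($db, $first));     // the superseded token
var_dump(redeem_reset($db, $second));    // the current token
var_dump(redeem_reset($db, $second));    // the same token a second time
```

Running the demo shows the three properties the thread asks for: the superseded token is rejected, the current one yields the user id, and a second redemption of the same token is rejected. The UPDATE-then-INSERT in one transaction is the plain-SQL equivalent of the trigger discussed earlier in the thread.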
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Like the author of the library points out, the salt doesn't need to be perfectly random. Only random enough to be unique and not predictable (under normal circumstances). And that's exactly what the underlying OpenSSL function RAND_pseudo_bytes() does.

    Actually, if you're after very strong random numbers, a fallback to /dev/urandom would make even less sense, because it doesn't guarantee perfect randomness either. You'd have to read from /dev/random and block the registration form if there's not enough entropy.

    The PHP documentation isn't very useful in that case. What do they even mean by "passwords"? Generating a password? Encrypting it? Generating a salt for hashing the password? Could be anything.

    Anyway, I think it's generally a good idea to not touch cryptographic libraries. If you're sure the author has made a mistake, why not make a pull request and have the change approved by him?
  10. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    8
    Rep Power
    0
    Excellent code,
    thanks.

    Let me emphasize a little on security.
    This code uses session_start, which suggests vulnerabilities like
    1. session fixation
    2. session hijacking
    3. brute force attack, since the login attempt count is not updated

    Thanks.
  11. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    451
    Rep Power
    8
    Jacques, instead of using a trigger to deactivate all the previous tokens, maybe I could use this code:
    PHP Code:
    // Check that the request row exists before writing a new token into it.
    $query = "SELECT 1
        FROM responses
        WHERE id = :id";

    $query_params = array(
        ':id' => $_POST['id']
    );

    $stmt = $db->prepare($query);
    $result = $stmt->execute($query_params);

    $row = $stmt->fetch();
    if ($row !== false)
    {
        $query = "UPDATE responses
            SET token = :token
            WHERE id = :id";

        $query_params = array(
            ':id' => $_POST['id'],
            ':token' => $token
        );

        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }

  12. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    That makes no sense to me. Why does the ID come from the POST data? Why did you go back to your old table design?
  13. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    451
    Rep Power
    8
    Whoops, sorry, I forgot to put the variables in the URL, but apart from that, is it good?

    I'm working on a new version. Now I'm going to put the variables in the URL.

    Then I think we're done for this script, or I may have missed something. I will post the definitive password recovery scripts when ready.
    Last edited by derplumo; April 24th, 2013 at 04:10 PM.
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    1
    Rep Power
    0
    Hello. First of all, my English is bad, but I'm going to try to explain as well as I can.

    I have been following your tutorial and I can't get it to work. First of all, should I set every page with doctype, head and body tags? I have at least put those tags in the register and login files, but I got broken links when launching the site at localhost. I have also created a table in MySQL on one.com's web server. I would be grateful for help! Thank you.
  15. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    451
    Rep Power
    8
    OK, I think I am at the last piece of my scripts... I now only have to let the tokens expire, but how do I do this? It just doesn't seem to work for me...
