    #76
    --
    Devshed Expert (3500 - 3999 posts)
    Originally Posted by derplumo
    what is safer:

    SHA256 or SHA512
    Neither. Instead of fumbling with your own algorithm, use an established and well-tested library like PHPass. The first rule of security is: Don't roll your own.

    The code posted by E-Oreo is great for learning and understanding the concept of salts and iterative hashing, but when it comes to real life, use a library.



    Originally Posted by derplumo
    and an other one, for executing the query I use:

    $query = "SELECT username FROM member WHERE username='$username'";
    $result = mysqli_query($cxn,$query)
    or die("Couldn't execute query.");
    Do not insert raw values into query strings.

    It's kind of funny that you worry about SHA-256 vs. SHA-512, while your database code is wide open to SQL injections. That's like spending $10,000 on the security of your front door and then forgetting to lock it.

    Always use prepared statements. Erase this "... WHERE name = $name" stuff from your memory (wherever you got it from).
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
    #77
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Thanks, but how would you secure your passwords then? And how do I prevent the injections then? Like described by the tutorial, or another way?

    I'm rather green in the secure use of PHP.
    #78
    --
    Devshed Expert (3500 - 3999 posts)
    The two links are references, I didn't post them just for fun.

    The "do not insert ..." link even contains a complete example of how to use PHPass. And both this tutorial and my link contain examples of how to use prepared statements. That should be all you need.
    #79
    Contributing User
    Devshed Newbie (0 - 499 posts)

    thanks!


    thank you
    #80
    Lost in code
    Devshed Supreme Being (6500+ posts)
    what is safer:
    SHA256 or SHA512
    In this application, for all practical purposes they are equivalent in terms of security. SHA512, by virtue of being longer, is less likely to result in collisions. However, the chance of collisions in SHA256 is extremely low already, and the impact of a collision is less significant for password-storage applications than it is for other uses of hashes.

    Both functions come from the same "family" of hash functions, which means that a vulnerability found in one is likely to exist in the other. If a vulnerability is found in the future, then SHA512 could become considered far more secure than SHA256. However, in that situation the whole family would be considered broken and use of any members of the family would not be recommended.

    and an other one, for executing the query I use:

    $query = "SELECT username FROM member WHERE username='$username'";
    $result = mysqli_query($cxn,$query)
    or die("Couldn't execute query.");

    $cxn has the connection-information.

    Is the other method (the one in the tutorial here with
    ->execute()) better or this one?
    If $username is properly escaped using mysqli_real_escape_string, then there is no difference in security between the method used in this tutorial and that code. If $username is not properly escaped, then the code you posted contains a SQL injection vulnerability and is far less secure than the code used in this tutorial.

    In general, it is better to stick with the prepared statements method used in this tutorial because you are less likely to make mistakes that result in exploits. Additionally, it is easier for other programmers to see that your code is secure when they read it.


    PHPass is a wrapper for PHP's crypt() function, which can optionally use SHA256 or SHA512 as its underlying algorithm.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
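Added example, not code from this thread or from PHPass: the lookup from the quoted snippet done the injectable way (pasting the input into the SQL, as post #76 warns against) beside the prepared-statement form both repliers recommend, plus password verification through crypt()'s SHA-512 mode, which E-Oreo describes as what PHPass wraps. It runs against an in-memory SQLite database built inline and assumes the pdo_sqlite extension and PHP 7.1 or later; the account, the fixed salt and the test input are constructed here.

```php
<?php
// Added example (not the thread's code or PHPass): one user lookup done the
// injectable way and the prepared-statement way, against an in-memory SQLite
// database built right here. Assumes the pdo_sqlite extension and PHP >= 7.1.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE member (username TEXT PRIMARY KEY, password TEXT NOT NULL)");

// Constructed account. crypt() with a "$6$" prefix selects SHA-512 with a
// per-user salt and a work factor, the kind of crypt() scheme E-Oreo says
// PHPass wraps (PHPass itself prefers bcrypt). The salt is fixed only to keep
// the example reproducible; real code derives it from random_bytes().
$stored = crypt('Correct Horse', '$6$rounds=50000$0123456789abcdef$');
$ins = $db->prepare("INSERT INTO member (username, password) VALUES (:u, :p)");
$ins->execute([':u' => "o'brien", ':p' => $stored]);

// 1) The quoted snippet's approach: the input is pasted into the SQL text.
// Even a legitimate name with an apostrophe breaks the statement, because the
// database cannot tell where the data ends and the SQL begins.
function lookupInterpolated(PDO $db, string $username): string
{
    $query = "SELECT username FROM member WHERE username='$username'";
    try {
        $db->query($query)->fetchColumn();
        return 'query ran';
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// 2) Prepared statement: the SQL text is fixed and the value is sent
// separately, so whatever the input contains, it is only ever data.
function lookupPrepared(PDO $db, string $username): ?string
{
    $stmt = $db->prepare("SELECT password FROM member WHERE username = :username");
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

// Verify by re-running crypt() with the stored hash as the salt argument:
// crypt() reads algorithm, rounds and salt back out of it. hash_equals()
// keeps the comparison constant-time.
function passwordMatches(?string $storedHash, string $candidate): bool
{
    if ($storedHash === null) {
        return false;
    }
    return hash_equals($storedHash, crypt($candidate, $storedHash));
}

echo lookupInterpolated($db, "o'brien"), "\n";
var_dump(passwordMatches(lookupPrepared($db, "o'brien"), 'Correct Horse'));
var_dump(passwordMatches(lookupPrepared($db, "o'brien"), 'wrong guess'));
```

The interpolated lookup fails on an ordinary apostrophe, which is the same weakness an attacker abuses; the prepared lookup returns the stored hash and the verification succeeds only for the right password.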
    #81
    Registered User
    Devshed Newbie (0 - 499 posts)
    Thanks, I have modified the header on the file private.php to this and it works when I load the file through the explorer once I am logged in:

    PHP Code:
    if(empty($_SESSION['user']))
    {
        // If they are not, we redirect them to the login page.
        header("Location: login.php");

        // Remember that this die statement is absolutely critical.  Without it,
        // people can view your members-only content without logging in.
        die("Redirecting to login.php");
    }
    if($_SESSION['user']['nivel'] != '2')
    {
        // If they are not, we redirect them to the login page.
        header("Location: login.php");

        // Remember that this die statement is absolutely critical.  Without it,
        // people can view your members-only content without logging in.
        die("Redirecting to login.php");
    }
    But I don't know how to redirect in the login.php. I did this but it goes to index.php no matter what access level the user has.

    PHP Code:
    $_SESSION['user'] = $row;

    // Redirect the user to the private members-only page.
    if($_SESSION['user']['nivel'] = '1')
    {
        header("Location: index.php");
        die("Redirecting to: index.php");
    }
    if($_SESSION['user']['nivel'] = '2')
    {
        header("Location: index2.php");
        die("Redirecting to: index2.php");
    }
    #82
    Lost in code
    Devshed Supreme Being (6500+ posts)
    A single = is an assignment, a double == is a comparison.
    #83
    Registered User
    Devshed Newbie (0 - 499 posts)
    Originally Posted by E-Oreo
    A single = is an assignment, a double == is a comparison.
    In Spanish CUEK. That means "daaaa".

    Thanks for the help, it works perfectly!!!!
    #84
    Registered User
    Devshed Newbie (0 - 499 posts)
    Hey, I am fairly new to PHP, and I tried adding user validation to the register.php page. I want to make it so if the user enters something invalid, they get an error and stay on the same page rather than killing the script. I receive all of the errors if the username or email have already been registered, yet do not receive any if the username and email are already registered. I know this is something simple, yet I cannot figure it out. Any advice would be greatly appreciated.

    PHP Code:
    <?php
        require("common.php");

        $submitted_username = '';
        $submitted_email = '';

        if(!empty($_POST))
        {
            // Ensure that the user has entered a non-empty username
            if(empty($_POST['username']) === true)
            {
                echo('You need to enter a username<br>');
            }

            // Ensure that the user has entered a non-empty password
            if(empty($_POST['password']) === true)
            {
                echo('You need to enter a password<br>');
            }
            if ($_POST['password'] != $_POST['password_confirmation']){
                echo('Passwords do not match<br>');
            }
            if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
            {
                echo ('Please enter a valid email address<br>');
            }
            if(preg_match("/^[0-9a-zA-Z_]{6,16}$/", $_POST['username']) === 0){
                echo ('Username must be between 6-16 characters long, containing only digits, letters and underscores.<br>');
            }
            // The length lookahead is anchored with $ so the 16-character maximum is enforced as well as the minimum
            if(preg_match("/^(?=.{6,16}$)(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/", $_POST['password']) === 0){
                echo ('Password must be between 6-16 characters and must contain at least one lower case letter, one upper case letter and one digit');
            }

            $query = "
                SELECT
                    1
                FROM users
                WHERE
                    username = :username
            ";

            $query_params = array(
                ':username' => $_POST['username']
            );

            try
            {
                // These two statements run the query against the database table.
                $stmt = $db->prepare($query);
                $result = $stmt->execute($query_params);
            }
            catch(PDOException $ex)
            {
                die("Failed to run query: " . $ex->getMessage());
            }

            $row = $stmt->fetch();

            if($row)
            {
                echo("This username is already in use<br>");
            }

            $query = "
                SELECT
                    1
                FROM users
                WHERE
                    email = :email
            ";

            $query_params = array(
                ':email' => $_POST['email']
            );

            try
            {
                $stmt = $db->prepare($query);
                $result = $stmt->execute($query_params);
            }
            catch(PDOException $ex)
            {
                die("Failed to run query: " . $ex->getMessage());
            }

            $row = $stmt->fetch();

            if($row)
            {
                echo("This email address is already registered<br>");
            }

            $query = "
                INSERT INTO users (
                    username,
                    password,
                    salt,
                    email
                ) VALUES (
                    :username,
                    :password,
                    :salt,
                    :email
                )
            ";

            // Random per-user salt: two hex-encoded 31-bit values
            $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));

            // Salted, iterated SHA-256 hash of the password
            $password = hash('sha256', $_POST['password'] . $salt);

            for($round = 0; $round < 65536; $round++)
            {
                $password = hash('sha256', $password . $salt);
            }

            $query_params = array(
                ':username' => $_POST['username'],
                ':password' => $password,
                ':salt' => $salt,
                ':email' => $_POST['email']
            );

            try{
                $stmt = $db->prepare($query);
                $result = $stmt->execute($query_params);

                header("Location: login.php");
                die("Redirecting to login.php");
            }
            catch(PDOException $ex)
            {
                // Keep the submitted values (HTML-escaped) so the form can be re-displayed safely
                $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
                $submitted_email = htmlentities($_POST['email'], ENT_QUOTES, 'UTF-8');
            }
        }
    ?>
    <h1>Register</h1>
    <form action="register2.php" method="post">
        Username:<br />
        <input type="text" name="username" value="" />
        <br /><br />
        E-Mail:<br />
        <input type="text" name="email" value="" />
        <br /><br />
        Password:<br />
        <input type="password" name="password" value="" />
        <br /><br />
        Password Confirmation:<br />
        <input type="password" name="password_confirmation" value="" />
        <br /><br />
        <input type="submit" value="Register" />
    </form>
    #85
    Registered User
    Devshed Newbie (0 - 499 posts)

    register form in logged in only page


    Hi,

    I'm trying to put the register form inside a page that can only be accessed by a logged-in user, the idea being that only people logged in as an administrator (I have added an extra field for user types) can add new users to the system.

    I am able to submit the form and add the data to the database, but when the script has completed and I get to the part of the script which redirects the user to a different page, I encounter the following error:

    Warning: Cannot modify header information - headers already sent by (output started at /home/XXXXX/public_html/base/data/newuser.php:36) in /home/XXXXX/public_html/base/data/newuser.php on line 216
    Redirecting to newuser.php?res=UA

    Can anybody help me to fix this error and successfully redirect the user to newuser.php?res=UA after the register form has been submitted?


    Thanks,
    Matt
    #86
    Registered User
    Devshed Newbie (0 - 499 posts)
    Thanks for the tutorial.

    A simple test with Wireshark and I'm able to see the user and password inserted: "username=admin&password=admin&submit=Login"
    How can I improve the security here?

    Thanks
    #87
    --
    Devshed Expert (3500 - 3999 posts)
    Originally Posted by metRo_
    How can I improve the security here?
    By using TLS/SSL.
    #88
    Registered User
    Devshed Newbie (0 - 499 posts)
    Originally Posted by Jacques1
    By using TLS/SSL.
    Thanks

    Seeing the login details using Wireshark will only be possible if all the users are in an Ethernet network or an unsecured wireless network, right?
    #89
    Registered User
    Devshed Newbie (0 - 499 posts)
    If I calculate the hash on the client side, will it be more secure? The hacker will be able to see that, but at least won't know the password of the user to try on other sites.
    #90
    Lost in code
    Devshed Supreme Being (6500+ posts)
    Seeing the login details using Wireshark will only be possible if all the users are in an Ethernet network or an unsecured wireless network, right?
    The traffic is visible to your local area network and any routers or gateways that it passes through on the way to or from the destination server.

    If I calculate the hash on the client side, will it be more secure? The hacker will be able to see that, but at least won't know the password of the user to try on other sites.
    No. If security of the information while it is in transit is an issue, you need to use TLS/SSL (https). That is the only accepted solution for this particular security issue. Client side hashing using JavaScript serves no useful purpose as far as security is concerned.
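Added example, not from the thread or the tutorial it discusses: a guard at the top of a PHP login page that refuses to process the form unless the request arrived over TLS, then sets the HSTS header and session-cookie flags so neither the next form request nor the session cookie goes out in the clear. It assumes the usual $_SERVER keys populated by Apache or nginx (HTTPS, HTTP_HOST, REQUEST_URI, and HTTP_X_FORWARDED_PROTO when a proxy terminates TLS in front of PHP).

```php
<?php
// Added example, not the thread's code. Credentials are only protected in
// transit when the page that serves AND receives the login form is itself
// reached over TLS; this guard enforces that before anything else runs.
// Assumes the standard $_SERVER keys set by Apache/nginx.

function requestIsHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Behind a TLS-terminating proxy this header is the only signal; trust it
    // only when that proxy is known to overwrite client-supplied copies of it.
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

if (!requestIsHttps($_SERVER)) {
    // Do not log, echo or store the submitted fields here: if this was a POST
    // they have already crossed the network unencrypted, so treat them as
    // exposed and just send the browser to the HTTPS version of the form.
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 303);
    die('Redirecting to the HTTPS version of this page');
}

// Only honoured by browsers when received over HTTPS (which is guaranteed at
// this point): from now on the browser upgrades http:// links and bookmarks
// for this host before the form is ever requested in the clear.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// The session cookie issued after a successful login must not leak either.
session_set_cookie_params([
    'secure'   => true,   // sent only over TLS
    'httponly' => true,   // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();
```

The redirect protects future requests only; a password that has already been submitted over plain HTTP should be treated as compromised, which is why the guard never touches $_POST.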