secure register / login

what is the best way?

         

John_Keates

11:12 am on Jun 5, 2005 (gmt 0)

10+ Year Member



Got a little security problem...

I am building my own login/register script with PHP 5 and a mysqli database. It works fine but there are security-related problems:

- the input is not checked when registering
- there is no protection to stop registering over an existing user
- the input is only strip_tags filtered because I don't know other ways to filter

- more, more, more

The little help I need is a little script that checks for length, valid characters, HTML/PHP/SQL commands, and already existing users

what I've got:

<?php
if(isset($_POST['go']) && isset($_POST['action'])) {

//option:

/*
$fullname = htmlentities($_POST['fullname']);
$mailad = htmlentities($_POST['mailad']);
$pass1 = htmlentities($_POST['pass1']);
$pass2 = htmlentities($_POST['pass2']);
$nickname = htmlentities($_POST['nickname']);
*/

//or

$fullname = strip_tags($_POST['fullname']);
$mailad = strip_tags($_POST['mailad']);
$pass1 = strip_tags($_POST['pass1']);
$pass2 = strip_tags($_POST['pass2']);
$nickname = strip_tags($_POST['nickname']);

//database input
include("../mysqli_connect.inc.php");

//format
//(id, uname, pass, email, key, full_name)

$sql = "INSERT INTO user_id VALUES ('', '$nickname', '$pass1', '$mailad', '', '$fullname')";

//format
// (id, nickname, function, content)

$sql2 = "INSERT INTO user_stat VALUES ('', '$nickname', 'last_logon', '')";
$sql3 = "INSERT INTO user_stat VALUES ('', '$nickname', 'last_logoff', '')";
$sql4 = "INSERT INTO user_stat VALUES ('', '$nickname', 'login_count', '')";
$sql5 = "INSERT INTO user_stat VALUES ('', '$nickname', 'logout_count', '')";

echo $mysqli->query($sql);
echo "<BR>";
echo $mysqli->query($sql2);
echo "<BR>";
echo $mysqli->query($sql3);
echo "<BR>";
echo $mysqli->query($sql4);
echo "<BR>";
echo $mysqli->query($sql5);
echo "<BR>";

$mysqli->close();


} else {
echo "Input fault";
}

?>

I know this is very insecure but I can't help it, I don't know how to use things such as ereg(), trim() or the str functions

J

mcibor

12:30 pm on Jun 5, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You don't need to strip tags, as you don't post them. With a database, use

$fullname = mysql_real_escape_string($_POST["fullname"]);

or even better strip all the ', ", \, / and %

function my_var($var) {
    $from = array("'", "\"", "\\", "/", "%");
    $to = "";
    if (!isset($_POST[$var])) return false;
    // empty() on a function result is a fatal error before PHP 5.5, so compare directly
    if (trim($_POST[$var]) === "") return false;
    return str_replace($from, $to, $_POST[$var]);
}

To get the value just:
$fullname = my_var("fullname"); //you can also write if(!$fullname = ..) echo "Please input your fullname"; etc

Hope this will help you somehow
Michal Cibor

mcibor

5:52 pm on Jun 5, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Moreover, make a validation in JavaScript and PHP. To check the length of the password use
if (strlen($pass1) < 8) {
    echo "The password must have at least 8 characters";
    // rewrite the form
}
check if $pass1 == $pass2
check if there are no records with that username in the db:
$sql = "SELECT username FROM table WHERE username='$username';";
$query = mysql_query($sql) or die(mysql_error());
if (mysql_num_rows($query)) {
    // this username is already used
}

Moreover, DON'T PUT THE PASSWORD IN PLAIN TEXT! Always hash it!:
$sql = "INSERT INTO user_id VALUES ('', '$nickname', '".md5($pass1)."', '$mailad', '', '$fullname')";

And I think that would be it.
Best regards
Michal Cibor

PS. Use Google to search WebmasterWorld for ready login scripts and add-user scripts and learn from them.

John_Keates

7:15 pm on Jun 9, 2005 (gmt 0)

10+ Year Member



Thank you, now I know what I needed to know :-)

John

pauluskc

8:50 pm on Jun 9, 2005 (gmt 0)

10+ Year Member



On existing users, you're going to have to choose the piece of identifying information and work with that.

I use the email address, but in your case, the nickname might be the key. Your choice.

2 ways to do it really.

1) If you have a primary or unique key set up on the "user_id" table, check the result of the insert query on that table... (this is fastest, but requires that the field be a unique/primary key)

----------------------------------

if ($mysqli->affected_rows > 0) {

(.. other insert sql statements ..)

} else {

echo("ERROR, DUPLICATE USERNAME!");

}

----------------------------------

or 2) select from the user_id table before inserting and make sure that the record doesn't exist.

This method may be better on larger databases because select statements don't lock typical MyISAM mysql database tables, while doing an insert does - many people registering at once will slow down the system in the end.

PLUS, you might want to consider using just one row in the user_stat table with those four different stats in one row. Much more efficient for just doing counts of events like you are.

PLUS PLUS, if you allow them to change their nicknames, in the user_stat table you should refer to the id from the user_id table instead of their nickname, otherwise you'll have to update both tables if they make a change.
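Pulling the thread's advice together (John's registration script, mcibor's length/match/duplicate/hash checks, pauluskc's unique-key and id-based-stats points) as one added example; this is not code anyone in the thread posted. It assumes PHP 7.1+, an InnoDB `user_id` table with a UNIQUE index on `uname`, a `user_stat` table holding one row per user keyed by `user_id`, and the `$mysqli` connection from John's include; the column names beyond the thread's are assumptions. Instead of stripping or escaping input it binds parameters, and it uses password_hash() in place of md5().

```php
<?php
// Added example for this thread, not code posted in it. Assumes PHP 7.1+, an InnoDB
// user_id table (id AUTO_INCREMENT, uname UNIQUE, pass, email, full_name), a user_stat
// table with one row per user keyed by user_id (counters default to 0), and an open
// mysqli $mysqli in its default non-exception mode. Returns null on success.
function register_user(mysqli $mysqli, array $post): ?string {
    $nick  = trim($post['nickname'] ?? '');
    $mail  = trim($post['mailad'] ?? '');
    $name  = trim($post['fullname'] ?? '');
    $pass1 = $post['pass1'] ?? '';
    $pass2 = $post['pass2'] ?? '';
    // 1. Validate by accepting a known-good shape, not by stripping "bad" characters.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}\z/', $nick)) {
        return 'Nickname must be 3-20 letters, digits or underscores';
    }
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid e-mail address';
    }
    if ($name === '' || mb_strlen($name) > 100) {
        return 'Full name is required (max 100 characters)';
    }
    if (strlen($pass1) < 8) {
        return 'The password must have at least 8 characters';
    }
    if ($pass1 !== $pass2) {
        return 'Passwords do not match';
    }
    // 2. Store a salted, slow hash; never the plain password or a bare md5().
    //    The password is not strip_tags()ed or escaped: it is neither HTML nor SQL.
    $hash = password_hash($pass1, PASSWORD_DEFAULT);
    // 3. Prepared statement: values travel as bound parameters, so a quote, % or --
    //    in the input stays data and never becomes SQL syntax.
    $mysqli->begin_transaction();
    $stmt = $mysqli->prepare(
        'INSERT INTO user_id (uname, pass, email, full_name) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $nick, $hash, $mail, $name);
    if (!$stmt->execute()) {
        $mysqli->rollback();
        // 4. The UNIQUE index is the authoritative duplicate check (1062 = ER_DUP_ENTRY);
        //    a SELECT-then-INSERT check can race with a concurrent registration.
        return $stmt->errno === 1062 ? 'That nickname is already taken' : 'Registration failed';
    }
    // 5. Link the stats row by numeric id, so a nickname change touches one table.
    $uid  = $mysqli->insert_id;
    $stat = $mysqli->prepare('INSERT INTO user_stat (user_id) VALUES (?)');
    $stat->bind_param('i', $uid);
    if (!$stat->execute()) { $mysqli->rollback(); return 'Registration failed'; }
    $mysqli->commit();
    return null;
}
```

On PHP 8.1+ mysqli throws mysqli_sql_exception by default, so the execute() failure branches would become catch blocks instead.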

John_Keates

9:28 pm on Jun 9, 2005 (gmt 0)

10+ Year Member



Well, I use 2 tables: user_stat and user_id

One holds the pass, user, name;
the other the profile and other stuff like counters, last log in/out and email, address etc..

If the user doesn't exist in user_id it should be created, if not, error (ok so far), but if the error echoes, shall I use exit() to stop the script or a big if() statement around the whole SQL insert?