----- Original Message -----
From: "Ben" <ben@xxxxxxxxxxxxxxxxx>
Newsgroups: php.general
To: "Gustav Wiberg" <gustav@xxxxxxxxxxxxxx>
Sent: Wednesday, September 14, 2005 7:35 PM
Subject: Re: trying to figure out the best/efficient way to tell who
is logged into a site..
Gustav Wiberg wrote:
All you guys, please comment if the code is well or bad written and
why... :-)
Since you asked, a few things popped out from a security perspective,
though I didn't read through your code very thoroughly....
<?php
function chkIfPasswordTrue($un, $pw, $typeUser) {
//Make username and password in-casesensitive
//
$un = strtolower($un);
$pw = strtolower($pw);
Why limit your usernames/passwords to lower case? You've just made them
significantly easier to brute force.
That's a good point. The reason is that our targetgroup users is users with
a little knowledge of computers and therefore it might be easy to miss that
caps-lock is pushed in, and out... and the combination of small and big
letters... But you're right... Probably I'll change this. Thanx!
$sql = $sql . "SELECT IDAnvandare FROM tbanvandare WHERE";
$sql = $sql . " Anvandarnamn=" . safeQuote($un) . " AND";
$sql = $sql . " Losenord=" . safeQuote($pw) . " AND";
Where is your safeQuote() function coming from? From what I can see of
your code you aren't doing any testing against the username and password
before they are used as part of your SQL query. Sure would suck to have
an unauthenticated user drop or otherwise muck with your db!
Hm. The safeQuote() function is always called before these functions are
called and is
<?php
function safeQuote($value)
{
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
// Quote if not integer
if (!is_numeric($value)) {
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
?>
if (isset($_REQUEST["frmUsername"])) {
$un = $_REQUEST["frmUsername"];
If you're going to use $_REQUEST you might as well just turn on register
globals (no, don't!).
*hehe*
If you're expecting a post look for a $_POST, if you're expecting a get
look for a $_GET. Ditto with cookies. You really need to know where your
variables are coming from if you want a measure of security.
Yes, you're right. I wrote this code before I came in contact with $_POST
and $_GET. Thanx again! It's appreciated! :-)
/G
http://www.varupiraten.se/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php