Hello Alex,

Two (stupid?) questions:

1. Why is PHP_SELF better than SCRIPT_NAME?
2. Why is strcmp() better than just comparing?

--
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

------------ Original message ------------
From: Alex Nikitin <niksoft@xxxxxxxxx>
To: PHP General
Date created: , 9:29:35 PM
Subject: A Review Request

I will try to respond to the original question. Note: this is constructive criticism, so I won't do much in terms of praising the good parts.

It works, it's very primitive, and in some ways it's pretty insecure. For example, it provides no session hijacking protection. It's not written with the better standards in mind: for one, if you do store your password in code, you shouldn't store your password in clear text; that way, if, say, I was able to bypass PHP execution and dumped that file out, I would still not have a usable password, so use a hash. There is no timing out or attempt management; for example, I can write a 5-line-long brute script that will just pound your script with user ids and passwords. You should make it at least somewhat difficult for me to do that ;)

Also, don't declare a bunch of needless variables for their one-time use, don't compare unsanitized strings with a binary-unsafe operator, and server variables contain a link to the current script. Here are examples of what I mean:

-$self = basename($_SERVER['SCRIPT_NAME']);
+$self = $_SERVER['PHP_SELF'];

-$submit = isset($_POST['submit']) ? $_POST['submit'] : null;
-if($submit == 'Submit')
+if($_POST)

-$pw = 'pw'; // define your password here
-$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null;
-$password = isset($_POST['password']) ? $_POST['password'] : null;
-if (($user_id == $id) AND ($password== $pw))
+$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the password: php -r "echo sha1(\"pw\");"
+if (@strcmp($id, $_POST['user_id']) == 0 && strcmp($pw, sha1($_POST['password'])) == 0)

--
Alex

--
The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

On Wed, May 18, 2011 at 3:22 PM, tedd <tedd@xxxxxxxxxxxx> wrote:
> Hi gang:
>
> I am considering providing PHP code to the general public via my website.
>
> This is my first attempt:
>
> http://sperling.com/php/authorization/
>
> What do you people think?
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
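Review bot: the `-$self = basename($_SERVER['SCRIPT_NAME']);` / `+$self = $_SERVER['PHP_SELF'];` swap goes in the wrong direction. PHP_SELF includes whatever PATH_INFO the client appends to the URL (for example /login.php/"><script>...), so if $self is echoed into the form's action attribute without htmlspecialchars() it becomes a reflected XSS vector, whereas basename($_SERVER['SCRIPT_NAME']) is derived from the script path the server resolved. Keep the SCRIPT_NAME form, or at the very least emit it as htmlspecialchars($self, ENT_QUOTES).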
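Review bot: `+if($_POST)` only tests that the POST array is non-empty, so any POST without user_id and password fields still enters the branch and the next hunk reads undefined indexes; the `@` in that hunk then hides exactly the notice the removed isset() ternaries were there to prevent. A guard such as `if (isset($_POST['user_id'], $_POST['password']))` keeps the one-liner and the intent of the original check.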
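Review bot: `@strcmp($id, $_POST['user_id']) == 0` is bypassable on PHP 5 and 7. Posting user_id[]=anything makes strcmp() receive an array; it emits a warning (suppressed by the `@`) and returns NULL, and NULL == 0 is true under loose comparison, so the user-id check passes for any value. Compare with `=== 0` (or hash_equals()) and reject non-string input before comparing. Separately, `+$pw='1a91d6...'` is an unsalted sha1() of a short password, which is cracked in seconds from a dumped file; use crypt() with a CRYPT_BLOWFISH salt (PHP 5.3+) or, on 5.5+, password_hash()/password_verify(), which also gives a constant-time comparison.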
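As an added example that is not part of this thread and not tedd's script: the login check below implements the three things Alex's review asks for (a real password hash instead of clear text, a comparison that is safe against both loose-typing tricks and timing differences, and attempt management). It assumes PHP 7.1 or later; USER_ID, the temp-file attempt counter, the 192.0.2.10 client address and the $_POST-style inputs are all constructed for the demo and stand in for a database or cache in real use.

```php
<?php
// Added example, not code from the thread or from tedd's script. Assumes PHP 7.1+.
// USER_ID, the temp-file attempt store and the client address are constructed for
// the demo; in a real deployment the hash and the counters live in a DB or cache.
declare(strict_types=1);

const USER_ID         = 'tedd';  // stands in for the original script's $id
const MAX_ATTEMPTS    = 5;       // failures allowed before a lockout
const LOCKOUT_SECONDS = 300;     // length of the failure window and the lockout

// Generate the stored hash once, offline, with:
//   php -r 'echo password_hash("pw", PASSWORD_DEFAULT), PHP_EOL;'
// It is computed here only so the example runs stand-alone; bcrypt salts itself,
// so the same password yields a different hash every time.
$PW_HASH = password_hash('pw', PASSWORD_DEFAULT);

// Return a POST field only if it is a plain, reasonably short string.
// Arrays (user_id[]=x) and missing fields come back as null.
function postString(array $post, string $key, int $maxLen = 256): ?string {
    if (!isset($post[$key]) || !is_string($post[$key]) || strlen($post[$key]) > $maxLen) {
        return null;
    }
    return $post[$key];
}

// --- Attempt management: a per-client failure counter in a temp file ---
function attemptsFile(string $ip): string {
    return sys_get_temp_dir() . '/login_attempts_' . hash('sha256', $ip);
}

function readAttempts(string $ip): array {
    $f    = attemptsFile($ip);
    $data = is_file($f) ? json_decode((string) file_get_contents($f), true) : null;
    return is_array($data) ? $data : ['count' => 0, 'first' => 0];
}

function clearFailures(string $ip): void {
    $f = attemptsFile($ip);
    if (is_file($f)) { unlink($f); }
}

function recordFailure(string $ip): void {
    $a = readAttempts($ip);
    if ($a['count'] === 0) { $a['first'] = time(); }
    $a['count']++;
    file_put_contents(attemptsFile($ip), json_encode($a), LOCK_EX);
}

function tooManyAttempts(string $ip): bool {
    $a = readAttempts($ip);
    if ($a['count'] === 0) { return false; }
    if (time() - $a['first'] > LOCKOUT_SECONDS) {
        clearFailures($ip);          // window expired, start counting afresh
        return false;
    }
    return $a['count'] >= MAX_ATTEMPTS;
}

// The hardened credential check.
function checkLogin(array $post, string $ip, string $pwHash): bool {
    if (tooManyAttempts($ip)) {
        return false;                // refuse even a correct password while locked out
    }
    $userId   = postString($post, 'user_id');
    $password = postString($post, 'password');
    if ($userId === null || $password === null) {
        recordFailure($ip);
        return false;
    }
    // hash_equals() is a constant-time string compare; strcmp() and == are not.
    $userOk = hash_equals(USER_ID, $userId);
    // Verify the password even when the user id is wrong, so response time
    // does not reveal which of the two was rejected.
    $pwOk = password_verify($password, $pwHash);
    if (!($userOk && $pwOk)) {
        recordFailure($ip);
        return false;
    }
    clearFailures($ip);
    // In a web context call session_regenerate_id(true) here, so a session id
    // fixed or sniffed before login is useless afterwards.
    return true;
}

// --- Demo with constructed inputs (what $_POST would contain) ---
$ip = '192.0.2.10';                  // constructed client address
clearFailures($ip);
$cases = [
    'good'        => ['user_id' => 'tedd',   'password' => 'pw'],
    'wrong pw'    => ['user_id' => 'tedd',   'password' => 'PW'],
    'array trick' => ['user_id' => ['tedd'], 'password' => 'pw'],  // user_id[]=tedd
    'missing'     => ['password' => 'pw'],
];
foreach ($cases as $name => $post) {
    printf("%-12s => %s\n", $name, checkLogin($post, $ip, $PW_HASH) ? 'ACCEPT' : 'REJECT');
}
// A five-line brute-force loop now trips the lockout; the correct password is then refused too.
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    checkLogin(['user_id' => 'tedd', 'password' => 'guess' . $i], $ip, $PW_HASH);
}
printf("%-12s => %s\n", 'locked out', checkLogin($cases['good'], $ip, $PW_HASH) ? 'ACCEPT' : 'REJECT');
clearFailures($ip);
```

Run it with `php login_check.php`: only the first case is accepted, the array and missing-field cases are rejected before any comparison happens, and after the loop the correct password is refused until the lockout window passes. The three failing demo cases count toward the lockout as well, which is deliberate: malformed submissions are treated as attempts, not as free retries.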