Re: A Review Request

Hello Alex,

Two (stupid?) questions:
1. Why is PHP_SELF better than SCRIPT_NAME?
2. Why is strcmp() better than just comparing?

-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

------------ Original message ------------
From: Alex Nikitin <niksoft@xxxxxxxxx>
To: PHP General
Date created: , 9:29:35 PM
Subject:  A Review Request


      
I will try to respond to the original question.

Note: this is constructive criticism, so I won't do much in terms of praising
the good parts.

It works, it's very primitive, in some ways it's pretty insecure, for example
it provides no session hijacking protection, it's not written with the
better of standards in mind, for one if you do store your password in code,
you shouldn't store your password in clear text, that way if say I was able
to bypass PHP execution and dumped that file out, I would still not have a
usable password, so use a hash. There is no timing out or attempt
management, for example I can write a 5 line-long brute script that will
just pound your script with user ids and passwords, you should make it at
least somewhat difficult for me to do that ;)

Also don't declare a bunch of needless variables for their one-time use,
don't compare unsanitized strings with a binary unsafe operator, server
variables contain a link to the current script, here are examples of what I mean:

-$self = basename($_SERVER['SCRIPT_NAME']);
+$self = $_SERVER['PHP_SELF'];
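
Review bot: the +$self = $_SERVER['PHP_SELF'] line swaps in a value that includes any path info the client appends after the script name, which the removed basename($_SERVER['SCRIPT_NAME']) does not. If $self is written into a form action or a link, keep the SCRIPT_NAME form, or pass the value through htmlspecialchars() before output.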


-$submit = isset($_POST['submit']) ? $_POST['submit'] : null;
-if($submit == 'Submit')

+if($_POST)
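
Review bot: if($_POST) on the + line is true for any non-empty POST body, so it no longer shows which fields arrived, and the $_POST['user_id'] and $_POST['password'] reads in the next hunk are left without an isset() check. Suggest testing $_SERVER['REQUEST_METHOD'] === 'POST' and then isset($_POST['user_id'], $_POST['password']).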


-$pw = 'pw'; // define your password here
-$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null;
-$password = isset($_POST['password']) ? $_POST['password'] : null;
-if (($user_id == $id) AND ($password== $pw))

+$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the
password: php -r "echo sha1(\"pw\");"
+if (@strcmp($id, $_POST['user_id']) == 0 && strcmp($pw,
sha1($_POST['password'])) == 0)
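
Review bot: the == 0 tests on strcmp() in the +if line are loose comparisons, and in PHP 5 strcmp() returns NULL with a warning when $_POST['user_id'] is an array rather than a string; the @ hides that warning and NULL == 0 is true. Check is_string() on both fields first and compare with === 0, or with hash_equals() where it is available. The +$pw line also stores an unsalted SHA-1, so password_hash() with password_verify() is the better fit for a stored password.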



-- Alex --
--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray



On Wed, May 18, 2011 at 3:22 PM, tedd <tedd@xxxxxxxxxxxx> wrote:

> Hi gang:
>
> I am considering providing PHP code to the general public via my website
>
> This is my first attempt:
>
> http://sperling.com/php/authorization/
>
> What do you people think?
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
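
An added example, not code from the thread or from the script under review: one way to cover three points from Alex's message (a hashed stored password, attempt management, and comparing only validated strings), written for PHP 7 or later. The function name, the limits, the sample user and the in-memory $state array are assumptions; a real script would keep $state in server-side storage.

```php
<?php
// Added example, not code from the thread; names and limits are assumptions.
const MAX_ATTEMPTS = 5;   // failed tries allowed per window
const LOCK_SECONDS = 300; // length of the window in seconds
// Verified against when the user id is unknown, so both paths hash once.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// $stored: user id => password_hash() output.
// $state:  user id => ['fails' => int, 'since' => int], kept server-side.
function check_login(array $post, array $stored, array &$state, int $now): string
{
    $id = $post['user_id'] ?? null;
    $pw = $post['password'] ?? null;
    // Reject missing fields and non-strings before anything is compared.
    if (!is_string($id) || !is_string($pw)) {
        return 'invalid';
    }
    $s = $state[$id] ?? ['fails' => 0, 'since' => $now];
    if ($now - $s['since'] >= LOCK_SECONDS) {
        $s = ['fails' => 0, 'since' => $now]; // window expired, start over
    }
    if ($s['fails'] >= MAX_ATTEMPTS) {
        $state[$id] = $s;
        return 'locked'; // refuse without checking the password at all
    }
    $known = isset($stored[$id]);
    $match = password_verify($pw, $known ? $stored[$id] : DUMMY_HASH);
    if ($known && $match) {
        unset($state[$id]);
        return 'ok';
    }
    $s['fails']++;
    $state[$id] = $s;
    return 'denied';
}

// Constructed sample data and requests.
$stored = ['demo' => password_hash('pw', PASSWORD_DEFAULT)];
$state = [];
echo check_login(['user_id' => ['x'], 'password' => 'pw'], $stored, $state, 1000), "\n";
for ($i = 0; $i < 6; $i++) {
    $guess = ['user_id' => 'demo', 'password' => 'guess' . $i];
    echo check_login($guess, $stored, $state, 1000 + $i), "\n";
}
$good = ['user_id' => 'demo', 'password' => 'pw'];
echo check_login($good, $stored, $state, 1010), "\n"; // still inside the lockout
echo check_login($good, $stored, $state, 1400), "\n"; // window has expired
```

On an 'ok' result, calling session_regenerate_id(true) before marking the session as logged in is the usual first step toward the session protection the message asks for.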



