Re: Re: Beginners Problem

Andy,

Thanks for your comment. What I posted is only part of my code though, as the entire thing is a bit long, and with all the includes rather hard to follow unless I posted the whole file set. Above the piece I posted I have code to do slashing, and some MD5 hashing, as well as enforcing string lengths. So the $password I use in the query is actually MD5 hashed already. I know I need to improve the security though, as my current code does not counter every possible attack, so your input is much appreciated.

sublimino@xxxxxxxxx wrote:
Could I recommend a more secure approach:
1) using two hashes to protect the data (in case the database is
compromised they are both one-way hashes, and using two protects
against collision attacks whereby a different password string
generates the same hash as the original password)
2) escaping user input to protect against SQL injection attacks (nasty
queries can get more data from the database than your original query
intended, or change the query's intended functionality).

Instead of:
  $chkuserquery = "SELECT userID
                  FROM $TB_USERS
                  WHERE `loginID`='$loginID' AND `password`='$password'
                  LIMIT 1";
  $chkuser = $db->query($chkuserquery);


This example utilises the MDB2 database layer:

require_once 'MDB2.php';
$db = MDB2::connect($dsn);   // assumed: $dsn is your MDB2 DSN string (not shown in the original post)

$user_credentials = array(   // these are the credentials the user supplied
    'user_name'          => $username,        // raw input; $db->quote() escapes it below
                                              // (addslashes() on top of quote() would double-escape the value)
    'user_password_md5'  => md5($password),   // generate hash, no injection is possible
    'user_password_sha1' => sha1($password)   // due to 'scrambling' of string
);

$query_values = '';                          // initialise before concatenating
foreach ($user_credentials as $k => $v) {    // build string
    $query_values .= $k . '=' . $db->quote(trim($v)) . ' AND ';
}

$query_values = '(' . substr($query_values, 0, -5) . ')';   // format string and remove trailing AND

$sql = "SELECT COUNT(user_id) AS user_count FROM user WHERE $query_values";

$result = $db->query($sql);

// this if not only returns a row from the database query, it then checks if the user_count
// field contains one or more results. if so, login is correct
if (($row = $result->fetchRow(MDB2_FETCHMODE_ASSOC)) && $row['user_count']) {
    $valid_login = true;
    // session -> database etc
}

for this example, using 'root' and 'password', $query_values is:

(user_name='root' AND
user_password_md5='5f4dcc3b5aa765d61d8327deb882cf99' AND
user_password_sha1='5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8')

This code is identical in functionality to the previous example,
except the query has no LIMIT - this is not required as it prevents
the possibility of coding error handling for multiple accounts
(perhaps unnecessary, excepting very secure applications).


Andy

--
Rene Brehmer
aka Metalbunny

We have nothing to fear from free speech and free information on the Internet but pop-up advertising!
http://metalbunny.net/
References, tools, and other useful stuff...

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
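Added example, not code from either post above: it shows the injection that the original string-built login query permits even when $password is already MD5 hashed (the attacker controls $loginID and can comment the password clause out), next to a parameterised lookup that closes the hole. Python's sqlite3 module stands in for the MDB2/MySQL setup on the page; the users table, its column names, the 'root'/'password' account and the PBKDF2 salted hash on the hardened path are this example's own choices, not the quoted post's md5/sha1 pair.

```python
"""Added example (not code from the original post): the string-built login
query quoted above versus a parameterised one.  sqlite3 in memory stands in
for the MDB2/MySQL setup on the page; table and column names are made up."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, slow hash for storage.  A swapped-in choice for this example;
    the quoted post stores unsalted md5/sha1 instead."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one account 'root' with password 'password'.
    password_md5 mirrors the page's column; salt/pw_hash serve the hardened path."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " userID INTEGER PRIMARY KEY, loginID TEXT UNIQUE NOT NULL,"
        " password_md5 TEXT NOT NULL, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO users (loginID, password_md5, salt, pw_hash) VALUES (?, ?, ?, ?)",
        ("root", hashlib.md5(b"password").hexdigest(), salt, pbkdf2("password", salt)),
    )
    db.commit()
    return db


def login_vulnerable(db, login_id: str, password: str):
    """Same shape as the page's original query: loginID is interpolated into
    the SQL text.  Hashing the password does not help, because the attacker
    controls loginID and can comment the password clause out."""
    pw_md5 = hashlib.md5(password.encode("utf-8")).hexdigest()
    sql = (
        f"SELECT userID FROM users "
        f"WHERE loginID='{login_id}' AND password_md5='{pw_md5}' LIMIT 1"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, login_id: str, password: str):
    """Parameterised lookup, then a constant-time comparison of the salted hash.
    User input never becomes part of the SQL text, so the payload below is
    just an unknown username."""
    row = db.execute(
        "SELECT userID, salt, pw_hash FROM users WHERE loginID = ?", (login_id,)
    ).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    if hmac.compare_digest(stored, pbkdf2(password, salt)):
        return user_id
    return None


# Classic comment-out payload; the trailing space matters for MySQL's "-- " rule.
BYPASS_LOGIN_ID = "root' -- "

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, correct password:", login_vulnerable(db, "root", "password"))
    print("vulnerable, injected loginID, wrong password:",
          login_vulnerable(db, BYPASS_LOGIN_ID, "wrong"))
    print("hardened, correct password:", login_hardened(db, "root", "password"))
    print("hardened, injected loginID, wrong password:",
          login_hardened(db, BYPASS_LOGIN_ID, "wrong"))
```

With the injected loginID, the vulnerable query collapses to `WHERE loginID='root'` and returns root's userID for any password; the hardened path treats the same string as a username that does not exist. Escaping via $db->quote(), as in the quoted post, is the MDB2-era equivalent of the placeholder used here; the placeholder is preferable because it cannot be forgotten for one value out of three.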

