
Thread: Login form is driving me insane.

  1. #1
    tidenburg (Wait- what now?)
    Join Date
    Dec 2005
    Posts
    1,471

    Login form is driving me insane.

    Hi all, I have this code
    (excluding HTML) I made from scratch:
    PHP Code:
    <?php
    session_start();
    $email = $_SESSION['email'];
    $showemail = $_SESSION['showemail'];
    $loggedin = $_SESSION['loggedin'];
    $userlevel = $_SESSION['userlevel'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    $DBuser = '*****_****';
    $DBpass = '******';
    mysql_connect('*****', $DBuser, $DBpass) or die("Sorry but I couldnt connect.");
    mysql_select_db("*****_*****") or die("I couldnt select the database. It may be missing");
    $getUsers = mysql_query("SELECT * FROM `*****` WHERE `username` = '$username' AND `password`='$password' LIMIT 0 , 100;");
    $num_Users = mysql_num_rows($getUsers);
    if ($num_Users == 1) {
        $_SESSION['loggedin'] = true;
        $_SESSION['email'] = mysql_result($getUsers, 0, 'email');
        $_SESSION['$showemail'] = mysql_result($getUsers, 0, 'showemail');
        $_SESSION['$userlevel'] = mysql_result($getUsers, 0, 'level');
        $_SESSION['$username'] = $username;
    }
    ?>
    <?php
    if ($_SESSION['loggedin'] == true) {
        echo("Thanks " . $_SESSION['$username'] . " Your logged in as a ");
        echo(mysql_result($getUsers, 0, 'level'));
    } else {
        echo("Wrong credentials");
    }
    ?>
    After it gets the data from the form it then validates the login. It then sets the session credentials so the blog knows whether to display the user's email, what their email is, etc. However, after some time the username credential gives out, leaving blog entries with a blank username. Why does the username entry remain but everything else stay?
    I thought it was the session expiring, but I know it can't be because otherwise all of the things would expire and not just one.
    "I'd only told them the truth. Was that so selfish? Our integrity sells for so little, but it is all we really have. It is the very last inch of us, but within that inch, we are free."

  2. #2
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi,

    why are you using $_SESSION['$userlevel'] instead of $_SESSION['userlevel']?

    Musicman

  3. #3
    Just Loitering
    Join Date
    Sep 2000
    Location
    England
    Posts
    215
    One error I can see is you have a semicolon after your LIMIT 0, 100. That will kill the SQL query.

    However, security-wise your code is not good. You're taking external data and putting it straight into a database query (the username and password), and to add to that, why the LIMIT of the first 100 records? Surely the user will only have one record with you? Besides the fact that you only check the first one anyhow.

    You need to secure your data, ideally using mysql_real_escape_string(), which you can read up on at php.net. Then change the limit to LIMIT 1. After all, once it's found one record it can stop.

  4. #4
    tidenburg (Wait- what now?)
    Join Date
    Dec 2005
    Posts
    1,471
    musicman - I realised this and changed it.
    baileys - I've been asking about PHP form security for some time but to no avail. Thanks, I'm on php.net now.

  5. #5
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi,

    comment to baileys: on most servers PHP is configured to silently escape parameters received from the web, so they would be mostly harmless when used for SQL queries.

    Musicman

  6. #6
    Just Loitering
    Join Date
    Sep 2000
    Location
    England
    Posts
    215
    You should never rely on magic quotes being on, especially on shared hosting, as your host could switch them off at any moment (when they realise how bad they are, hopefully), and to be honest I wouldn't rely on the simple function addslashes (which magic quotes essentially is) to escape my data. If magic quotes were good enough, why would the PHP manual have this function on their site?

    PHP Code:
    // Quote variable to make safe
    function quote_smart($value)
    {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }

        // Quote if not a number or a numeric string
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }

    Where you can see they undo the work of magic quotes if it's running. Here is the page of the manual - http://uk2.php.net/mysql_real_escape_string

    And regardless of whether magic quotes are on or off, people should still be made aware of their code and the issues it could cause.
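    As an added example (not code from the thread or from the PHP manual), here is the login from the first post rebuilt around the quote_smart() idea: connect first, pass every external value through the escaper, use LIMIT 1, and write the session keys as plain strings ('username', not '$username', which was the cause of the blank usernames). It assumes the mysqli extension, since the mysql_* functions used above no longer exist in PHP 7 and later; the host, user, database and table names are placeholders, and the column names are the ones the first post reads.

    ```php
    <?php
    // Added example (not the thread's code): login hardened with a quote_smart()-style
    // escaper. Assumes mysqli and placeholder connection/table names.
    session_start();

    // Escape a value for use inside an SQL string literal. Same logic as the manual
    // snippet quoted in the post, but against a mysqli connection. Values are always
    // quoted; MySQL accepts '42' where a number is expected, and always quoting avoids
    // the is_numeric() special case.
    function quote_smart(mysqli $link, $value): string
    {
        // Undo magic quotes on a host that still has them (removed in PHP 5.4,
        // get_magic_quotes_gpc() itself removed in PHP 8.0).
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        return "'" . mysqli_real_escape_string($link, (string) $value) . "'";
    }

    // Connect BEFORE escaping anything: the escape function needs a live connection
    // (and its character set), which is the point made later in the thread.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw rather than return false
    try {
        $link = mysqli_connect('db-host-placeholder', 'db-user-placeholder',
                               'db-pass-placeholder', 'db-name-placeholder');
        mysqli_set_charset($link, 'utf8mb4');

        $username = isset($_POST['username']) ? $_POST['username'] : '';
        $password = isset($_POST['password']) ? $_POST['password'] : '';

        // Every external value goes through quote_smart(); LIMIT 1 because one match
        // is all that is needed, and no trailing semicolon inside the query string.
        $sql = "SELECT `email`, `showemail`, `level` FROM `users_placeholder`"
             . " WHERE `username` = " . quote_smart($link, $username)
             . " AND `password` = " . quote_smart($link, $password)
             . " LIMIT 1";
        $result = mysqli_query($link, $sql);
    } catch (mysqli_sql_exception $e) {
        die('Sorry but I could not connect or query the database.');
    }

    if (mysqli_num_rows($result) == 1) {
        $row = mysqli_fetch_assoc($result);
        session_regenerate_id(true); // fresh session id once the user is authenticated
        // Keys are plain strings, so the same key is written here and read below.
        $_SESSION['loggedin']  = true;
        $_SESSION['username']  = $username;
        $_SESSION['email']     = $row['email'];
        $_SESSION['showemail'] = $row['showemail'];
        $_SESSION['userlevel'] = $row['level'];
    }

    if (!empty($_SESSION['loggedin'])) {
        // Read from the session, not from $result, so this also works on later page
        // loads where no query ran; escape for HTML before echoing user-supplied text.
        echo 'Thanks ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8')
           . ', you are logged in as a '
           . htmlspecialchars($_SESSION['userlevel'], ENT_QUOTES, 'UTF-8');
    } else {
        echo 'Wrong credentials';
    }
    ```

    The example keeps the thread's plain-text password comparison; it only closes the injection and session-key problems discussed here. If the mysqli extension is available, a prepared statement (mysqli_prepare() with bind_param()) removes the string building altogether and is the form to prefer over hand-quoting.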

  7. #7
    tidenburg (Wait- what now?)
    Join Date
    Dec 2005
    Posts
    1,471
    OK, so should I run all of my $_POST variables through that function?

  8. #8
    tidenburg (Wait- what now?)
    Join Date
    Dec 2005
    Posts
    1,471
    :bump:

  9. #9
    Just Loitering
    Join Date
    Sep 2000
    Location
    England
    Posts
    215
    You should run all external variables through that function, i.e. get, post, cookie, session etc. Someone could edit a cookie to inject your SQL. Don't believe that a checkbox is safe either, as someone could post to the script from another source and the checkbox name is used but it's not holding a yes or no value.

    So yes, use that function for everything that is going to go into an SQL command. Just remember, the function cannot be used before you connect to the database, i.e. there has to be a current MySQL connection running. I tend to do this first.

  10. #10
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi,

    here is a quote from the MySQL manual:
        Characters encoded are NUL (ASCII 0), ‘\n’, ‘\r’, ‘\’, ‘'’, ‘"’, and Control-Z (see Section 9.1, “Literal Values”). (Strictly speaking, MySQL requires only that backslash and the quote character used to quote the string in the query be escaped.
    So PHP is just doing the right thing. It could happen, however, that an admin changes the server config.

    Musicman

  11. #11
    Just Loitering
    Join Date
    Sep 2000
    Location
    England
    Posts
    215
    Okay, addslashes was created by the PHP writers, mysql_real_escape_string by the MySQL writers for PHP users. Each to their own of course, but I'd stick with the function created by the people who wrote the database software.

    Also. A site explaining how addslashes can be beaten...
    http://shiflett.org/archive/184

    Admittedly there has been a debate going round about one vs the other; however, the MySQL function escapes the additional characters you mentioned, but escapes them in the right way instead of just adding a backslash.

    The plus of using the function is that you don't need stripslashes on the output, whereas you do with addslashes. I've seen plenty of sites not realise this, and backslashes everywhere don't look pretty, plus it bloats your code and is less easy to read.

    However, regardless of the function chosen, the function above still needs to be used in some form to check if magic quotes are on first. My own host has them switched off, thankfully, but I still use the function above for portability.

    Anyhow, all that aside. Did the login form work tidenburg?!

  12. #12
    tidenburg (Wait- what now?)
    Join Date
    Dec 2005
    Posts
    1,471
    Yeah. I think I may have also had another page clearing the username variable.
    I haven't added the function to my username form yet, but my blog comment form has it. However, I don't see what it does exactly. I can still type all special characters and they are put into the MySQL command.
    www.insite-world.com/login.php
    username: Tester
    pass: test

  13. #13
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi,

    you still can insert ' into a username (and probably the entire thing is not necessary if ' and a few more characters are disallowed in ANY input - but you probably want them in comments, just not in usernames).
    The problem is: if ' gets into an SQL query as is, it just finishes a string.
    Consider
        .... and password = '$password'
    Now, assume that $password, as supplied by the visitor, was
        secret';delete from users;--
    So your complete query would become
        .... and password = 'secret';delete from users;--'
    This is what is commonly called SQL injection, and the quoting is a countermeasure.

    Musicman

  14. #14
    tidenburg (Wait- what now?)
    Join Date
    Dec 2005
    Posts
    1,471
    So does that function that was posted stop the ' character?

  15. #15
    Just Loitering
    Join Date
    Sep 2000
    Location
    England
    Posts
    215
    addslashes will escape the single quote (as well as other characters), i.e. put a backslash before each quote, which tells MySQL (and PHP) to ignore the backslash and treat the following character as plain text. The MySQL function encodes the single quote (as well as other characters) so that when it's read by MySQL it's read as a single quote in its character code and treated like plain text.

    I'm not sure if I can post up a link to my own blog post on SQL Injections but if I can and you want to read further which expands on Musicman's example above, then my post is at http://www.sarahfreelance.co.uk/2006...ql-injections/

    If I can't post the link apologies and to any mod, feel free to remove it.
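    The following is an added example, not code from the thread, that serves Musicman's walkthrough in #13 and the escaping explanation in #15. It re-implements, in plain PHP and without a database connection, the character substitutions the MySQL manual quote in #10 lists, so the effect on the `secret';delete from users;--` value can be seen directly. The function name mysql_style_escape() and the helper password_clause() are constructed for this illustration; in real code the library's own mysqli_real_escape_string() or a prepared statement is what you call.

    ```php
    <?php
    // Added example (not from the thread): plain-PHP re-implementation of the
    // escaping rule quoted from the MySQL manual, for illustration only. The real
    // mysqli_real_escape_string() also takes the connection's character set into account.
    function mysql_style_escape(string $value): string
    {
        // Each listed character becomes a backslash sequence that MySQL's parser
        // reads back as exactly one literal character inside a quoted string.
        $map = [
            "\0"   => '\\0',   // NUL (ASCII 0)
            "\n"   => '\\n',
            "\r"   => '\\r',
            "\\"   => '\\\\',  // backslash itself
            "'"    => "\\'",   // the quote that delimits the literal
            '"'    => '\\"',
            "\x1a" => '\\Z',   // Control-Z
        ];
        return strtr($value, $map);
    }

    // Build the clause from #13 from either the raw value or the escaped one.
    function password_clause(string $password, bool $escape): string
    {
        $literal = $escape ? mysql_style_escape($password) : $password;
        return "... and password = '" . $literal . "'";
    }

    // Constructed input: the visitor-supplied value used in #13.
    $supplied = "secret';delete from users;--";

    echo "unescaped: ", password_clause($supplied, false), "\n";
    echo "escaped:   ", password_clause($supplied, true), "\n";

    // Same comparison for a value containing a newline and a backslash, which
    // addslashes() handles differently (it leaves the newline alone).
    $multiline = "line1\nC:\\path";
    echo "mysql-style: ", mysql_style_escape($multiline), "\n";
    echo "addslashes:  ", addslashes($multiline), "\n";
    ```

    For the #13 value the unescaped line reads `... and password = 'secret';delete from users;--'`: the visitor's quote closes the string and `delete` starts a second statement, just as Musicman describes. The escaped line reads `... and password = 'secret\';delete from users;--'`, where MySQL reads `\'` as a literal apostrophe, so the whole value stays inside one string and is compared as text. Both addslashes() and the MySQL escaping use backslashes; the difference is the set of characters covered (addslashes() skips newline, carriage return and Control-Z) and, for the real mysqli_real_escape_string(), awareness of the connection character set (set with mysqli_set_charset()), which is what the multibyte bypass linked in #11 turns on.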
