I cannot believe that no one with alot of PHP and MySQL experience has not
replied to this post yet.  Is PHP not a secure scripting language?  I would
really like a little insight into this question, anyone?

"Jas" <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> I posted this yesterday and did not get any response at all?  Just
wondering
> if someone can give me some insight into some security measures for a
> content management application...
>
> Posted 06/05/2002
> Ok, I am not a security expert so I would like to know if my security
> measures I have implimented is adequate enough to keep people out.  Any
> pointers on this would be very helpful as I am trying to impliment a
secure
> way for people to update a website through the use of a content management
> application.  Example of code is as follows
>
> // Login form - index.php
> <form name="authenticate" method="post" action="auth_done.php">
>   <input type="text" name="user" size="20" maxlength="20"><br>
>   <input type="password" name="pw" size="20" maxlength="20"><br>
> Select an image to identify yourself as an administrator.<br>
>    <select name="image">
>      <option value="image01.jpg">image01</option>
>      <option value="image02.jpg">image02</option>
>      <option value="image03.jpg">image03</option>
>      <option value="image04.jpg">image04</option>
>      <option value="image05.jpg">image05</option>
>    </select><br><br>
>   <input type="submit" name="Login" value="Login">
>   <input type="reset" name="Reset" value="Reset">
> </form>
>
> // Authentication checker - auth_done.php
>   #############check fields for valid entries in form############
> if ((!$u_name) || (!$p_word) || (!$image)){
>  header("Location: index.php");
>  exit;
> }
>   ############connects to database############
> require '/path/to/database/connection/script/dbcon.php';
>   #############selects database table containing users that are allowed to
> use application############
> $db_table = 'users';
> $sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw =
> password(\"$pw\")";
> $result = @mysql_query($sql,$dbh) or die("Couldn't execute query");
>   #############loops through all records to find a match############
> $num = mysql_numrows($result);
>  if ($num !=0) {
>   #############creates variables for sessions############
>   $p_hash = "$p_word";
>   $to_hash = "$image";
>   #############creates md5 hash of image user selected############
>   $pstring = md5($to_hash);
>   #############creates md5 hash of password user entered############
>   $image_sel = md5(uniqid(microtime($p_word),1));
>   #############starts session for user############
>    session_start();
>   #############registers variables created (md5 of password, username, &
> image) in session############
>    session_register('user');
>    session_register('$pstring');
>    session_register('$image_sel');
>   #############captures users ip address (logging stuff, not listed in
this
> code for security reasons)############
>   $ipaddy = $REMOTE_ADDR;
>   #############echoes success message to authenticated user############
>   $msg_success = "<b>You have been authorized to make changes to the
> website! Your IP address has been recorded and sent to the administrator:
> $ipaddy</b>";
>   } else {
>   #############this prints if user name and password combination is not
> found in database############
>   print "<p>You are not authorized to use this application!</p>";
>   exit;
>   }
>
> Now on each page in the content management app I have these lines of code:
> #############Start the session#############
> session_start();
> #############check session variables#############
> if (isset($HTTP_SESSION_VARS['user']) ||
> isset($HTTP_SESSION_VARS['$image_sel']) ||
> isset($HTTP_SESSION_VARS['$pstring'])) {
>  $main = "Some kinda message for page in question";
> #############connects to database#############
> require '/path/to/database/connection/script/dbcon.php';
>  #############if session variables not registered kick the user back to
> login form#############
>  } else {
>  header ("Location: index.php");
>  }
>
> Now just so you know I have changed all the variables to something other
> than what I am currently using, however I have made sure that this is a
> working example so everything should work as is.  Also I have tested this
a
> few different ways, including:  creating a page that tries to include one
of
> the pages I have my security checks on from another website, linking
> directly to a script within the application etc.  In any event, I also
have
> logging setup on each and every script which I have not included here
> (different topic), just in case someone does get in I can at least "try"
to
> find them.  Any help, pointers, tutorials, examples, etc. would be
> appreciated!!!
> TIA
> Jas
>
>
>
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to