I cannot believe that no one with alot of PHP and MySQL experience has not replied to this post yet. Is PHP not a secure scripting language? I would really like a little insight into this question, anyone?
"Jas" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > I posted this yesterday and did not get any response at all? Just wondering > if someone can give me some insight into some security measures for a > content management application... > > Posted 06/05/2002 > Ok, I am not a security expert so I would like to know if my security > measures I have implimented is adequate enough to keep people out. Any > pointers on this would be very helpful as I am trying to impliment a secure > way for people to update a website through the use of a content management > application. Example of code is as follows > > // Login form - index.php > <form name="authenticate" method="post" action="auth_done.php"> > <input type="text" name="user" size="20" maxlength="20"><br> > <input type="password" name="pw" size="20" maxlength="20"><br> > Select an image to identify yourself as an administrator.<br> > <select name="image"> > <option value="image01.jpg">image01</option> > <option value="image02.jpg">image02</option> > <option value="image03.jpg">image03</option> > <option value="image04.jpg">image04</option> > <option value="image05.jpg">image05</option> > </select><br><br> > <input type="submit" name="Login" value="Login"> > <input type="reset" name="Reset" value="Reset"> > </form> > > // Authentication checker - auth_done.php > #############check fields for valid entries in form############ > if ((!$u_name) || (!$p_word) || (!$image)){ > header("Location: index.php"); > exit; > } > ############connects to database############ > require '/path/to/database/connection/script/dbcon.php'; > #############selects database table containing users that are allowed to > use application############ > $db_table = 'users'; > $sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw = > password(\"$pw\")"; > $result = @mysql_query($sql,$dbh) or die("Couldn't execute query"); > #############loops through all records to find a match############ > $num = mysql_numrows($result); > if ($num !=0) { > #############creates variables for sessions############ > $p_hash = "$p_word"; > $to_hash = "$image"; > #############creates md5 hash of image user selected############ > $pstring = md5($to_hash); > #############creates md5 hash of password user entered############ > $image_sel = md5(uniqid(microtime($p_word),1)); > #############starts session for user############ > session_start(); > #############registers variables created (md5 of password, username, & > image) in session############ > session_register('user'); > session_register('$pstring'); > session_register('$image_sel'); > #############captures users ip address (logging stuff, not listed in this > code for security reasons)############ > $ipaddy = $REMOTE_ADDR; > #############echoes success message to authenticated user############ > $msg_success = "<b>You have been authorized to make changes to the > website! Your IP address has been recorded and sent to the administrator: > $ipaddy</b>"; > } else { > #############this prints if user name and password combination is not > found in database############ > print "<p>You are not authorized to use this application!</p>"; > exit; > } > > Now on each page in the content management app I have these lines of code: > #############Start the session############# > session_start(); > #############check session variables############# > if (isset($HTTP_SESSION_VARS['user']) || > isset($HTTP_SESSION_VARS['$image_sel']) || > isset($HTTP_SESSION_VARS['$pstring'])) { > $main = "Some kinda message for page in question"; > #############connects to database############# > require '/path/to/database/connection/script/dbcon.php'; > #############if session variables not registered kick the user back to > login form############# > } else { > header ("Location: index.php"); > } > > Now just so you know I have changed all the variables to something other > than what I am currently using, however I have made sure that this is a > working example so everything should work as is. Also I have tested this a > few different ways, including: creating a page that tries to include one of > the pages I have my security checks on from another website, linking > directly to a script within the application etc. In any event, I also have > logging setup on each and every script which I have not included here > (different topic), just in case someone does get in I can at least "try" to > find them. Any help, pointers, tutorials, examples, etc. would be > appreciated!!! > TIA > Jas > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php