| Subject | RE: [firebird-php] $login_check = ibase_num_rows($sql); problem |
|---|---|
| Author | McKenna, Simon (RGH) |
| Post date | 2004-11-22T03:56:10Z |
Hi Johan,
[..]
-=> // Convert to simple variables
-=> $username = $_POST['username'];
-=> $password = $_POST['password'];
[..]
-=> // Convert password to md5 hash
-=> $password = md5($password);
[..]
-=> // check if the user info validates the db
-=> $sql = ibase_query("SELECT username, password FROM users WHERE
-=> username='$username' AND password='$password' AND activated='1'");
Looks like a solution has been found for your problem,
but watch out for SQL injection attacks.
You are hashing the password so no dramas there,
but the username could be a problem.
http://www.php.net/manual/en/security.database.sql-injection.php
See what happens if username entered is: haha' OR 1=1;-- :)
FWIW, it is not hard to setup a system whereby
a password doesn't have to be sent over http.
MD5 is a good one-way hash but can be broken by a
dictionary attack on weak passwords. With disk
space so cheap it's not hard to build a massive
list and brute-force.
One approach I like is when you first load your
login page, the server generates, saves and then
sends a random value (eg. MD5( SessionID )) to the
client as part of the initialisation process.
The client then hashes the password, and takes the
result of that hash and hashes it with the random
value and sends this back to the server.
The server then sees if the username exists in the db;
if it does, it hashes the password stored
in the db with the random value you sent to the client and
then compares that for a match. That way even
encrypted passwords are never sent.
There are MD5 implementations in Javascript (html clients)
and Actionscript (Flash clients), google knows where.
peace - si
sshnug.com