HiveBrain v1.2.0
Get Started
← Back to all entries
patternphpMinor

Securely handling a password protected application

Submitted by: @import:stackexchange-codereview··
0
Viewed 0 times
protectedhandlingapplicationpasswordsecurely

Problem

I have some small applications that I want to secure. I've been using the following setup that I think is fairly safe, but I've never been able to set my mind at ease that it really is. Could you give me some reviews on the security of this? It doesn't need super-security like credit card data, but I suppose secure is secure.

Cookie-based Sessions. User table is:

  • Username field (cleartext)



  • Random/unique salt field (created with mt_rand() at signup



  • Password field (SHA256 hash)



  • (among other stuff)



Login method takes username, looks for the DB row, gets the salt, adds it to the end of the posted password, calcs a SHA256 hash for that string, and compares that to the password field in the DB.

auth.php include at beginning of app

```
Please login
h2 { margin-top: 75px; margin-left: 100px; }
';

$form = '

UserName:

Password:

Remember me on this computer


 



';

$msg[1] = 'You\'ve logged out.';
$msg[3] = 'That username and password didn\'t match anything on record.';
$msg[4] = 'You must login to use this application';

// used logout button
if($_GET['logout'] == 'true') {
setcookie('SaveMe','',time()-3600);
session_unset();
die($head.$msg[1].$form);

// trying to login from form or returning with 'save me' cookie
} elseif ($_POST['loggingin'] == 'true' || isset($_COOKIE['SaveMe'])) {

require_once('lib/functions.php');
$db = new ezSQL_sqlite('./','main.db');
$loginName = (isset($_POST['username'])) ? $_POST['username'] : $_COOKIE['worshipSaveMe'];

// ADDED: escaping of posted/cookie data;
$loginName = mysql_real_escape_string($loginName);

// try to create new user object, error on fail
try {
$user = new user($db,$_POST['username']);
} catch (Exception $e) {
die($head.''.$e->getMessage().''.$form);
}

// try to login with user object, die on fail
if( ! $user->login($_POST['pass']))
die($head.$msg[3].$form);

Solution

I see you check for sql injection of the loginname:

$loginName = mysql_real_escape_string($loginName);


Do you filter bad content for the submitted password?

Now that I look at it, you are sending the POSTed login name straight to the SQL, aren't you?

This:

new user($db,$_POST['username']);


Should be this:

new user($db,$loginName);


If I'm reading this correctly - you need to sanitize the password also!

This is generally very important. You are also using MySQL functions to sanitize SQLite data. That's probably okay, but I wouldn't bet the farm on it!

Code Snippets

$loginName = mysql_real_escape_string($loginName);
new user($db,$_POST['username']);
new user($db,$loginName);

Context

StackExchange Code Review Q#802, answer score: 6

Revisions (0)

No revisions yet.