Secure Coding mailing list archives

Re: Scripting Languages and Secure Coding + code


From: "Ghita Serban" <sasa () stonet ro>
Date: Thu, 04 Dec 2003 15:07:09 +0000

Hello

Well, I noticed the discussion about secure (PHP) programming. Mr. Michael
Buchzik is right about PHP: it is an easy web programming language, and that's why
it is very popular. Common users (coders) make mistakes, like the ones
described by Mr. Buchzik, that lead to SQL injection, field data
manipulation, XSS, etc.
I am interested in starting a discussion about PHP secure programming. I think
that people, and common PHP users and coders, need _real_ examples, and not
just some papers in which they can _only_ read that 'you MUST sanitize
your script and filter your input', 'you MUST not trust the user's input',
etc., but NO code, NO example from A to Z to show them the buggy code and the
method of correction.

First let me start with a simple login form. I want to discuss with the people
interested here how to secure a PHP/SQL login form.
Let's take the following code, which IMHO is kind of secure:
------------------------cut-------------------------------
<?php
//destroy the session whatever is that
session_destroy();
//we start the session
session_start();
ob_start(); //because i might use multiple headers
/* we can include some files that contain db con data */
include("inc/db.inc.php");
/**
presuming that data is coming from a form like
Username: ________
Password: ________
[LOGIN]
fields are 'username' and 'password'
the button is LOGIN
**/
if($_POST['login']=="LOGIN"){
    //we take the POST vars and put them into the variables
    $username=stripslashes(trim($_POST['username']));
    $password=stripslashes(trim($_POST['password']));
    //checking if the user is not forgetting any fields :)
    //we redirect him to msg=1 (ex. 'You missed one field in the form')
    if(!$username || !$password){
        header("Location: ./login.php?msg=1");
        exit();
    }
    $password=md5($password); //md5 the password
    $select_the_user="SELECT * FROM users WHERE username=".$username." AND password=".$password." LIMIT 1";
    $sql_s_t_u=mysql_query($select_the_user)
        or die(mysql_error()); //we use mysql_error() only for debug
    if((mysql_num_rows($sql_s_t_u))>0){
        //register some variables in here or redirect the user to main.php or something
        $_SESSION['username']=$username;
        $_SESSION['password']=$password;
        //we can do other stuff here
    } else {
        header("Location: ./index.php?msg=2"); //redirecting the user to msg=2 (ex. The username or password does not match)
        exit();
    }
}
ob_end_flush();
?>
------------------------cut-------------------------------

Okay. Presuming that the code above is theoretically correct, I need to
know/discuss the following:
-which parts of the code are useless
-what needs to be improved
-how can I speed up code execution (make it fast)
-is the query ($select_the_user) secure, and what can I do to improve it?
-what kind of security measures can I add (before and after the login)
-how can I manage the sessions better

Thank you in advance; I am looking forward to other opinions. I hope this
discussion can be a good example for others.

Ghita Serban
administrator
www.fastweb.ro
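Editor's note, as an added worked example and not part of the original post or its author's code: the posted login concatenates $username and the md5 of $password straight into the SQL text, unquoted and unescaped (stripslashes() only strips escaping, it never adds any), so whatever the user types in the username field becomes part of the query; the posted order of session_destroy() before session_start() cannot work, since there is no session to destroy yet; and storing the password in $_SESSION serves no purpose. The version below answers the "is the query secure" and "how can I manage the sessions better" questions with the approach a practitioner would use today: the username reaches SQL only as a bound parameter of a prepared statement, the password never reaches SQL at all and is checked with password_verify() against a salted slow hash, and the session id is regenerated on successful login. It uses PDO, password_hash() and session_regenerate_id(), which postdate the 2003 post, and runs against an in-memory SQLite database with a constructed sample user so it can be executed stand-alone; the table layout, the function names and the sample account are assumptions for the example.

```php
<?php
// Added example (not from the original post): hardened login logic.
// Runs stand-alone against an in-memory SQLite database; the users table,
// the helper names and the sample account are constructed for illustration.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    return $db;
}

// Registration: store a salted, slow hash of the password, not md5($password).
function register_user(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login check. The username is a bound parameter, so it cannot change the
// structure of the query; the password is compared in PHP and never appears
// in SQL. Returns the user id on success, null on any failure.
function check_login(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // One failure path for "no such user" and "wrong password": do not tell
    // the caller which half of the credential was wrong.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Request handler for the form described in the post (fields 'username',
// 'password', button 'login' with value LOGIN).
function handle_login_request(PDO $db, array $post): void {
    if (($post['login'] ?? '') !== 'LOGIN') {
        return;
    }
    // trim() is all that is needed here; stripslashes() is not input
    // validation and must not be used to "clean" data destined for SQL.
    $username = trim((string) ($post['username'] ?? ''));
    $password = (string) ($post['password'] ?? '');
    if ($username === '' || $password === '') {
        header('Location: ./login.php?msg=1');
        exit;
    }
    $uid = check_login($db, $username, $password);
    if ($uid === null) {
        header('Location: ./index.php?msg=2');
        exit;
    }
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    // New session id on login defeats session fixation; keep only the
    // identity in the session, never the password or its hash.
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
    $_SESSION['username'] = $username;
    header('Location: ./main.php');
    exit;
}

// Stand-alone demo with constructed data (run with: php login.php).
if (PHP_SAPI === 'cli') {
    $db = open_db();
    register_user($db, 'alice', 'correct horse battery staple');

    var_dump(check_login($db, 'alice', 'correct horse battery staple')); // valid credentials
    var_dump(check_login($db, 'alice', 'wrong'));                        // wrong password
    // With a concatenated query this username would become SQL text; as a
    // bound parameter it is an ordinary string that matches no user.
    var_dump(check_login($db, "alice' OR '1'='1", 'anything'));
}
```

The separation between check_login() and handle_login_request() is deliberate: the credential check is pure and can be unit-tested against the in-memory database, while the handler owns the redirects and the session, which is also where a rate limit or lockout counter would go before the query is ever run.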