Secure Coding mailing list archives
Re: Scripting Languages and Secure Coding + code
From: "Ghita Serban" <sasa () stonet ro>
Date: Thu, 04 Dec 2003 15:07:09 +0000
Hello,

Well, I noticed the discussion about secure (PHP) programming. Mr. Michael Buchzik is right about PHP: it is an easy web programming language, and that's why it is very popular. Common users (coders) make mistakes, like the ones described by Mr. Buchzik, that lead to SQL injections, field data manipulation, XSS, etc.

I am interested to start a discussion about PHP secure programming. I think that people, and common PHP users and coders, need _real_ examples, and not just some papers in which they can _only_ read that: 'you MUST sanitize your script, and filter your input', 'you MUST not trust the user's input', etc., but NO code, NO example from a-z to show them the buggy code and the method of correction.

First let me start with a simple login form. I want to discuss with people interested in here about how to secure a PHP/SQL login form. Let's take the following code, that IMHO is kind of secure:

------------------------cut-------------------------------
<?php
//destroy the session whatever is that
session_destroy();
//we start the session
session_start();
ob_start(); //because i might use multiple headers
/* we can include some files that contain db con data */
include("inc/db.inc.php");
/**
presuming that data is coming from a form like
Username: ________
Password: ________
[LOGIN]
fields are 'username' and 'password', the button is LOGIN
**/
if($_POST['login']=="LOGIN"){
    //we take the POST vars and put them into the variables
    $username=stripslashes(trim($_POST['username']));
    $password=stripslashes(trim($_POST['password']));
    //checking if the user is not forgetting any fields :)
    //we redirect him to msg=1 (ex. 'You missed one field in the form')
    if(!$username || !$password){
        header("Location: ./login.php?msg=1");
        exit();
    }
    $password=md5($password); //md5 the password
    $select_the_user="SELECT * FROM users WHERE username=".$username." AND password=".$password."
LIMIT 1";
    $sql_s_t_u=mysql_query($select_the_user) or die(mysql_error()); //we use mysql_error() only for debug
    if((mysql_num_rows($sql_s_t_u))>0){
        //register some variables in here or redirect the user to main.php or something
        $_SESSION['username']=$username;
        $_SESSION['password']=$password;
        //we can do other stuff here
    } else {
        header("Location: ./index.php?msg=2"); //redirecting the user to msg=2 (ex. The username or password does not match)
        exit();
    }
}
ob_end_flush();
?>
------------------------cut-------------------------------

Okay. Presuming that the code above is theoretically correct, I need to know/discuss the following:
- what certain code is useless
- what needs to be improved
- how can I increase code execution (make it fast)
- is the query ($select_the_user) secure, what can I do to improve it
- what kind of security measures can I add (before and after the login)
- how can I manage the sessions better

Thank you in advance, I am looking forward to other opinions. I hope this discussion can be a good example for others.

Ghita Serban
administrator
www.fastweb.ro
Current thread:
- Re: Scripting Languages and Secure Coding M. Buchzik (Dec 03)
- Re: Scripting Languages and Secure Coding Timo Sirainen (Dec 03)
- Re: Scripting Languages and Secure Coding Martin Stricker (Dec 03)
- Re: Scripting Languages and Secure Coding + code Ghita Serban (Dec 04)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 04)
- Re: Scripting Languages and Secure Coding + code Andrew Rucker Jones (Dec 04)
- Re: Scripting Languages and Secure Coding + code Paul R. C. Ming (Dec 04)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 05)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 07)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 09)
- Re: Scripting Languages and Secure Coding + code Carsten Kuckuk (Dec 09)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)