Just for knowledge's sake, I want to know how good it is to use Dreamweaver's in-built feature for PHP login/logout authentication.
Is it secure?
I always use sessions, POSTs and so many other things to build a login system; however, when I used the Dreamweaver one, it was quite simple and seemed to be secure. I still need expert advice: should I start using it, or is the traditional one better? I don't find any limitation; I just want to know whether it is secure enough or not.
Here is the code which Dreamweaver provides:
This is my login form:
    <form action="<?php echo $loginFormAction; ?>" method="POST" target="_self">
        <input name="ecsuser" class="form-login" title="Username" value="" size="30" maxlength="2048" />
        <input name="ecspass" type="password" class="form-login" title="Password" value="" size="30" maxlength="2048" />
        <?php if(!empty($ERRORMESSAGE)) echo '<div style="color:#FFF; font-weight:bold;">'.$ERRORMESSAGE.'</div>'; ?>
        <input name="" type="submit" value="" />
    </form>
This is my error handling code:
    <?php
    if (isset($_GET['ERRORMESSAGE']))
    {
        if($_GET['ERRORMESSAGE'] == 1)
        {
            global $ERRORMESSAGE;
            $ERRORMESSAGE = "Sorry! The username or password is incorrect, Please try again.";
        }
    }
    ?>
This is the rest of my code:
    <?php
    // Database Connection Include
    require_once('Connections/ecs.php');
    ?>
    <?php
    if (!function_exists("GetSQLValueString")) {
        function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
        {
            if (PHP_VERSION < 6) {
                $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
            }
            $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
            switch ($theType) {
                case "text":
                    $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                    break;
                case "long":
                case "int":
                    $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                    break;
                case "double":
                    $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                    break;
                case "date":
                    $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                    break;
                case "defined":
                    $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                    break;
            }
            return $theValue;
        }
    }
    ?>
    <?php
    // *** Validate request to login to this site.
    if (!isset($_SESSION)) {
        session_start();
    }
    $loginFormAction = $_SERVER['PHP_SELF'];
    if (isset($_GET['accesscheck'])) {
        $_SESSION['PrevUrl'] = $_GET['accesscheck'];
    }
    if (isset($_POST['ecsuser'])) {
        $loginUsername = $_POST['ecsuser'];
        $password = md5($_POST['ecspass']);
        $MM_fldUserAuthorization = "";
        $MM_redirectLoginSuccess = "index.php";
        $MM_redirectLoginFailed = "login.php?ERRORMESSAGE=1";
        $MM_redirecttoReferrer = false;
        mysql_select_db($database_ecs, $ecs);
        $LoginRS__query = sprintf("SELECT username, password FROM student WHERE username=%s AND password=%s",
            GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
        $LoginRS = mysql_query($LoginRS__query, $ecs) or die(mysql_error());
        $loginFoundUser = mysql_num_rows($LoginRS);
        if ($loginFoundUser) {
            $loginStrGroup = "";
            if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
            //declare two session variables and assign them
            $_SESSION['MM_Username'] = $loginUsername;
            $_SESSION['MM_UserGroup'] = $loginStrGroup;
            if (isset($_SESSION['PrevUrl']) && false) {
                $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
            }
            header("Location: " . $MM_redirectLoginSuccess );
        }
        else {
            header("Location: ". $MM_redirectLoginFailed );
        }
    }
    ?>
Also, I want to know what other security measures we need to take for building an efficient login system, and whether the above code is 100% perfect with no security issues.
No. I see a few problems:
1). First of all there is an XSS vulnerability. When you echo `$_SERVER['PHP_SELF']` like that, it needs to be escaped with `htmlspecialchars()`. If you don't do this, an attacker can craft a link which, when clicked, will steal session cookies which can be used to become logged in without a username and password. See: PHP_SELF and XSS
2). `GetSQLValueString` has problems. It is falling back to `mysql_escape_string()` if `mysql_real_escape_string()` does not exist. You should never fall back to `mysql_escape_string()`. If `mysql_real_escape_string()` is not available and you're relying on it to avoid SQL Injection, your application should stop. This function is also doing an escape on the data before it knows what datatype it is. If you're using intval(), floatval(), doubleval(), you don't need to do a `mysql_real_escape_string()` first. I suggest changing this to use MySQLi or PDO parameterised queries, which will automatically handle the escaping for you.
MySQLi: http://php.net/manual/en/mysqli.prepare.php
PDO: https://www.php.net/manual/en/book.pdo.php
3). It looks like someone might have tried to fix this by adding `false` to the `if` here: `if (isset($_SESSION['PrevUrl']) && false) {`. This statement will never evaluate to `true`, so it is pointless keeping it.
4). Take a look at this line:
    $LoginRS = mysql_query($LoginRS__query, $ecs) or die(mysql_error());
If there is any MySQL error when this query executes, the application is going to print out the full MySQL error and then stop. This will be extremely helpful to anyone trying to perform SQL Injection attacks. Even if you've secured against SQL Injection, this is still going to tell the world parts of your database structure.
You should use `trigger_error()` or do your own error logging, but never show it to the user in a production/live/public system.
5). Finally, it is possible to perform XSRF attacks on the login/out form. You should use an anti-XSRF token when submitting actions like login/logout.
See: http://en.wikipedia.org/wiki/Cross-site_request_forgery
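The fixes the answer lists (escaped form action, parameterised query, logged rather than displayed database errors, anti-XSRF token), combined into one hardened login page as an added example; this is not code from the question, the answer or Dreamweaver. It assumes a PDO connection in `$pdo` with exceptions enabled, the `student` table from the question, and, going beyond the answer's points, replaces the `md5()` comparison with `password_verify()` against a `password_hash()` column.

```php
<?php
// Added example, not code from the question or the answer: a hardened version of
// the Dreamweaver login handler. Assumes $pdo is a PDO connection configured with
// PDO::ERRMODE_EXCEPTION and that student.password holds password_hash() output.
session_start();

// 5) Anti-XSRF token: generated once per session, embedded in the form, checked on POST.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// 1) Never echo $_SERVER['PHP_SELF'] raw into the form action; escape it.
$loginFormAction = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

if (isset($_POST['ecsuser'], $_POST['ecspass'], $_POST['csrf_token'])) {
    if (!hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
        http_response_code(403);
        exit('Invalid request.');
    }
    try {
        // 2) Parameterised query: the driver binds the value, no escaping or type guessing.
        $stmt = $pdo->prepare('SELECT username, password FROM student WHERE username = :u');
        $stmt->execute([':u' => $_POST['ecsuser']]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // 4) Log the real error server-side; the user learns nothing about the database.
        error_log('login query failed: ' . $e->getMessage());
        header('Location: login.php?ERRORMESSAGE=1');
        exit;
    }
    // Same redirect whether the user is unknown or the password is wrong.
    if ($row !== false && password_verify($_POST['ecspass'], $row['password'])) {
        session_regenerate_id(true);
        $_SESSION['MM_Username'] = $row['username'];
        $_SESSION['MM_UserGroup'] = '';
        header('Location: index.php');
    } else {
        header('Location: login.php?ERRORMESSAGE=1');
    }
    exit;
}
?>
<form action="<?php echo $loginFormAction; ?>" method="POST">
    <input type="hidden" name="csrf_token"
           value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'); ?>" />
    <input name="ecsuser" title="Username" size="30" maxlength="2048" />
    <input name="ecspass" type="password" title="Password" size="30" maxlength="2048" />
    <input type="submit" value="Log in" />
</form>
```

The logout handler should take the same hidden `csrf_token` over POST and call `session_destroy()` only after `hash_equals()` succeeds, so a plain link cannot log a user out.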