What kind of security checks are necessary?
Matrim



Joined: 01 Nov 2005
Posts: 15

Posted: Thu Jan 04, 2007 11:49 am     What kind of security checks are necessary?

I created a rather website for some friends. This website can be updated by anyone without requiring them to learn any more than the most basic HTML. This is done through the use of a login page and forms.

Because I'm so new to PHP I have no clue what kind of security checks I need to test for.

The website is here: http://www.fisherbranchyouth.110mb.com/index.php.

If the code is needed I can post that too.

Thanks.
Thor Erik



Joined: 30 Dec 2006
Posts: 8

Posted: Thu Jan 04, 2007 12:27 pm

The page doesn't exist, but if you could post the source, that would be helpful, 'cause I'm not a magician (doubt anyone else is :p)
so
Matrim



Joined: 01 Nov 2005
Posts: 15

Posted: Thu Jan 04, 2007 12:43 pm     weird

http://www.fisherbranchyouth.110mb.com/ ...that should work... I hope

Code:

<form method = "GET" action = "process.php">

User Name: <input type = "text" name = "username" size = "18" maxlength = "20"><br>

Password: <input type = "password" name = "userpass" size = "18" maxlength = "20"><br>

<input type = "submit" value = "Submit">
<input type = "reset" value = "Reset">

</form>


And process.php is here:
Code:

<?php
// Parallel arrays: $valid_pass[$i] is the password for $valid_name[$i].
$valid_name = array("username1", "username2");
$valid_pass = array("pass1", "pass2");

$correct = false;

foreach($valid_name as $key => $val) {
   if($_GET['username'] == $val) {
      if($_GET['userpass'] == $valid_pass[$key]){
         $correct = true;
      }//end if password matches
   }//end if username exists
}//end for each name

$magicNum = 1;

if($correct){
   // Session cookie (no expiry) for the whole site; admin.php tests its value.
   setcookie('login', $magicNum, NULL, "/", NULL);

   header('Location: admin.php');
   exit; // stop the script once the redirect has been sent
}
else{
   header('Location: login.php');
   exit;
}
?>


Please note that $magicNum has been changed from a seemingly random number to a 1 because I'm posting this for the public to see.

Also the usernames and passwords are changed.
Matrim



Joined: 01 Nov 2005
Posts: 15

Posted: Thu Jan 04, 2007 12:45 pm

Oh, and before allowing anyone to edit the page, the cookie value is tested.
Thor Erik



Joined: 30 Dec 2006
Posts: 8

Posted: Sun Jan 07, 2007 11:54 am

2 things to secure the script a little:
encrypt the pass with md5(); before sending it, and use POST instead of GET, since GET is rather insecure if you got people behind you ;)
for extra security encrypt the username too :)
Matrim



Joined: 01 Nov 2005
Posts: 15

Posted: Mon Jan 08, 2007 11:18 am

Thanks. I'll work on that when I have time.

The website isn't being used yet anyway.
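
Added example (not code from any poster in this thread): one way the process.php above could be hardened, assuming PHP 7.4 or later and that the login form is switched to method = "POST". The account list, check_login() and require_login() are illustrative names, and the credentials are constructed samples.

```php
<?php
// Added example: hardened counterpart to the thread's process.php.
// Account names/passwords below are constructed samples; in a real
// deployment store only the password_hash() output, never the plaintext.
$users = [
    'username1' => password_hash('pass1', PASSWORD_DEFAULT),
    'username2' => password_hash('pass2', PASSWORD_DEFAULT),
];

// Returns true only when the name exists and the password matches its hash.
function check_login(array $users, string $name, string $pass): bool
{
    // Verify against a dummy hash for unknown names so both paths cost the same.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $known = array_key_exists($name, $users);
    $ok = password_verify($pass, $known ? $users[$name] : $dummy);
    return $known && $ok;
}

// Call at the top of admin.php instead of comparing a fixed cookie value.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
}

if (PHP_SAPI !== 'cli') {
    // Session cookie hidden from scripts; add 'secure' => true once on HTTPS.
    session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    session_start();

    // Credentials arrive in the POST body, so they stay out of URLs and logs.
    $name = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['userpass'] ?? null) ? $_POST['userpass'] : '';

    if ($_SERVER['REQUEST_METHOD'] === 'POST' && check_login($users, $name, $pass)) {
        session_regenerate_id(true);   // fresh session ID on login
        $_SESSION['user'] = $name;     // login state lives server-side
        header('Location: admin.php');
    } else {
        header('Location: login.php');
    }
    exit;
}
```

The difference from the posted script is that the browser only ever holds a random session ID, so knowing a fixed cookie value no longer grants access to admin.php.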