Date: 06/06/02
- Next message: Chris Hewitt: "Re: [PHP] Returnpath for mail"
- Previous message: Jas: "[PHP] Re: Anyone?"
- In reply to: Jas: "[PHP] Re: Anyone?"
- Next in thread: Jay Blanchard: "RE: [PHP] Re: Anyone?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Yes, PHP is a secure programming language.
On Thu, 2002-06-06 at 13:18, Jas wrote:
> I cannot believe that no one with a lot of PHP and MySQL experience has
> replied to this post yet. Is PHP not a secure scripting language? I would
> really like a little insight into this question, anyone?
>
> "Jas" <jlgerfen <email protected>> wrote in message
> news:20020606155545.68977.qmail <email protected>
> > I posted this yesterday and did not get any response at all. Just wondering
> > if someone can give me some insight into some security measures for a
> > content management application...
> >
> > Posted 06/05/2002
> > Ok, I am not a security expert, so I would like to know if the security
> > measures I have implemented are adequate enough to keep people out. Any
> > pointers on this would be very helpful as I am trying to implement a secure
> > way for people to update a website through the use of a content management
> > application. Example of code is as follows:
> >
> > // Login form - index.php
> > <form name="authenticate" method="post" action="auth_done.php">
> > <input type="text" name="user" size="20" maxlength="20"><br>
> > <input type="password" name="pw" size="20" maxlength="20"><br>
> > Select an image to identify yourself as an administrator.<br>
> > <select name="image">
> > <option value="image01.jpg">image01</option>
> > <option value="image02.jpg">image02</option>
> > <option value="image03.jpg">image03</option>
> > <option value="image04.jpg">image04</option>
> > <option value="image05.jpg">image05</option>
> > </select><br><br>
> > <input type="submit" name="Login" value="Login">
> > <input type="reset" name="Reset" value="Reset">
> > </form>
> >
> > // Authentication checker - auth_done.php
> > #############check fields for valid entries in form############
> > if ((!$user) || (!$pw) || (!$image)){
> > header("Location: index.php");
> > exit;
> > }
> > ############connects to database############
> > require '/path/to/database/connection/script/dbcon.php';
> > #############selects database table containing users that are allowed to use application############
> > $db_table = 'users';
> > $sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw = password(\"$pw\")";
> > $result = @mysql_query($sql,$dbh) or die("Couldn't execute query");
> > #############counts the records that matched############
> > $num = mysql_num_rows($result);
> > if ($num !=0) {
> > #############creates variables for sessions############
> > $p_hash = "$pw";
> > $to_hash = "$image";
> > #############creates md5 hash of image user selected############
> > $pstring = md5($to_hash);
> > #############creates a per-login token (md5 of uniqid/microtime, seeded with the password)############
> > $image_sel = md5(uniqid(microtime($p_hash),1));
> > #############starts session for user############
> > session_start();
> > #############registers variables created (login token, username, & image hash) in session############
> > session_register('user');
> > session_register('pstring');
> > session_register('image_sel');
> > #############captures users ip address (logging stuff, not listed in this code for security reasons)############
> > $ipaddy = $REMOTE_ADDR;
> > #############echoes success message to authenticated user############
> > $msg_success = "<b>You have been authorized to make changes to the website! Your IP address has been recorded and sent to the administrator: $ipaddy</b>";
> > } else {
> > #############this prints if user name and password combination is not found in database############
> > print "<p>You are not authorized to use this application!</p>";
> > exit;
> > }
> >
> > Now on each page in the content management app I have these lines of code:
> > #############Start the session#############
> > session_start();
> > #############check session variables#############
> > if (isset($HTTP_SESSION_VARS['user']) ||
> > isset($HTTP_SESSION_VARS['image_sel']) ||
> > isset($HTTP_SESSION_VARS['pstring'])) {
> > $main = "Some kinda message for page in question";
> > #############connects to database#############
> > require '/path/to/database/connection/script/dbcon.php';
> > #############if session variables not registered kick the user back to login form#############
> > } else {
> > header ("Location: index.php");
> > }
> >
> > Now just so you know I have changed all the variables to something other
> > than what I am currently using, however I have made sure that this is a
> > working example so everything should work as is. Also I have tested this a
> > few different ways, including: creating a page that tries to include one of
> > the pages I have my security checks on from another website, linking
> > directly to a script within the application etc. In any event, I also have
> > logging set up on each and every script which I have not included here
> > (different topic), just in case someone does get in I can at least "try" to
> > find them. Any help, pointers, tutorials, examples, etc. would be
> > appreciated!!!
> > TIA
> > Jas
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
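The quoted auth_done.php splices the raw form fields into its SQL string, sends the cleartext password to MySQL's PASSWORD() function, and its per-page check lets a visitor through when any one session variable is set and forgets to exit after the redirect. As an added example (not code from the thread), here is a hardened equivalent using PDO prepared statements, password_verify() and an all-markers check; the `users` table with columns `un` and `pw_hash`, and the `$dbh` handle from dbcon.php, are assumptions.

```php
<?php
// Added example, not Jas's code: a hardened auth_done.php plus the check every
// protected page should include. Assumes a PDO handle $dbh defined in dbcon.php
// and a `users` table with columns `un` and `pw_hash` (filled by password_hash());
// the table and column names are assumptions, not the thread's schema.

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Every marker must be present, not just any one as the posted ||-check
    // allows, and exit must follow the redirect: without it the rest of the
    // page is still executed and sent to the client along with the 302.
    if (empty($_SESSION['logged_in']) || empty($_SESSION['user'])) {
        header('Location: index.php');
        exit;
    }
}

function authenticate(PDO $dbh, string $user, string $pw): bool
{
    // The username is bound as a parameter, never spliced into the SQL string,
    // so quote characters in it cannot change the statement.
    $stmt = $dbh->prepare('SELECT pw_hash FROM users WHERE un = ? LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify in PHP with a slow, salted hash; the posted query sent the
    // cleartext password into MySQL's PASSWORD() function instead.
    return $row !== false && password_verify($pw, (string) $row['pw_hash']);
}

// --- auth_done.php request handling ---
session_start();
require '/path/to/database/connection/script/dbcon.php'; // defines $dbh
$user = (string) ($_POST['user'] ?? ''); // read $_POST explicitly, no register_globals
$pw   = (string) ($_POST['pw'] ?? '');
if ($user === '' || $pw === '') {
    header('Location: index.php');
    exit;
}
if (!authenticate($dbh, $user, $pw)) {
    print '<p>You are not authorized to use this application!</p>';
    exit;
}
session_regenerate_id(true);     // fresh id on login keeps a pre-login id from surviving
$_SESSION['logged_in'] = true;
$_SESSION['user']      = $user;  // nothing derived from the password is stored
$_SESSION['login_ip']  = $_SERVER['REMOTE_ADDR'] ?? '';
```

Each protected page then calls require_login() as its first statement; the image drop-down from the original form is omitted because a value chosen from a public list adds nothing to the check.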

