11 thoughts on “Drawing Attention to Security Cont. (Makings of Secure PHP Login/Register and user session management)

  1. Wow, just wow, I don’t know where to start with the epic amount of misinformation in this post. Actually I do know where to start:

    “Surpress all errors using “@””

    No, no, no. For the love of…never do this. How would you know when you screwed up? It’s a recipe for a debugging nightmare. Instead, set display_errors to “on” on development servers, and “off” on production servers (and “log_errors” to “on” so that you know that they happened).

    1. Ok, so I’ve mixed up some info in this post like I’ve said md5 can be decoded…Must have been thinking encryption for some reason…but the general points are ones born from managing a real e-commerce site that has had many attempted attacks.

      If you still do not quite understand why I specify some points please feel free to question me. I am happy to explain further

    2. OK, I have been looking at my own server config and I realised I didn’t use the ini and that got me wondering why.

      Do you know what show errors off actually disables in terms of php code? set_exception_handler and set_error_handler. If you don’t have these two functions how are you gonna show a proper error message instead of a blank screen?

      What you should do which is what everyone else does is set the error reporting level to fatal not off…

      So scrub my first comment and I suggest you start using a custom error handler to deal with production environments.

      BTW ampersand also stops the error from going to memory on my server whilst show errors off does not. What happens if one of your SQL statements dies…oops entire SQL error object thrown to server buffer…

      I think you’ll find very little of this post is misinformed
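The exchange above (display_errors off, log_errors on, and a custom handler via set_error_handler / set_exception_handler instead of blanket @ suppression) as one working PHP file. This is an added example, not code from the post or from any commenter; the log path and the failing SQLite query are assumptions chosen so it runs stand-alone (it needs the pdo_sqlite extension).

```php
<?php
// Added example: production-safe PHP error handling. Full detail goes to the
// log; the visitor gets a generic page rather than a blank screen or a raw
// SQL error. Nothing here depends on the @ operator.

error_reporting(E_ALL);              // report everything internally...
ini_set('display_errors', '0');      // ...but never render it into the response
ini_set('log_errors', '1');          // ...and always write it somewhere an operator reads
ini_set('error_log', '/var/log/php/app.log'); // assumed path; adjust for your host

function app_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Honour the current reporting mask (this is also what makes an
    // @-suppressed expression skip the handler); hand anything else back to PHP.
    if (!(error_reporting() & $errno)) {
        return false;
    }
    error_log(sprintf('[%s] PHP error %d: %s in %s:%d',
        date('c'), $errno, $errstr, $errfile, $errline));
    // Promote to an exception so a single exception handler owns the response.
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
}

function app_exception_handler(Throwable $e): void
{
    // Stack trace, query text and file paths stay in the log only.
    error_log(sprintf('[%s] Uncaught %s: %s in %s:%d%s%s',
        date('c'), get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    // Generic text for the client: no internals leak.
    echo "Something went wrong. Please try again later.\n";
}

set_error_handler('app_error_handler');
set_exception_handler('app_exception_handler');

// Constructed failure: a query against a table that does not exist. With
// ERRMODE_EXCEPTION the PDOException propagates to app_exception_handler,
// which logs the real SQL error and returns the generic 500 page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->query('SELECT * FROM table_that_does_not_exist');
```

Run it from the command line and the generic message is all that is printed; the detailed record (exception class, message, file, line and trace) lands in the configured log. Switching display_errors to 1 on a development box changes nothing in the handlers, which is the point made in the thread: turning display off does not take the handlers away.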

  2. 1. It doesn’t matter if you use PHP_SELF or any other environment variable to set the action of the form. The form code is client side so a malicious user could set the action to any arbitrary value simply by editing the code.

    2. Brute force attacks are not viable across a network. Even if they were you could perform the same attack using post.

    5. While you’re correct that md5 shouldn’t be used for password hashing, you shouldn’t use the functions you provide either. You should use a one way hash that is resistant to collisions like sha1 with a salt.

    6. Other than the fact that the code you posted doesn’t use any password hashing there is nothing wrong with it. You only have to worry about SQL injections when you’re putting user data into a query.

    10. Other than making the user wait longer for a response there is no reason to do this. What you should do is record the number of failed login attempts and then block the user from trying again for a certain amount of time. Brute force attacks are not viable across a network.

    11. HTTP_REFERER is the one environment variable you should never rely on. It might not be set for a perfectly legitimate user. Also, the ereg family of functions have been deprecated; use perl compatible regular expressions instead.

    16. Display errors should be off in a production environment. Suppressing errors like this is just going to make debugging a nightmare.

    17. Why are you returning a value in an object constructor? It won’t have any effect since the constructor is called implicitly; the return value will never be assigned to a variable. Also, I’m not sure what you’re basing your claim that ‘connecting to a database directly in your code is bad’ on. I don’t see an advantage in using a ‘pointer’ (I’m assuming you meant object?).

    1. 1. PHP self is easily pollutable within the PHP code itself.

      2. Brute force isn’t always using a program. Some programs use the login page and get output from it to see how close it is. If you do not implement a delay after say 3 incorrect logins or something similar such as a captcha (like google does) then someone could easily spam the script.

      5. AES 256 is pretty much immune to everything; it is the standard for higher than top secret information for the government.

      5. I mentioned SQL injections

      10. Why do you think Linux implements this if you log in incorrectly after 3 attempts?

      11. I use HTTP_REFERRER only as a safeguard to stop dumb spam bots, not to rely on; I say to actually use hashing as well.

      16. Display errors off makes it harder to do a lot of other stuff in production. Take a look at a production viable (Zend does this) error handler https://sammaye.wordpress.com/2010/07/30/custom-error-handler-example/

      It is not complex but it is enough to start off with

      To clarify this with an example of @ suppressor:

      @mysql_query("dskjflsfjdjdsf") or trigger_error("MySQL error: " . mysql_error(), E_USER_WARNING);

      This stops the Mysql error object from going to buffer but at the same time produces debugging viability, well ok something a little more complex but you know what I mean

      17. My bad, I should have coded a better example 😦 Nah I meant pointer, I should probably have added “put it into a weirdly named shared folder”

      1. 1. I’m not sure what you’re saying here.

        2. My point about brute force is that across a network, the amount of time it takes to make a request and check the result makes it an exercise in futility. Take a look at this http://tinsology.net/2010/08/do-we-need-longer-passwords/

        5. But it is not a one-way encryption. Given the result from the encryption function you posted one would only need the decryption function to decrypt it. Shared key encryption should be used when encrypted data must be transferred between two parties.

        10. Why pause when you can just lock the user out.

        11. As far as I can tell from the code you posted, if HTTP_REFERRER were not set for a legitimate user they wouldn’t be allowed to login (granted that //check login crap doesn’t say a whole lot).

        16. Turning off display errors doesn’t prevent you from using an error handler. @ should be used sparingly at most.

    2. 1. http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/ That’s just one link there are more floating around.

      2. I’ll answer when I have read it.

      5. To get the key from my server would be almost impossible. You would have more luck decrypting a sha256 salted hash than getting it. Without the key it takes roughly 600,000 years for a computer to decrypt…I think someone would have changed their password in that time.

      10. Cos it might be a legit user who has forgotten their pw, that’s why Linux changed their approach on this. They used to lock a user out for 5 mins but too many complained so they changed it to a random delay. You could then ask why no other site takes the approach of locking except one I have seen which is Virgin Media. I have seen Netsuite do that but they have since changed it now to a random captcha. Locking them is treating them like a hacker which they might not be.

      11. Yea but I don’t rely on it: “It will only protect from dumb bots but meh, it’s an extra layer” Tbh it is the preference of the dev whether or not you set this. A legitimate user even with privacy tools should have a referrer of your site ofc this is not reliable since it is easy to trick and get around.

      16. But turning display errors off does not stop errors from going to memory…it just does not show them. Tbh my script does the same as show_errors = 0 but dynamically so I can just turn it on and off when I like.

      Edit: appears sandbox theme doesn’t allow me to reply to multi level comments…so I posted it to the top one

      1. “putting outputting unsanitised PHP_SELF”

        Having a little trouble deciphering what you just said. The points are sometimes not very well described because I did it in a hurry. Did you mean me saying that? or…well not sure. I don’t think I said PHP_SELF was ok unless the English can be read in a certain way that implies a double contextual meaning.

        I just tend to paste http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/ whenever someone wants to use PHP_SELF now-a-days. Feel free to re-paste to anyone who you know needs educating :P. I have got other links like that but I prefer that link. He spells it out in big bold letters.
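The thread’s points 2 and 10 (count failed logins per account, then either delay or lock for a period, and verify passwords with a real one-way hash) as a runnable PHP sketch. This is an added example, not code from the post or any commenter; the attempt limit, the cooldown length, the table name and the in-memory SQLite store are assumptions made so it runs stand-alone (needs pdo_sqlite).

```php
<?php
// Added example: per-account failed-login counter with a cooldown window.
// Uses an in-memory SQLite table so it runs by itself; a real application
// would keep this in its own database. Limits below are assumed values.

const MAX_FAILURES = 3;    // failures allowed before throttling starts
const LOCKOUT_SECS = 300;  // cooldown after MAX_FAILURES (5 minutes)

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_failures (
        username     TEXT PRIMARY KEY,
        failures     INTEGER NOT NULL DEFAULT 0,
        last_failure INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// 0 when the account may try now, otherwise the number of seconds to wait.
function seconds_until_allowed(PDO $db, string $user, int $now): int
{
    $st = $db->prepare('SELECT failures, last_failure FROM login_failures WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['failures'] < MAX_FAILURES) {
        return 0;
    }
    return max(0, $row['last_failure'] + LOCKOUT_SECS - $now);
}

function record_failure(PDO $db, string $user, int $now): void
{
    // Upsert: first failure inserts the row, later ones bump the counter.
    $st = $db->prepare('INSERT INTO login_failures (username, failures, last_failure)
        VALUES (?, 1, ?)
        ON CONFLICT(username) DO UPDATE
        SET failures = failures + 1, last_failure = excluded.last_failure');
    $st->execute([$user, $now]);
}

function record_success(PDO $db, string $user): void
{
    $db->prepare('DELETE FROM login_failures WHERE username = ?')->execute([$user]);
}

// The password is checked only when the account is not in cooldown, and the
// check is password_verify() against a password_hash() value (no md5).
function attempt_login(PDO $db, string $user, string $password, string $stored_hash, int $now): string
{
    $wait = seconds_until_allowed($db, $user, $now);
    if ($wait > 0) {
        return "locked: try again in {$wait}s";
    }
    if (password_verify($password, $stored_hash)) {
        record_success($db, $user);
        return 'ok';
    }
    record_failure($db, $user, $now);
    return 'invalid credentials';
}

// Constructed walk-through: sample user, sample password, fixed clock.
$db   = open_db();
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$t    = 1000000;
// Three wrong guesses one second apart, then the right password while the
// account is still inside the cooldown, then the right password after it.
foreach (['wrong1', 'wrong2', 'wrong3', 'correct horse battery staple'] as $i => $pw) {
    echo attempt_login($db, 'alice', $pw, $hash, $t + $i), PHP_EOL;
}
echo attempt_login($db, 'alice', 'correct horse battery staple', $hash, $t + LOCKOUT_SECS + 3), PHP_EOL;
```

The cooldown is short and per account, which is the compromise argued over in the thread: a genuine user who mistyped three times waits a few minutes rather than being permanently locked, while a script hammering the form is held to a handful of guesses per window. Swapping the "locked" branch for a captcha challenge, as the commenter describes Netsuite doing, is a one-line change in attempt_login.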
