Is this secure code?

I am making a simple password script. I have a login page that asks the user for a login and a password. It sends the two values to the following application via post (instead of get). Here is the application:
[php]
<?php
// Credentials submitted by the login form via POST
$login = $_POST['login'];
$pass = $_POST['password'];

// Expected credentials, hard-coded in the script
$tlogin = "Xavier";
$tpass = "Anon537";
$authorize = false;
if ($login == $tlogin && $pass == $tpass) {
    $authorize = true;
}
else {
    $authorize = false;
}
?>
[/php]
Is this a secure procedure? Thanks for your help.
Nov 4 '07 #1
post
You are comparing $login to $tlogin, which in normal scripts you would get as a variable from an SQL database with a query. I have an example of what one would look like:
[php]
// $username and $md5p are interpolated straight into the query string,
// so they must be checked/escaped before they get here
mysql_query("select clientdata.name from clients left join clientdata on clientdata.clientid=clients.clientid where clients.username like '$username' and clients.password='$md5p'");
[/php]

A way to secure this would be to encrypt the password if it's being passed to another page and compare it to an md5 hash in the database, together with the string you get from $_POST['login']; then you can add if ($authorized) { code } to be granted access to the member area.

To secure $_POST data you can make a simple function to check it before passing it to MySQL. If you need an example of it I can post it.


If you don't like the way I mentioned above, then I would suggest this:
[php]
<?php
// Remove slashes
$login = stripslashes($_POST['login']);
// Hash the password with md5; alternatively you can use hash('md5', $pass)
$pass = md5($_POST['password']);

$tlogin = "Xavier";
// The literal must be quoted: a bare Anon537 is an undefined constant
$tpass = md5("Anon537");
// Initialise so the later check never reads an undefined variable
$authorize = false;

if ($tlogin == $login && $tpass == $pass) {
    $authorize = true;
}
if ($authorize) {
    // Code here
    echo("hi");
}
else {
    $authorize = false;
}
?>
[/php]
Nov 4 '07 #2
pbmods
To add to post's comment:

You only need to stripslashes() if you have magic_quotes turned on.

Also, this line:
[php]
if( $authorize )
[/php]
is bad practice. A more robust method would be:
[php]
if( ! empty($authorize) )
[/php]
Nov 4 '07 #3
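A hardened version of the check discussed in posts #2 and #3, added here as an example and not code from anyone in the thread: the password is stored only as a password_hash() digest (no plaintext and no unsalted md5), it is verified with password_verify() instead of ==, and $authorize is always initialised so the empty() concern does not arise. It assumes PHP 7.0 or later and uses a $users array as a stand-in for the database row lookup.

```php
<?php
// Added example, not code from this thread. Assumes PHP >= 7.0 and a $users
// array standing in for the database lookup (a prepared statement in real code).
declare(strict_types=1);

// Stored credential: only a salted, slow hash is kept; the plaintext "Anon537"
// never appears in the script. Constructed sample row for the thread's user.
$users = [
    'Xavier' => password_hash('Anon537', PASSWORD_DEFAULT),
];
// Hash verified for unknown usernames so response time does not reveal whether
// a username exists. Computed once, not per request.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

function authenticate(array $users, string $dummyHash, string $login, string $password): bool
{
    // Always initialise the result: an unset $authorize can never read as true.
    $authorize = false;

    $known = array_key_exists($login, $users);
    $storedHash = $known ? $users[$login] : $dummyHash;

    // password_verify() compares the digest in constant time. Never compare
    // digests with ==: PHP's loose comparison treats "0e123" == "0e456" as true.
    if (password_verify($password, $storedHash) && $known) {
        $authorize = true;
    }
    return $authorize;
}

// Read the POST fields without assuming they are present or are strings
// (login[]=x would arrive as an array). No stripslashes(): magic_quotes was
// removed in PHP 5.4, and hashing does not need it.
$login    = is_string($_POST['login'] ?? null) ? $_POST['login'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

if (authenticate($users, $dummyHash, $login, $password)) {
    echo "hi"; // member area
} else {
    http_response_code(401);
    echo "Login failed";
}
```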
anon538
Thank you both. I wasn't aware of the need for encrypting, but I guess I'll try it for extra security.
Nov 4 '07 #4
post
Ah yeah, I could have gone with that. Oh well, thanks for the correction, it was late :(
Nov 5 '07 #5