
-----------------------------------
agnivohneb
Fri Dec 19, 2008 9:48 pm

authentication - can i have a second look?
-----------------------------------
This is my first step into security for websites. Most of the time I just get another program to do all the work for me, but it never gave me the customization that I needed. So I created this app for my websites. It seems to work fine; I was just wondering if someone that has experience with security could have a look at my code before I actually use it.

You don't need to put it on your server because I just want an opinion on the code. But if you must, I would like to note that it is not done and I don't have any installer for it, so you will have to do it all manually.

First you will need to extract the contents to wherever you want on your server.
Go into the folder auth and open the file config.php in your favorite editor.
Set up all of your settings for the MySQL server.
Change $ezauth_location to whatever location the auth folder is located in.
Change $ezauth_home to your home page; most of the time it is just the root of your server.
You can leave $ezauth_secret_word the same; it is just used as a salt. When I get an installer made for this, that will automatically be set to a random string.
You will need to import this SQL into your database to create the table and the default login:
SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

CREATE TABLE IF NOT EXISTS `ezauth__users` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(100) NOT NULL,
  `password` varchar(100) NOT NULL,
  `access_level` int(11) NOT NULL,
  `name` varchar(100) NOT NULL,
  `email` varchar(100) NOT NULL,
  PRIMARY KEY  (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

INSERT INTO `ezauth__users` (`id`, `username`, `password`, `access_level`, `name`, `email`) VALUES
(1, 'admin', '65ebe7c86c6c487dcd3d4749c5e2d08e', 3, 'Administrator', 'admin@yourdomain.ca');

That should be it to get it going. All that you need to do is go to test.php in the root and it will take you to the login page. The login is USER: admin PASS: admin.
If it is right it will take you back to test.php and tell you the secret.

-----------------------------------
agnivohneb
Fri Dec 19, 2008 10:19 pm

RE:authentication - can i have a second look?
-----------------------------------
I will be adding an admin area to create users easily and will also have an option for the admin to select and allow users to register, but that will be coming within a few days.

Some of you may be wondering what the auth levels are.
0=all
1=registered, special, admin
2=special, admin
3=admin only

-----------------------------------
jeffgreco13
Sat Dec 20, 2008 5:14 pm

Re: authentication - can i have a second look?
-----------------------------------
So you're just looking for an opinion? I think it's quite good... you seem to have everything you need in a neat little OOPHP package. It's hard to judge these things because there are unlimited ways to make them. Basically it just has to suit your needs...

MOST of all, be secure against SQL injections and if I'm not mistaken, you've done so..

-----------------------------------
agnivohneb
Sun Dec 21, 2008 4:18 pm

RE:authentication - can i have a second look?
-----------------------------------
OK, thanks.
Now I am going to start the admin section.

-----------------------------------
Tony
Sun Dec 21, 2008 6:03 pm

Re: authentication - can i have a second look?
-----------------------------------
MOST of all, be secure against SQL injections and if I'm not mistaken, you've done so..
As well as XSS and CSRF, to name a few more common exploits.
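
Tony names XSS and CSRF without showing what guarding against them looks like in a PHP login form. The following is an added example, not code from ezauth or from anyone in this thread: it mints a per-session CSRF token, checks it in constant time on POST, and HTML-escapes every value it echoes back. It assumes session_start() has already run and that the form posts to login.php; the function names are hypothetical.

```php
<?php
// Added example (not from the ezauth code in the thread): a login form that
// carries a per-session CSRF token and escapes everything it echoes back.
// Assumes session_start() has already run; function names are hypothetical.

declare(strict_types=1);

/** Return the session's CSRF token, minting a fresh random one if none exists. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token against the session copy. */
function csrfTokenIsValid(?string $submitted): bool
{
    if (empty($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

/** Escape untrusted text before placing it inside HTML content or attribute values. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // ... check the credentials here; on failure fall through and re-render the form ...
}

// Whatever the user typed is reflected only through e(), so markup in it stays inert.
$username = (string) ($_POST['username'] ?? '');
?>
<form method="post" action="login.php">
  <input type="hidden" name="csrf_token" value="<?= e(csrfToken()) ?>">
  <label>Username <input type="text" name="username" value="<?= e($username) ?>"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Log in</button>
</form>
```

The token is tied to the session rather than to the page, so a form submitted from another origin cannot supply it, and hash_equals() avoids leaking how many leading bytes matched. Escaping at output time (not at input time) is what keeps a username containing angle brackets or quotes from becoming markup in the page.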

-----------------------------------
Dan
Sun Dec 21, 2008 10:07 pm

RE:authentication - can i have a second look?
-----------------------------------
I would use SHA-1 or better rather than MD5 for password hashes. MD5 is not as strong as more modern hashing systems.

Also I would add in the possibility for it to be accessed through an SSL connection. Right now "http" is hardcoded in at one point when "https" will be used for a secure connection.

I think there is a possibility for a SQL injection in this code through the username. Unless the server is set up to automatically strip slashes and such out of the post fields, I think you could get something in through the username field. Particularly in checklogin, where $user is just dumped into the SQL string and $user is a param set by $_POST['username'] directly. I could be wrong; I looked at the code pretty quickly and I have not done any big PHP coding in a bit.

-----------------------------------
md
Wed Dec 24, 2008 11:00 am

RE:authentication - can i have a second look?
-----------------------------------
You should also look into OpenID. It really simplifies the entire login process.

-----------------------------------
Unforgiven
Wed Dec 24, 2008 3:31 pm

Re: RE:authentication - can i have a second look?
-----------------------------------
I would use SHA-1 or better rather than MD5 for password hashes. MD5 is not as strong as more modern hashing systems.

And salt them!

http://en.wikipedia.org/wiki/Salt_(cryptography)

-----------------------------------
Dan
Wed Dec 24, 2008 4:37 pm

Re: RE:authentication - can i have a second look?
-----------------------------------
And salt them!

They are salted, maybe you should look at the code :p
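
Dan's earlier point (MD5 is weak for passwords) and the salt exchange just above are two halves of one issue: the first post describes a single site-wide $ezauth_secret_word used as the salt, which means every user shares it, and a fast hash such as MD5 can be brute-forced quickly once that secret is known. The code below is an added example, not ezauth's code: it contrasts that scheme with password_hash(), which picks a fresh random salt per user and uses a deliberately slow algorithm, and shows how existing rows can be migrated on the user's next successful login. The formula md5($secret . $password) is an assumption about how a shared-secret salt would typically be applied, not a claim about the thread's actual code.

```php
<?php
// Added example, not code from the thread's ezauth package. It contrasts the
// site-wide-secret-as-salt scheme described in the first post with per-user
// salted hashing via password_hash(), and shows how to migrate stored hashes.
// The legacy formula md5($secret . $password) is an ASSUMPTION about how a
// single "secret word" salt would typically be applied, not ezauth's real code.

declare(strict_types=1);

const LEGACY_SECRET = 'change-me-site-wide-secret'; // stands in for $ezauth_secret_word

/** Hypothetical legacy check: one shared salt, fast MD5, no per-user randomness. */
function legacyHash(string $password): string
{
    return md5(LEGACY_SECRET . $password);
}

/** Modern hash: bcrypt with a fresh random per-user salt chosen by PHP. */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

/**
 * Verify a stored hash of either generation. Returns [bool $ok, ?string $upgradedHash];
 * when $upgradedHash is non-null the caller should store it in place of the old value.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    // Legacy rows are 32 hex chars; anything else is a password_hash() string.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, legacyHash($password))) {
            return [false, null];
        }
        return [true, hashPassword($password)];   // correct password: migrate on this login
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash transparently if the cost parameter has since been raised.
    $upgraded = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])
        ? hashPassword($password) : null;
    return [true, $upgraded];
}

// Demonstration on constructed data (the password 'admin' is the default from the first post).
$storedLegacy = legacyHash('admin');
[$ok, $new] = verifyAndUpgrade('admin', $storedLegacy);
var_dump($ok, $new !== null && password_get_info($new)['algoName'] === 'bcrypt');
[$ok2, $new2] = verifyAndUpgrade('admin', $new);
var_dump($ok2, $new2 === null);        // already bcrypt at the current cost: nothing to upgrade
[$bad] = verifyAndUpgrade('wrong', $new);
var_dump($bad);
```

The `password` column in the posted schema is varchar(100), which is wide enough for a bcrypt string (60 characters); widening it to 255 leaves room for other algorithms later. With the migration path above, the shared secret only has to survive until every active user has logged in once.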

-----------------------------------
Amailer
Sat Apr 25, 2009 2:00 am

Re: authentication - can i have a second look?
-----------------------------------
Yep, definitely need to check for injects.

$_SESSION

In your login.php is not checked for any injects. After that its used straight in an sql statement.

$query = 'SELECT * FROM ' . $GLOBALS

You can just use http://ca.php.net/mysql_real_escape_string in your sql statements.
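
Dan's earlier post (the $user value from $_POST['username'] concatenated into the SQL string in checklogin) and Amailer's post here point at the same defect, and Amailer's fix is escaping. The example below is added here and is not ezauth's code: it reproduces the concatenation pattern next to a PDO prepared statement, running against an in-memory SQLite copy of the `ezauth__users` table (table and column names from the SQL in the first post) so it can be tried without a MySQL server. The sample rows and the username containing a quote are constructed.

```php
<?php
// Added example, not ezauth's code. Reproduces the pattern Dan and Amailer
// describe (a username from $_POST concatenated into the SQL text) next to the
// prepared-statement version. It runs on an in-memory SQLite copy of the
// ezauth__users table so it can be tried without a MySQL server; the table
// name and columns come from the SQL in the first post. Sample data is constructed.

declare(strict_types=1);

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // For a MySQL DSN you would also set PDO::ATTR_EMULATE_PREPARES => false
    // so that parameters are bound on the server rather than interpolated by PHP.
    $db->exec('CREATE TABLE ezauth__users (
        id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, password TEXT NOT NULL,
        access_level INTEGER NOT NULL, name TEXT NOT NULL, email TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO ezauth__users (username, password, access_level, name, email)
                         VALUES (?, ?, ?, ?, ?)');
    $ins->execute(['admin', password_hash('admin', PASSWORD_DEFAULT), 3, 'Administrator', 'admin@example.invalid']);
    $ins->execute(["o'brien", password_hash('pw', PASSWORD_DEFAULT), 1, "O'Brien", 'ob@example.invalid']);
    return $db;
}

/** VULNERABLE: user input becomes part of the SQL text, so a quote changes the query. */
function findUserVulnerable(PDO $db, string $user): ?array
{
    $sql = "SELECT * FROM ezauth__users WHERE username = '" . $user . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** SAFE: the username travels as a bound parameter and is never parsed as SQL. */
function findUserSafe(PDO $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT * FROM ezauth__users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openDemoDb();
$input = "o'brien";    // a legitimate username that happens to contain the SQL string delimiter

$safe = findUserSafe($db, $input);
echo 'prepared statement: ', $safe ? 'found ' . $safe['name'] : 'not found', PHP_EOL;

try {
    findUserVulnerable($db, $input);
} catch (PDOException $e) {
    // The quote ended the literal early and the remainder of the input was parsed as SQL.
    echo 'concatenation: query broken by input (', $e->getMessage(), ')', PHP_EOL;
}
```

The failure mode is visible even with harmless input: the moment a quote in the username terminates the string literal, everything after it is interpreted as SQL, which is exactly the opening Dan describes. mysql_real_escape_string(), the fix Amailer suggests, closes it only when it is applied to every interpolated value with an open connection and the right connection charset, and the mysql_* extension itself was removed in PHP 7; a prepared statement keeps data and query text separate regardless of what the input contains.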
