[SPLIT FROM] How to better login script

[Skylight_lady]

A LOT better ways to secure passwords rather than md5'ing it and sticking it in the database if you want to look into them

 

I thought md5'ing a password was the only option on making it more secure. Can point me in the direction of other SECURED options?

[Zurev]

When you md5 or sha1 a password it's called a hash. A lot have moved to sha1, and a great way to hash it is with sha256, see php's hash() function.

 

Now you can create a salt, so that the users password is hashed against a salt, which really is just md5'ing or sha1'ing or whatever the password with the salt.

 

So say your password is "chance".

 

MD5: 82c0f6882c1ae8e205184d6869db5cb7

 

So now you salt it with a random salt that is stored in that users row, like 7sJF92KF

 

Now you MD5 chance7sJF92KF

 

Which is an entirely different string, this is great because if someone accesses your database, two or more people can have the same password, and the hacker won't be able to tell.

 

However that, is just barely scratching the surface.

 

Look into hashing/salting php passwords.

[Skylight_lady]

I heard of sha1. Thought it was more complicated a few yrs ago. Will look into it again.

 

May I ask how a hacker could generate the correct password if it's already been hashed in an md5 form.

[Pikachu2000]

Google 'md5 rainbow tables'

[fortnox007]

I heard of sha1. Thought it was more complicated a few yrs ago. Will look into it again.

 

May I ask how a hacker could generate the correct password if it's already been hashed in an md5 form.

 

It's a one way route, but some people just encrypted whole dictionaries so when they have a match they know your password. But ones they are in your database in such a manner i assume you are allready facked

I would use sha1()  though it's bit longer

 

I am also still learning and this is also a tricky part for me.

 

What you might add, is only allow Select, update, Insert rights for the customers. That way I think an extra barrier is placed.

 

Also nice could be to add a formtoken. a good website  (atleast i find that) is : http://phpsec.org/projects/guide/2.html  I am not sure if they are updating anything there but it gives a good idea of the technique. In a nutshell a formtoken is a token placed in hidden field and on the execution page the session value is compared with the postvariable of the hiddentoken. So that execute page can only be entered via the normal form.

[Skylight_lady]

mmmm.....ok. I trying to learn sha1. Confusing at the moment. Is it possible to change this original code to SHA1:

 

$_POST['password'] = md5($_POST['password']);
	if (!get_magic_quotes_gpc()) {
		$_POST['password'] = addslashes($_POST['password']);
		$_POST['username'] = addslashes($_POST['username']);
	}

 

[Zurev]

mmmm.....ok. I trying to learn sha1. Confusing at the moment. Is it possible to change this original code to SHA1:

 

$_POST['password'] = md5($_POST['password']);
	if (!get_magic_quotes_gpc()) {
		$_POST['password'] = addslashes($_POST['password']);
		$_POST['username'] = addslashes($_POST['username']);
	}

 

Well if your passwords are already hashed in md5, keep it that way for now. (Unless you really wanted to do it, in which case you could but you would have to do a check in your login if the password is equal to the md5'd or sha1'd version, but I stand with my initial recommendation).

 

Though I'd like to state this, you shouldn't have a problem LEARNING sha1, you didn't learn md5. You know that md5 is a php function that hashes a string, sha1 does the same thing essentially, with a different algorithm. If you change your md5() to sha1() then it will still output a hash. Though I'd like to note sha1 outputs a 40 character hash, md5 a 32 character.

[Skylight_lady]

I'm setting up a new system from scratch with a different login system to the original CMS's system in Joomla (which is using SHA1), They will be using the same database, but the new system will have nothing to do with Joomla. It is better to keep them both as SHA1 as the new system is using the MD5 only. Both my login and form on new system are using:

$_POST['password'] = md5($_POST['password']);

 

Is this what will change the above code to SHA1:

$salt = sha1(md5($_POST['password']));
$_POST['password'] = md5($_POST['password'].$salt);
if (!get_magic_quotes_gpc()) {
$_POST['password'] = addslashes($_POST['password']);
$_POST['username'] = addslashes($_POST['username']);
}

 

I haven't tested it.

[Zurev]

My advice...

 

First, indent your code to make it easier to read.

Second, don't sanitize the password, once you hash it, sql injection can't happen.  When you sanitize it, you are actually changing the password by removing certain characters if they are being used.

Third, try to put session_start() at the top of each script that you use sessions, this will avoid output to the screen before your session is started.

 

Remember what this guy said! You're adding slashes to a password? On top of that you're adding slashes to a password after it's md5'd? MD5 string has 0 slashes...alphanumeric, so it's just wasting processing time.

 

Let me get this straight, your login system is using the same database as joomla? What's the reasoning behind that?

 

 

[Skylight_lady]

The joomla is for all customers. And the new system is as you could say is for resellers. Each of those customers are assigned to a reseller. So therefore, they will need the same info in the new system to collect the customers data.

 

I see .... Looks like i should delete:

$_POST['password'] = addslashes($_POST['password']);

and use this instead:

$salt = sha1(md5($_POST['password']));
$_POST['password'] = md5($_POST['password'].$salt);
if (!get_magic_quotes_gpc()) {
$_POST['username'] = addslashes($_POST['username']);
}

 

I'm going try this in a while. Hopefully it will work. Thanks for your help. You have been very helpful.

[fortnox007]

just maybe good try, make a system apart from joomla, ones loged in they can use the database connection joomla uses. that way you don''t have to compensate anything and you can build it just the way you want. and maybe even better for learning, instead of using the here and than confusing joomla stuff

 

They only need to SELECT customer info from te joomla database right?

[Skylight_lady]

I've already build half the system. It works smoothly .... Joomla can be confusing which is why the new system is developed away from it but using the same DB. I'm not connect this system to any codes in Joomla to easily get the connection, variables etc. I'm doing it all from scratch so if those people want a new website in the future which is not Joomla then they can keep the new system and i can easily change the code. It's not just selecting customer info .... It's also updating, inserting and deleting. I did one system for a shopping site yrs ago which wasn't easy. This is alot easier. Tho, I'm having small problems which I can sort out.

[Skylight_lady]

Actually, is the following code a better option to use?

$_POST['password'] = mysql_escape_string($_POST['password']);

 

The reason i used the  following code:

$_POST['password'] = addslashes($_POST['password']);

was to escape SQL injection. But as "Zurev" noted that md5 string has 0 slashes. Is the mysql_escape_string() a good option to use for the password?

 

 

[Pikachu2000]

No. Don't use either on a value that has been, or will be hashed.

[Skylight_lady]

Thanks. I believe i understand this fully now. If i wasn't using addslashes() on the username or hashing then the a user could take advantage of sql injection by typing a similar name to the following into the username field in the form:

username', 'password'), ('otherusername

 

Is there a better code than addslashes() that can be used for the username?

[Zurev]

Thanks. I believe i understand this fully now. If i wasn't using addslashes() on the username or hashing then the a user could take advantage of sql injection by typing a similar name to the following into the username field in the form:

username', 'password'), ('otherusername

 

Is there a better code than addslashes() that can be used for the username?

 

There are a ton of options, whitelisting/blacklisting (not suitable for usernames), preg_match/replace to ensure it's alpha or alphanumeric etc, make sure you understand magic_quotes/addslashes/stripslashes/realescapestring fully though, you don't want to be adding double sets of slashes, or stripping always non-existent slashes.

[Skylight_lady]

Ok ..... one little prob with this. I have tried the solution which works smoothly. However, i'm allowing the resellers to sign up their own clients on the new system. This means that their clients will sign in on the main joomla site once registered. Now, i understand joomla's passwords are different. I have used this code for the reseller 's to sign up their own clients:

for ($i=0; $i<=32; $i++) {
      $d=rand(1,30)%2;
      $salt .= $d ? chr(rand(65,90)) : chr(rand(48,57));
   } 
$hashed = md5($_POST['password'].$salt);
$_POST['password'] = $hashed . ':' . $salt;

The above code adds the password the correct way as joomla does and is displayed in the database. However, I am unable to login with this code. I have added this code to the registered page and the login page.

 

If i change the above code to use MD5, it runs smoothly as joomla accepts MD5 passwords. How do i get it to work the correct way as joomla saves the passwords and be able to login to joomla as well without a problem?

 

I have also tested this code above on the new system. And it doesn't work when i try to login.