[web] MySQL - Website with accounts

This topic is 4308 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Should I make a database with one table, and then inside the table have many rows, each being an account? Will this raise any security issues? I'm planning on using a MySQL query that will select only the username that the user entered, and then will verify the password with the retrieved info.

My approach is:
SELECT COUNT(*) FROM user_table WHERE name = '$name' AND password = '$pass'

Where $name and $pass are conveniently 'cleaned' values to avoid SQL insertion, which are input by the user. This way, the password information NEVER leaves the database, which prevents me from doing stupid things with it later on.

You might wanna use the MD5 hash function in PHP. Even though MD5 hashes are easily circumvented with a lookup table, you'll add an additional layer. (And to make the hash more secure, you could add a few non-char (!@#$%^&*) at the beginning/end of all the passwords, so the lookup tables are less useful.)

Toolmaker

Quote:
Original post by ToohrVyk
My approach is:
SELECT COUNT(*) FROM user_table WHERE name = '$name' AND password = '$pass'

Where $name and $pass are conveniently 'cleaned' values to avoid SQL insertion, which are input by the user. This way, the password information NEVER leaves the database, which prevents me from doing stupid things with it later on.


That's the same way I would do it; the idea of retrieving the password just scares me for some reason :D

Quote:
Original post by ToohrVyk
Where $name and $pass are conveniently 'cleaned' values to avoid SQL insertion.

What do you mean by "conveniently 'cleaned' values to avoid SQL insertion"?

Quote:

My approach is:
SELECT COUNT(*) FROM user_table WHERE name = '$name' AND password = '$pass'

This is not secure. You need to add more validations to your user name and password, like forbidding the use of special characters like - ' and others, and not using the ordinary words "name" and "password".

jad_salloum: you answered your own question. That's exactly what he meant by cleaned values.

Edit: where did his post go? :D

Myself I store username, salt and password and hash the specified password with the stored salt for the specified username, and use that for comparison with the stored password.

"Downside" is that it gets case sensitive too.

I should really add "time" as a factor there somewhere too to prevent playback-attacks though.

Although I use mssql, not mysql, the approach would be the same.

Quote:
Original post by jad_salloum
What do you mean by "conveniently 'cleaned' values to avoid SQL insertion"?


Checking that SQL insertion is not possible. In the above case, it means that the ' character does not appear unescaped in the string, even though additional constraints could be placed on the password and login for usability.

Quote:

This is not secure. You need to [things I already do] and not using the ordinary words "name" and "password".


Why would field names such as "name" and "password" be insecure? Especially when most things I work on are readily available under the GPL for source code browsing?

EDIT: Or do you mean that I should forbid the use of the name "name" and the password "password" for the end user? At which point I understand what you mean by insecure.

There is also the crypt function which allows you to add your own salt. It takes the form crypt($Password, 'ABCDEFG').

If you're working with mysql/php for the first time, I'd highly highly highly recommend becoming as familiar as possible with all of its weaknesses before you spend months programming the same flaws over and over again. Password security is a big big deal, as are mysql injection statements. I'm sure there are a few other items to be aware of, but those are the two that come to mind.

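The "username, salt, hash" layout described a few posts up, and the salted crypt() idea in the post above, written out as an added example (not code from anyone in this thread). It uses PHP's hash_pbkdf2 and hash_equals rather than MD5; the $users array is constructed sample data standing in for the user_table.

```php
<?php
// Added example, not from the thread: per-user random salt plus a slow hash,
// stored as two columns, verified in constant time. $users stands in for the
// database table (constructed data).

const PBKDF2_ITERATIONS = 100000;

function registerUser(array &$users, string $name, string $password): void
{
    // 16 random bytes per account. The salt is not secret, but it must be
    // unique so that precomputed lookup tables are useless against the table.
    $salt = random_bytes(16);
    $users[$name] = [
        'salt' => bin2hex($salt),
        // PBKDF2-SHA256 instead of one MD5 round: every guess against a leaked
        // hash costs PBKDF2_ITERATIONS hash operations.
        'hash' => hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 64),
    ];
}

function checkLogin(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        // Hash anyway so an unknown account takes as long as a wrong password.
        hash_pbkdf2('sha256', $password, random_bytes(16), PBKDF2_ITERATIONS, 64);
        return false;
    }
    $salt = hex2bin($users[$name]['salt']);
    $candidate = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 64);
    // hash_equals compares in constant time; == and strcmp leak timing.
    return hash_equals($users[$name]['hash'], $candidate);
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(checkLogin($users, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($users, 'alice', 'wrong'));
var_dump(checkLogin($users, 'mallory', 'anything'));
```

Only the salt and the derived hash are stored, so the plaintext password is never in the table, and the comparison happens in PHP after the lookup rather than inside the SQL WHERE clause.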
I am wondering, if given an input from the user (a password and username), could you just check to see if someone entered a special character such as *, ', \, /, or " and just trivially reject the input and not allow those characters as valid?

Or is that what is meant by being cleaned?

Also, I was wondering, if some special characters are necessary, couldn't you do an entity replace like html does?

Just my two cents, I am still learning security issues myself when it comes to sql.

Cleaning variables is easy.

$clean_username = mysql_escape_string($_POST['username']);
$clean_password = mysql_escape_string($_POST['password']);

that will escape all the nasty little \'s, ''s, "'s, etcetera for you.

What everyone is trying to nail is that you need to filter, and then escape data before it enters the database.

If you only want to allow usernames with alphabetic and number characters, you would need to check that's exactly what the user did (otherwise they could be sending you anything!).

if(!ctype_alnum($_POST['username'])) {
echo 'bad username'; // or do something else to let user know
}

Then you need to escape this variable before sending it to the database. This helps prevent SQL injections, where SQL or other special characters can be inserted into your SQL for some effect - sometimes to read or write additional data you never intended.

$sql['username'] = mysql_real_escape_string($_POST['username']);
// do SQL statement here using $sql['username']

Important to note: mysql_real_escape_string() is recommended over mysql_escape_string(). Also note there is a mysqli_* variant when using PHP5 instead of PHP4. Just a little extra "i" on all mysql functions for PHP5 and any MySQL version above 4.0.

If you want to have more fun on security, read http://forums.devnetwork.net/viewtopic.php?t=38810 .

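The filter-then-escape advice in the post above, together with the SELECT ... WHERE name = '$name' approach from earlier in the thread, as an added example that is not anyone's code from this thread. The whitelist check is the ctype_alnum one from the post; the escaping step is replaced by a PDO prepared statement, which binds the value instead of splicing it into the SQL text. SQLite in memory stands in for MySQL so the script runs without a server, and the user_table rows are constructed.

```php
<?php
// Added example, not from the thread: whitelist the username, then bind it
// with a prepared statement. SQLite in memory replaces MySQL (constructed data).

function validUsername(string $name): bool
{
    // Whitelist, as in the ctype_alnum check above: 3-32 letters or digits.
    return ctype_alnum($name) && strlen($name) >= 3 && strlen($name) <= 32;
}

function login(PDO $db, string $name, string $password): bool
{
    if (!validUsername($name)) {
        return false; // reject before the value goes anywhere near SQL
    }
    // ":name" is a placeholder, not "'$name'": the driver sends the value
    // separately, so quotes or backslashes in it cannot alter the statement.
    $stmt = $db->prepare('SELECT password_hash FROM user_table WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Only the hash comes back; password_verify recomputes the salted hash
    // that password_hash() stored and compares in constant time.
    return password_verify($password, $row['password_hash']);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_table (name TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO user_table (name, password_hash) VALUES (:name, :hash)');
$insert->execute([':name' => 'alice', ':hash' => password_hash('s3cret', PASSWORD_DEFAULT)]);

var_dump(login($db, 'alice', 's3cret'));
var_dump(login($db, 'alice', 'nope'));
var_dump(login($db, "o'brien", 's3cret')); // apostrophe fails the whitelist
```

The two steps are independent: the whitelist is a usability and policy decision (which names you accept), while the prepared statement is what actually keeps user input out of the SQL grammar, so it stays in place even if the whitelist is later relaxed to allow more characters.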