Incorrect password redirects to incorrect page? - authentication

So I put together a very crude login form using PHP and a MySQL database, and I have it set (or so I think) to redirect back to the login page with "loginFailed=true&reason=password". I'm trying to just have it redirect back to the login and display an incorrect password message, but instead it just redirects to the main index page.
What am I doing wrong here? Granted, I borrowed heavily from some pre-existing code due to my lack of coding knowledge, but it did work as intended for a bit before redirecting.
Here is the code:
passwordcheck.php
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$password=$_POST['password'];
// To protect MySQL injection (more detail about MySQL injection)
$password = stripslashes($password);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM $tbl_name WHERE password='$password'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("password");
header("location:admin.html");
}
else {
die(header("location:login.html?loginFailed=true&reason=password"));
}
?>
And here is the password field in the login page:
<span class="add-on"><i class="icon-list-alt"></i></span>
<input type="password" id="inputIcon" class="span4" name='password' id='password' maxlength="50" placeholder="<?php $reasons = array("password" => "Yo shitbird, wrong password."); if ($_GET["loginFailed"]) echo $reasons[$_GET["reason"]]; ?>" />
</div>

Try moving the header() command out of the die() call:
else {
header("location:login.html?loginFailed=true&reason=password");
die();
}
There are many other potential problems with this code. I would suggest reading a few tutorials on the subject; there are plenty out there, although be careful, as there are many low-quality PHP tutorials that might teach you dangerous practices. Learning more about PHP security is important, especially if this code is going to be on a publicly accessible web server.
One of the problems is the fact that you are storing passwords in plain text. Passwords should never be stored in plain text; they should be salted and stored with a secure hashing algorithm. PHPass is a great utility to help with this.
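For readers who want to see the two points above (hashed passwords, and a header()/exit redirect) in one place, here is an added example; it is not the asker's or the answerer's code. Two further things it changes relative to the posted passwordcheck.php: the posted query matches on the password column alone (any account whose password equals the submitted one logs in), so the example looks the account up by username and then checks the password separately; and the mysql_* functions it used were removed in PHP 7, so it uses PDO with a prepared statement. It uses PHP's built-in password_hash()/password_verify() (bcrypt with a random per-password salt), which is the modern equivalent of what PHPass provides. Assumed: a PDO connection in $pdo, a table users with columns username and password_hash, and that the admin page is served by PHP (admin.php) so it can check the session, which a static admin.html cannot do.

```php
<?php
// Added example, not the original poster's or answerer's code.
// Assumes: $pdo is an open PDO connection; table `users` has columns
// `username` and `password_hash`; admin.php checks $_SESSION['user'].
session_start();

// Called once at sign-up (or when migrating the plain-text table):
function make_password_hash(string $plain): string
{
    // bcrypt; PHP generates and embeds a random salt for each password.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function verify_login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username travels as a bound parameter, so
    // stripslashes()/mysql_real_escape_string() are no longer needed.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run password_verify() even for unknown usernames so that a fast
    // "no such user" path does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = make_password_hash('placeholder-not-a-real-password');
    }
    $hash = ($row !== false) ? $row['password_hash'] : $dummyHash;

    return password_verify($password, $hash) && $row !== false;
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (verify_login($pdo, $username, $password)) {
    session_regenerate_id(true);     // fresh session id after login (session fixation)
    $_SESSION['user'] = $username;   // replaces the removed session_register()
    header('Location: admin.php');
    exit;
}

// Failure path: plain header() followed by exit, as suggested above.
header('Location: login.html?loginFailed=true&reason=password');
exit;
```

Because the stored value is a bcrypt hash rather than the password itself, a dump of the users table no longer hands out every account's password, and the login page's placeholder lookup ($reasons[$_GET["reason"]]) keeps working unchanged.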

Related

Multi-step MFA with custom ADFS 3.0 IAuthenticationAdapter

I'm setting up custom MFA providers for ADFS 3.0 by implementing IAuthenticationAdapter. I want to add another step into the authentication process whereby, for example with email-based OTP, the user is first prompted to confirm his or her email address before the code is sent and is then prompted to enter the OTP, or perhaps the user is prompted to verify some mobile digits before an SMS OTP is sent out. However, the workflow in the authentication pipeline seems quite rigid: you get BeginAuthentication, OnError and TryEndAuthentication, but implementing additional steps seems much more involved.
So far I have come up with two possible solutions, and I'd like to hear if anyone has any comments or preferences, or hopefully a better way of doing this.
1. Call TryEndAuthentication more than once, passing a different context to represent which stage of the process should be rendered with an IAdaperPresentation.
2. Add jQuery and other custom scripts as text resources to the custom provider assembly and then inject them into the IAdapterPresentationForm.GetFormHtml method to make the form dynamic and even do some in-line AJAX calls to a separate MVC / Web API service, and do the email verification before showing the user the authentication form, such that you end up with something like this...
Here's my custom script resource (Provider.txt):
function alertMe() {
$("#serviceResponse").html("It Works!");
}
And here's what I did in GetFormHtml:
var jQuery2 = Properties.Resources.jQuery2;
var script = Properties.Resources.Provider;
result += "<script type=\"text/javascript\">";
result += jQuery2;
result += "</script>";
result += "<form method=\"post\" id=\"loginForm\" autocomplete=\"off\">";
...
result += " <input id=\"alertButton\" type=\"button\" name=\"Alert\" value=\"Alert Me\" onclick=\"alertMe();\" />";
result += " <div id=\"serviceResponse\" />";
...
result += " <input id=\"continueButton\" type=\"submit\" name=\"Continue\" value=\"Continue\" />";
result += "</form>";
result += "<script type=\"text/javascript\">";
result += script;
result += "</script>";
I've not tried the first method yet, and I'm not even sure if the ADFS authentication pipeline will allow this kind of workflow.
I have tried the second method and, amazingly, it does work, although, as I'm sure you'll agree, from a developer's point of view it's nowhere near as clean as I'd like!
So what do you think, am I missing a simple setting or interface which I could cleanly implement to do this, or is this the only way?

Is it less secure to have DB config variables on page when using PDO?

Is it OK to have my database call on the actual page when using PDO, or is it more secure to include it as a config file? I only have 4 pages with SQL queries, so I'm not concerned about putting it on each page from a time-saving standpoint. I just want to make sure it is not less secure to do so like this:
$user='***'; // Enter your DB User Name.
$pass='***!'; // Enter your DB Password.
$hostName='***'; // Enter your host name.
$dataBaseName='***'; // Enter your Database Name.
$dbh = new pdo('mysql:host='.$hostName.';dbname='.$dataBaseName, $user, $pass);
echo "Connection Successful";
//Begin PDO Queries...
Saving the database credentials in a config file is not going to improve security.
It is more about code reusability. It is just good practice to avoid repetition.

Password Authentication - Inconsistent Hashes

I am migrating from Joomla 1.5 to WordPress and my client does not want users to have to re-register. So I am writing a WordPress plugin to match a user's password with what's in the jos_users table and then update their info in WordPress accordingly.
Everything I have read so far for Joomla's password authentication points me to the getCryptedPassword function:
http://docs.joomla.org/API15:JUserHelper/getCryptedPassword
My plugin is encrypting what the user enters the same way:
$db_password = explode(':', $query); // what's in the password field of jos_users
$salt = $db_password[1];
$string_to_be_hashed = $user_entered_pass . $salt;
$test_pass = md5($string_to_be_hashed);
$test_pass = $test_pass . ":" . $salt;
if ($test_pass === $query) { echo "success"; }
I have tested 3 accounts using this...but only 2 are authenticating.
Specifically: md5($password$salt):$salt != database password value
In the database, the password value for the account it is not working for appears to have used the same encryption and in the same format ([md5hash]:salt). I know the password is correct because I can log in to the client's site with it.
In addition, I ran a search on the entire Joomla codebase for the getCryptedPassword function. In all cases, no explicit encryption method is sent - both the code and the documentation indicate that md5 is used by default.
Can anyone think of any places I should look for alternative encryption possibilities?
I have no idea where else to look or why this particular user account appears to be encrypting differently.
In Joomla, the encryption is handled as follows.
jimport('joomla.user.helper');
$salt = JUserHelper::genRandomPassword(32);
$crypt = JUserHelper::getCryptedPassword($password_choose, $salt);
$password = $crypt.':'.$salt;
You can run the comparison in a separate file by loading the entire Joomla framework into a single file in the root.
define( '_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) );//this is when we are in the root
define( 'DS', DIRECTORY_SEPARATOR );
require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );
$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();
Also, you cannot decrypt the Joomla password. If you know the password (original text), then try with the WordPress password format.
Hope this helps.
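The following is an added example, not the asker's plugin code or the answerer's snippet: a stand-alone verifier for a Joomla 1.5 jos_users.password value that does not need the Joomla framework loaded. It implements the scheme quoted above (md5(plain . salt) followed by ':' and the salt) and, going one step beyond the snippet, also accepts a stored value with no ':' part, which is the unsalted md5(plain) form that Joomla 1.0 wrote and that Joomla 1.5 still verified by treating the salt as empty. The sample password and salt are constructed here, not taken from any real account.

```php
<?php
// Added example, not code from the question or the answer above.
// Verifies a password against a Joomla 1.5 jos_users.password value:
//   "<md5 hex>:<salt>"   -> md5(plain . salt) must equal the hex part
//   "<md5 hex>"          -> legacy Joomla 1.0 form, md5(plain) with no salt
function joomla15_check_password(string $plain, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    $crypt = $parts[0];
    $salt  = $parts[1] ?? '';            // no ':' => empty salt (legacy form)
    $test  = md5($plain . $salt);        // same operation as getCryptedPassword()
    // Compare the two hex digests in constant time.
    return hash_equals($crypt, $test);
}

// Constructed sample (not a real user record): a 32-character salt, the
// same length JUserHelper::genRandomPassword(32) produces, and the stored
// string built exactly the way the answer above shows.
$salt   = bin2hex(random_bytes(16));
$stored = md5('correct horse battery' . $salt) . ':' . $salt;

var_dump(joomla15_check_password('correct horse battery', $stored));
var_dump(joomla15_check_password('wrong password', $stored));
var_dump(joomla15_check_password('legacy', md5('legacy')));   // unsalted form
```

Once a user's Joomla password has been confirmed this way, the plugin can store it in WordPress's own format by calling the real WordPress function wp_set_password($plain, $wp_user_id) rather than copying the md5:salt string across; an unsalted md5 is not something to keep around on the new site.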

In coldfusion: how to remember that a user has logged in?

I have a username/password on a login page, which goes to 'member' page. Basically, I used a statement that finds the number of rows in a SQL query, and if it's not 1 (the correct username/password combination), then it redirects back to the login page.
However, on the 'member' page, there are forms to do various things, like add new rows to a table using SQL, or return queries of joined tables. These forms also link back to this 'member' page, but the conditions for logging in (which requires a username variable and password variable) would no longer be met.
So, how do I get the server to remember whether a user is logged on or not?
In the application.cfm or application.cfc, you will need to enable sessionManagement = true so you can start tracking variables across page requests. Then when a user logs in, you will set a variable like isAuthenticated = true. Only redirect to the login page if the isAuthenticated = false or undefined (you can set a default using cfparam in onSessionStart of Application.cfm)
Rough example, assuming you are using ColdFusion 9+
Application.cfc
component {
this.name = 'myApplication';
this.SessionManagement = true;
public function onSessionStart() {
param name='session.isAuthenticated' default=false;
}
}
checkAuthentication.cfm
<cfscript>
if (!session.isAuthenticated) {
// send to login page
}
</cfscript>
In your login processing page, make sure you set session.isAuthenticated to true, and then it should skip checking / asking for the login. You can also look into the built-in authentication functions of CFLOGIN.
Hope that helps a bit.

phpass fails on Authentication on certain passwords from phpBB3?

Using either the phpass test program http://www.openwall.com/phpass/phpass-0.3.tar.gz , or python-phpass, and using C?*|Y[j"KQ'%gf for the plain text password, and $P$9kS6tD8tVxajypvJ5837.bt2emepD8/ as the hash, doing:
<?php
#
# This is a test program for the portable PHP password hashing framework.
#
# Written by Solar Designer and placed in the public domain.
# See PasswordHash.php for more information.
#
require 'PasswordHash.php';
header('Content-type: text/plain');
$t_hasher = new PasswordHash(8, FALSE);
$correct2 = 'C?*|Y[j"KQ\'%gf';
$hash2 = '$P$9kS6tD8tVxajypvJ5837.bt2emepD8/';
print 'Hash: [' . $hash2 . "]\n";
print 'correct: [' . $correct2 . "]\n";
$check = $t_hasher->CheckPassword($correct2, $hash2);
if ($check)
{
print "Check IF THIS WORKS correct: '" . $check . "' (should be '1')\n";
}
else
{
print "IT FAILED!!!!!!!!\n\n\n";
}
?>
The hash was from phpBB3 (3.0.10), and when I supply that password to phpBB3, it does work correctly.
phpBB3 is supposed to be using phpass itself, doing $H$ instead of $P$.
The database entry in phpBB3 for this example is:
qlc4pi000000";0;"127.0.0.1";1351902499;"testpass";"testpass";"$H$9kS6tD8tVxajypvJ5837.bt2emepD8/";1351902499;0;"tp#inva.lid.com";266402289712;"''";1351902544;1351902499;0;"''";"''";0;0;0;0;0;0;0;"en";0.00;0;"D M d, Y g:i a";2;0;"''";0;0;0;0;-3;0;0;"t";"d";0;"t";"a";0;1;0;1;1;1;1;230271;"''";0;0;0;"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"bf4ae169a5a21313";1;0;0
The plain text password used in phpBB3 is [C?*|Y[j"KQ'%gf] and the hash (converted from phpBB3 format) is [$P$9kS6tD8tVxajypvJ5837.bt2emepD8/] (both password & hash are between the []).
Can anyone shed some light on what is going on, and why this doesn't work with phpass?
This is on the same machine that the forums are on, and again, it does work on the phpBB3 forums, so I can log in fine. It's just that I can't authenticate with phpass externally when I access the phpBB3 database directly. It does work on other accounts though; it is only certain accounts it fails on.
Turns out the issue is, phpBB3 converts the password to use html escape codes.
Now, once the password is converted, it matches the hash stored in phpBB3.
phpBB3 most likely applies the PHP function htmlspecialchars (with no flags) to the password.
This fact noted by phpBoing was also noticed in the discussion of question https://stackoverflow.com/a/12543884/1148030 .
The nonstandard identifier $H$ is useful: when $H$ is present, an implementation can know to apply the escaping phpBB3 uses.
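Putting the two observations above into code, here is an added example (not the poster's test program): a check function for a phpBB3 3.0.x user_password value built on the phpass PasswordHash class from the openwall archive linked in the question. It escapes the submitted password the way the answers say phpBB3 does before handing it to CheckPassword(); ENT_COMPAT is passed explicitly because that was PHP's default for htmlspecialchars() before PHP 8.1 (only double quotes are converted, single quotes are left alone), whereas PHP 8.1 and later also convert single quotes by default and would produce a different string. One thing the question's workaround did not need: phpass's crypt_private() accepts the $H$ prefix as well as $P$, so the hash can be checked exactly as stored in the database row above.

```php
<?php
// Added example, not the poster's code. Requires PasswordHash.php from phpass
// (http://www.openwall.com/phpass/); use a current release on current PHP.
require 'PasswordHash.php';

// Verify $plain against a phpBB3 (3.0.x) user_password value such as
// '$H$9kS6tD8tVxajypvJ5837.bt2emepD8/'. phpBB3 hashed the HTML-escaped
// form of the submitted password, so the same escaping is applied here.
function phpbb3_check_password(string $plain, string $storedHash): bool
{
    // Constructor arguments only affect HashPassword(); CheckPassword() takes
    // the cost and salt from the setting embedded in $storedHash.
    $hasher = new PasswordHash(8, false);

    // ENT_COMPAT: convert & < > and double quotes, leave single quotes alone,
    // matching the pre-PHP-8.1 default that phpBB3 relied on.
    $escaped = htmlspecialchars($plain, ENT_COMPAT);

    // phpass accepts both '$P$' and '$H$' settings, so no prefix rewrite.
    return (bool) $hasher->CheckPassword($escaped, $storedHash);
}

// The password/hash pair from the question, with the hash exactly as phpBB3
// stores it ($H$) rather than the converted $P$ form.
$plain = 'C?*|Y[j"KQ\'%gf';
$hash  = '$H$9kS6tD8tVxajypvJ5837.bt2emepD8/';
var_dump(phpbb3_check_password($plain, $hash));
```

For the pair above, $escaped becomes C?*|Y[j&quot;KQ'%gf, which is the string the post reports matches once the conversion is applied; passwords with no HTML-significant characters are unchanged by the escaping, which is why only certain accounts failed.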