Is it really secured ?

kangaxx

It's a authentification form but i dont think it's very secured, so i would like to know how i can ameliorate the security of this authentification :

// The form

<form method="post" action="identification.php">
<table border="0" cellpadding="2" cellspacing="0">
<tr>
<td align="right">ID :</td><td align="left"><input type="text" name="identifiant"></td>
</tr><tr>
<td align="right">Mot de passe :</td><td align="left"><input type="password" name="password"></td>
</tr><tr>
<td align="center" colspan="2"><input type="submit" value="S'identifier" name="action"></td>
</tr>
</table>
</form>

// The php script
$identifi="0";

// we check if the form has been validated
if(isset($POST[action])) {
if(empty($POST[identifiant]) OR empty($POST[password])) {
echo "<i>Fields empty</i><br><br>";
} else {
$select="SELECT * FROM membre WHERE id='$POST[identifiant]' AND password='$POST[password]'";
$query=mysql_query($select);
$numrows=mysql_numrows($query);
if($numrows!="1") { echo "<i>Authentification Error</i><br><br>"; }
else {
$SESSION[identifiant]=$POST[identifiant];
$SESSION[password]=$_POST[password];
$nom=mysql_result($query,"0","nom");
$prenom=mysql_result($query,"0","prenom");
$identifi="1";
}
}
}

// we check if the session already exists
elseif(!empty($SESSION[identifiant]) AND !empty($SESSION[password])) {
$select="SELECT * FROM membre WHERE id='$SESSION[identifiant]' AND password='$SESSION[password]'";
$query=mysql_query($select);
$numrows=mysql_numrows($query);
if($numrows=="1") { $identifi="1"; }
}

if($identif=="1") { blabla bla.... }
else { echo "youre not identified"; }

Thank you in advance (sorry for my english)

FMB

depending on the php.ini, you could check for magic quotes.
If magic_quotes_gpc is set to false, then this login is not secure and you should use the addslashes() around the id and password.

} else { 
  if (!ini_get('magic_quotes_gpc')) {
    $id=addslashes($_POST[identifiant]);
    $passw = addslashes($_POST[password]);
  } else {
    $id=$_POST[identifiant];
    $passw = $_POST[password];
   }    

   $select="SELECT * FROM membre WHERE id='$id' AND password='$passw'";

Also, get a program like Crimson Editor and use it. It will indent you code and makes it 100% more readable ;-)

kangaxx

ok, im going to check for magic quotes.
And thank you for this software, but i found phped, its not bad too 😉

And i would like know if i can encrypt the id and the password for example with md5 to avoid someone can take these one when we validate the form.

FMB

you SHOULD encrypt the password with md5. Store it encrypted in your database (field width must be 32 !!).

misterjoey5000

Another question about security. If you make a log-in form, you ask a person for his or her password. He or she types that password in the password field and clicks "submit". The password then goes raw over the internet to the page were it is checked and encrypted to md5.

Is there a way to make this process secure, so a way to encrypt the password even before it is sent over the internet?

Weedpacket

Originally posted by misterjoey5000
Is there a way to make this process secure, so a way to encrypt the password even before it is sent over the internet?

Little point just encrypting the password and sending it; if you've got someone snooping the internet connection, they only need to capture the encrypted password and send it themselves.

If packet sniffing is a potential problem, SSL would be a more secure approach. You could emulate it with some serious challenge-response traffic back and forth, but the effort of coding it (and its assumption of Javascript running on the client) is probably so expensive that it would be cheaper just to use SSL and be done with it.

drawmack

patUser has come up with a really neat solution to this problem. For more information see:
http://www.devshed.com/c/a/PHP/User-Authentication-with-patUser-part-1/
http://www.devshed.com/c/a/PHP/User-Authentication-With-patUser-part-2/
http://www.devshed.com/c/a/PHP/User-Authentication-With-patUser-part-3/

misterjoey5000

Originally posted by Weedpacket
Little point just encrypting the password and sending it;

Well, I've been thinking about that, but how do I do that? Because when the page loads, there's no password in the form yet, and as soon as I press the button, it send the raw password over the network...

I have got SSL, but I'm not sure whether that's really secure. My hosting provider has some trouble in maintaining the SSL...

drawmack

try reading the articles I posted links to. patUser gives the person a token and then they encrypt the password and the token. Tokens expire quickly so even if a hacker steals the password and token encrypted it will only work for a brief period.

misterjoey5000

right, thanks. I've got the article printed and I'll read it tonight. Thnaks a lot! I'll tell you if it was what I've been looking for 🙂.