Secure PHP login
john henry bonham

2004-12-07, 4:01 am

Is it secure to just preg_match() a username form field entry and a
password form field entry against a list in a text file (assuming the
text file is in a "non-public" folder)? Or is that just stupid?

<?php
$username_field=$_POST['username'];
$password_field=$_POST['password'];

$userpass_string=$username_field.'_'.$password_field;
$match_strings_file="../../../(you get the idea)/userpass.txt";
$file_into_string=fopen($match_strings_file,"r");
$userpass_data_string=fread($file_into_string,
filesize($match_strings_file)
);
// I wrapped that onto three lines only because it's a NG post.

// Or is that just stupid?
fclose($file_into_string);

if(preg_match("/\b".$userpass_string."\b/",$userpass_data_string))
{
// successful logon...
}
else
{
// denied logon...
}
?>

userpass.txt list in the form of:

username0_password0 username1_password1 username2_password2

...etc

I'm also planning on having a grid of 10 X 10 input boxes at the logon
prompt. Only 2 would actually be for entering the username and password.
All the boxes would be type="password" giving a "hacker" a 1 in 100
chance of guessing the correct box for either the username and password.
Or is that just stupid? I'm thinking the 2 boxes would be chosen at
random each time the prompt is viewed. The current box labels would be
emailed to the known administrator. Or is that just stupid?

John Henry Bonham
(yeah right)
Richard Grove - Žed Eye Media

2004-12-07, 4:01 am

"john henry bonham" <with@he.ld> wrote in message
news:41b44b4f$0$216$5a6aecb4@news.aaisp.net.uk...
> Is it secure to just preg_match() a username form field entry and a
> password form field entry against a list in a text file (assuming the
> text file is in a "non-public" folder)? Or is that just stupid?
>
> <?php
> $username_field=$_POST['username'];
> $password_field=$_POST['password'];
>
> $userpass_string=$username_field.'_'.$password_field;
> $match_strings_file="../../../(you get the idea)/userpass.txt";
> $file_into_string=fopen($match_strings_file,"r");
> $userpass_data_string=fread($file_into_string,
> filesize($match_strings_file)
> );
> // I wrapped that onto three lines only because it's a NG post.
>
> // Or is that just stupid?
> fclose($file_into_string);
>
> if(preg_match("/\b".$userpass_string."\b/",$userpass_data_string))
> {
> // successful logon...
> }
> else
> {
> // denied logon...
> }
> ?>
>
> userpass.txt list in the form of:
>
> username0_password0 username1_password1 username2_password2
>
> ...etc
>
> I'm also planning on having a grid of 10 X 10 input boxes at the logon
> prompt. Only 2 would actually be for entering the username and password.
> All the boxes would be type="password" giving a "hacker" a 1 in 100
> chance of guessing the correct box for either the username and password.
> Or is that just stupid? I'm thinking the 2 boxes would be chosen at
> random each time the prompt is viewed. The current box labels would be
> emailed to the known administrator. Or is that just stupid?
>
> John Henry Bonham
> (yeah right)



Why re-invent the wheel?
Why don't you just do it the proper way?

Regards
Richard Grove
http://www.shopmaker.co.uk - UK Ecommerce Shop Systems



Andy Barfield

2004-12-07, 4:01 am

john henry bonham wrote:
> Is it secure to just preg_match() a username form field entry and a
> password form field entry against a list in a text file (assuming the
> text file is in a "non-public" folder)? Or is that just stupid?

It will work if the non-public directory is accessible to the webserver
user, and people accessing the site would not be able to read it
directly if it were outside the document root.

You should consider using a database though, rather than a flat file.
You don't give any indication of the scale of your project, but a
database approach would be far cleaner. For example, if you need to add
a new user, a flat file will need to be appended to, or edited and
rewritten. In the case of a database, inserts, edits and deletions can
occur with relative ease.

> if(preg_match("/\b".$userpass_string."\b/",$userpass_data_string))

That should do as you wish it to as you have specified word boundaries.

> I'm also planning on having a grid of 10 X 10 input boxes at the logon
> prompt. Only 2 would actually be for entering the username and password.
> All the boxes would be type="password" giving a "hacker" a 1 in 100
> chance of guessing the correct box for either the username and password.

Is that really necessary? The weakest link in any security will be valid
users. If you change the order of the boxes once a month, all you need
is the 'trusted' administrator to write the current box on a self-
adhesive-note-let-thing**.

> Or is that just stupid? I'm thinking the 2 boxes would be chosen at
> random each time the prompt is viewed. The current box labels would be
> emailed to the known administrator. Or is that just stupid?

... and if two users view the form at the same time, your administrator
gets two emails with different boxes - which belongs to which user? What
if a dozen or more people stumble across your page each day, your admin
will have a few useless emails to deal with, as well as guessing which
email belongs to which *real* user.

TBH, I would look up a few tutorials on logins, look over a few scripts,
and then consider writing a database driven one.

Hope this helps,

Andy


** I used to love those things until I visited places where the server
'root' password was written on them and then fixed to the console screen
- gaaaaaaaaaaaaaaaaggghhhhhhhhhhh!
Colin McKinnon

2004-12-07, 4:01 am

Andy Barfield spilled the following:

> john henry bonham wrote:
> That should do as you wish it to as you have specified word boundaries.
>

My Perl might be a bit rusty, but what's to prevent someone typing in:

.*

\w


...or something else equally esoteric?

C.

Oli Filth

2004-12-07, 4:01 am

Colin McKinnon wrote:
> Andy Barfield spilled the following:
>
>
>
> My Perl might be a bit rusty, but what's to prevent someone typing in:
>
> .*
>
> \w
>
>
> ...or something else equally esoteric?
>
> C.
>


Exactly. The standard advice is "never pass user-input directly to
database/file-access functions". Always validate it for gayness like this
beforehand.

Oli
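The point Colin and Oli make is that the submitted username and password become part of the pattern, so inputs such as ".*" or "\w" are interpreted as regex syntax rather than as credentials. Below is an added example (not code from the thread) of the same flat-file check done without putting user input into a pattern at all; the sample user list, the helper names and the file format handling are constructed for illustration.

```php
<?php
// Added example, not from the thread: a login check that never feeds the
// submitted values into a regular expression. The list below is a
// constructed sample in the thread's "username_password" format; in practice
// it would be read from a file outside the document root (path is an assumption).
declare(strict_types=1);

$userpassData = "alice_s3cret bob_hunter2 carol_letmein";

// Parse the whitespace-separated list once into a username => password map.
// Splitting on the LAST underscore keeps a username like "john_henry" intact.
function parseUserList(string $data): array {
    $map = [];
    foreach (preg_split('/\s+/', trim($data)) as $entry) {
        $pos = strrpos($entry, '_');
        if ($pos === false) {
            continue; // malformed entry, skip it
        }
        $map[substr($entry, 0, $pos)] = substr($entry, $pos + 1);
    }
    return $map;
}

// Exact comparison: hash_equals() compares two strings byte for byte in
// constant time, so regex metacharacters in the input carry no meaning here.
// Storing password_hash() output and checking with password_verify() would be
// preferable to plaintext; plaintext is kept only to match the thread's format.
function checkLogin(array $users, string $username, string $password): bool {
    if (!isset($users[$username])) {
        return false;
    }
    return hash_equals($users[$username], $password);
}

$users = parseUserList($userpassData);

// The inputs Colin mentions are just literal strings to this check and fail,
// while the real credentials succeed.
var_dump(checkLogin($users, 'alice', 's3cret'));
var_dump(checkLogin($users, '.*', '.*'));
var_dump(checkLogin($users, 'alice', '\w'));

// If the original preg_match() approach must be kept, preg_quote() escapes the
// metacharacters so the combined string is matched literally, not as a pattern.
$needle = preg_quote('alice' . '_' . 's3cret', '/');
var_dump(preg_match('/\b' . $needle . '\b/', $userpassData) === 1);
```

The preg_quote() fallback still shares the original design's weaknesses (plaintext storage, word-boundary matching against one big string), so the map-and-compare version is the one to build on.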