Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Try out my first PHP web app!

Viewing 15 posts - 61 through 75 (of 211 total)
  • #178001
    __
    Participant

    //query the database to see if the username entered by the user exists
    //after the DB grabs any username that would match, use num_rows to return a value
    //if num_rows returns a value greater than 0; run a query to validate the passwords.

    There’s not really any point in this. Just query for the hash that matches the username: if there’s no match for the username, you’ll get an empty result.

    Also, you are still putting user-provided values directly into your SQL statement. This is a severe vulnerability. I could do whatever I like with your database. I strongly recommend you use prepared statements.

    The code you posted here could be more succinctly rewritten as:

    <?php
    session_start();
    
    require 'connection.php';   // assumed to define $con, the mysqli link (mysqli_prepare needs it)
    $stmt = mysqli_prepare( $con,'select password from users where username=?' );
    $username = $_POST['username'];   // bind_param takes its arguments by reference
    mysqli_stmt_bind_param( $stmt,'s',$username );
    mysqli_stmt_execute( $stmt );
    $hash = '';   // stays empty when no row matches, so password_verify simply fails
    mysqli_stmt_bind_result( $stmt,$hash );
    mysqli_stmt_fetch( $stmt );
    
    if( password_verify( $_POST['password'],$hash ) ){
        // GOOD
    }
    else{
        // BAD
    }
    

    * I prefer (and recommend) object-oriented style, but I’m using the procedural style here since you seem more comfortable with it.

    Your password creation script might look something like this (with any other desired logic/checks/parameters added):

    <?php
    session_start();
    
    require 'connection.php';   // assumed to define $con, the mysqli link
    $stmt = mysqli_prepare( $con,'insert into users(username,password) values(?,?)' );
    $username = $_POST['username'];   // bind_param takes its arguments by reference
    $newhash = password_hash( $_POST['password'],PASSWORD_BCRYPT,array('cost'=>12) );
    mysqli_stmt_bind_param( $stmt, 'ss', $username, $newhash );
    if( mysqli_stmt_execute( $stmt ) && (mysqli_stmt_affected_rows( $stmt ) === 1) ){
        // worked
    }
    else{
        // didn't
    }
    
    #178052
    __
    Participant

    I saw online that some people mix the 2 insecure sha1 and md5 hash functions to make something pretty secure. Is that true?

    No, certainly not.

    One of the principles you need to work by is that knowing your hashing procedure should not be of any help in breaking it. Put another way, if your password handling is “secure,” you should be able to publish your script without worry. As soon as one knows (realizes, guesses) that you’re doing “md5,sha1,md5”, it’s just as easy to crack as before.

    Bcrypt really is the least you should be using. If you share the script that you couldn’t get to work, we might be able to figure out what was going wrong. What version of PHP do you use?

    #178181
    __
    Participant

    instead of comparing passwords with the hash, you were comparing the string literal '$login_pass'.
    —BenWalker


    @drose379, this is exactly what I’ve been trying to get at: as soon as you shared the actual code you were using, someone found the mistake.

    Therefore:

    what do you think the reason is that the form does not accept apostrophes?

    No idea. Show us the code if you want help.

    I’m thinking it’s because of the strip_tags($username) I have in there.

    Why would strip_tags affect apostrophes in any way?

    I used a framework called PHpass which has a pretty good reputation.

    It does have a good reputation, which was well earned… when md5 and sha1 were the standard. Provided you are using the most current release, and are ensuring that it is using bcrypt, it should be fine… no better, but fine.

    The password functions are still recommended. They present a more streamlined process, and do not offer the less secure “fallbacks” that phpass supports. Since you’re using 5.5 you’ll also benefit from using a core function: ongoing development, security patches, and so forth.

    #178239
    __
    Participant

    How did someone register with a username containing <script> tags?

    I’ll explain exactly how. Show us the script that handles registration.

    In the meantime, think carefully about every spot on your site where you print out usernames and how you do it.

    #178433
    __
    Participant

    Enough. Stop asking about code only you can see. You have multiple people who’ve offered to help – persisting with these sorts of questions but no code is becoming rude.

    #178478
    chrisburton
    Participant

    I would post the code to my forum page, but I want to rewrite it first. I think it’s a bit messy at the moment.

    Post it here, not on your forum. No one is going to switch to another forum just to see your code or to continue this discussion. That would be pointless and creates more headaches.

    Just make sure if you need further help that you provide your code before anything else or I’m sure everyone will become increasingly annoyed and move on.

    #179117
    __
    Participant

    @BenWalker

    +1

    #179122
    __
    Participant

    I don’t know why you guys keep going back to the code when I’m not asking for code-based feedback. I was simply asking you to tell me if a feature works.

    We cannot know if a feature “works” by trying it out a few times. Maybe a few hundred times (maybe), but I think you’ll understand when I say that it’s unreasonable to expect people to do that. Even if we were to commit that kind of effort, behind-the-scenes all kinds of things might be going wrong that aren’t readily apparent to us.

    You actually have a better chance of finding problems through front-end testing, because you know how it works and what is supposed to/not supposed to happen.

    A code review is more likely to find problems and lead to useful solutions. If you’re worried about the quality of your code: no one is here to make fun of you; we’re offering to help. If you’re worried that disclosing your code will create a security risk: if so, then your code already is at risk, and a review will help fix it.

    I could see where you are coming from if I was asking you what was wrong with my code, and then showing no code. But I’m simply asking you to test a feature.

    This is not true. By asking us to determine if a feature “works,” you are indeed asking whether the code works.

    Usability testing is useful if you’re ironing out the UI/UX. It’s not useful at all for finding bugs/problems in your back-end code. You’re asking the exact opposite: “ignore the unfinished UX, tell me if the backend works.”

    To be blunt, a code review would not be a waste of time.

    #179124
    __
    Participant

    I’m not trying to be rude. I hope I haven’t caused offense. I am honestly concerned that this approach has been a waste of your time …not what I would want.

    #179192
    __
    Participant

    I’m glad you’re finding the process useful.

    As am I.

    <html>
    
    <?php
    session_start();

    Have you tried this?

    You need to start your session before sending any output to the browser. A while back, I was discussing the basics of how HTTP actually works — might be helpful for you.

    In general, to avoid problems like this (and others; e.g., error handling), I like to make sure all of my “business” logic —i.e., code that “does” stuff— comes first, and all of my “view” code —code that displays stuff— comes last.

    Before, I was using POST methods …

    Using GET is entirely appropriate, in this case. The difference between GET and POST is actually very simple. GET is for getting information from the server. Think of it as access. POST is for giving information to the server (i.e., adding/changing data). Think of it as writing, or saving.

    $var = $_GET['titleval'];
    $query = mysqli_query($con, "SELECT * FROM forum WHERE post_title = '$var'");

    This code is vulnerable to SQL injection and/or errors. As a harmless (but scary) example, I can write my own SQL like so.

    Never trust user input. It would be best if you used prepared statements, instead of building your query with variables. But at the very least, you need to sanitize the variables that hold user input (i.e., using mysqli_real_escape_string).

    You later echo the same variable ($var), which is an XSS vulnerability. The appropriate sanitization function there is htmlspecialchars.
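    As an added example (not code from this thread), here is the post lookup quoted above rewritten with the fixes this reply recommends: session started before any output, a prepared statement instead of string-building, and htmlspecialchars applied where the value is printed. It assumes connection.php defines $con (a mysqli link) and that the forum table has post_title and post_body columns (post_body is an assumption).

```php
<?php
// Added example, not the original poster's code. Assumes connection.php
// defines $con (mysqli link) and a table `forum` with post_title, post_body.
session_start();                      // before any output, so headers can still be sent
require 'connection.php';

// 1. "Business" logic first: read input, query with a prepared statement.
//    The title travels as a bound parameter, never as part of the SQL text,
//    so apostrophes, quotes and comment markers in it are plain data.
$title = isset($_GET['titleval']) ? $_GET['titleval'] : '';

$stmt = mysqli_prepare($con, 'SELECT post_title, post_body FROM forum WHERE post_title = ?');
if (!$stmt) {
    die('prepare failed');            // keep error text out of the page; log it instead
}
mysqli_stmt_bind_param($stmt, 's', $title);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $postTitle, $postBody);
$found = mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);

// Escape once, at the point where a value becomes HTML, not at input time
// (strip_tags at input is what mangles legitimate text, as discussed above).
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 2. "View" code last: every user-controlled value goes through h() on output,
//    so a title or body containing <script> tags is displayed as text, not run.
?>
<html>
<body>
<?php if ($found): ?>
    <h1><?= h($postTitle) ?></h1>
    <div><?= h($postBody) ?></div>
<?php else: ?>
    <p>No post titled "<?= h($title) ?>" was found.</p>
<?php endif; ?>
</body>
</html>
```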

    #179200
    __
    Participant

    I want to start getting deeper into security …

    Two very simple rules.

    1. Never trust the user
    2. that’s it

    #179203
    __
    Participant

    “this” site? css-tricks?

    Sometimes… but nothing serious. and not recently. Just the amount of traffic it gets, for the most part.

    Yes, it does use MySQL. MySQL isn’t really “outdated.” It does a lot of nonstandard things, and its default settings are not optimum, but it’s still a fine program and under active development. If you’re interested, you might look at MariaDB. It’s a drop-in replacement.

    #179212
    __
    Participant

    Depends on what you make use of. For example, do you use foreign keys in your database design? indexing? prepared statements? or do you do everything via phpMyAdmin, and usage is limited to simple select/insert/update statements?

    Maria has great benchmarks, and I am very pleased with its performance, but some (on this forum, in fact, but I forget who) saw worse performance overall… I couldn’t say what caused it, though.

    #179227
    __
    Participant

    is using phpmyadmin to monitor the database bad practice?

    It’s not “bad,” but it’s fairly superficial. I was only asking because, if you’re using phpMyAdmin, it is likely that you’re not using your database in a way where you would notice the differences between MySQL and Maria.

    What do you mean by “indexing” and “foreign keys”

    You’re asking how a database works. It’s far too broad a topic. If you’re interested, great! Go study, come back with questions. In the meantime,

    • an index is like an index in a book.

    Think of a phone book: if you want to find John Smith’s phone number, you don’t start at page one and read until you find it. You look up a page number in the index and flip to the “S” section.

    Likewise, if your database is indexed well, the DB doesn’t need to read every row to find those that match your query.

    • a foreign key describes relationships between data.

    Databases like MySQL are relational databases: they hold data, but their true purpose is to describe relationships between that data so it can be examined in a meaningful way. Every table in your database should describe one specific thing, and nothing else: items/concepts/whatever can be related, but they are separate. Foreign key constraints are how DBs describe those relationships.

    For example, a person might have a phone number, but a phone number isn’t something that describes the person: it’s something the person owns. It doesn’t belong in the person table, it belongs in its own phone number table, with a foreign key that indicates which person it belongs to.

    Do you want a screenshot of what my phpmyadmin looks like?

    No.

    If you’d like me to look at how your database is designed, you can do a query like
    show create table name_of_your_table_goes_here;
    for all the tables in question, and show me the results from that. You can use phpMyAdmin to run this query, of course.
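    An added example (not the poster's code, and not from this thread) showing the person / phone-number design described above as actual MySQL tables, with the unique index the username lookup benefits from and the foreign key that ties a number to its owner, then dumped with show create table. It assumes connection.php defines $con (a mysqli link) with rights to create tables.

```php
<?php
// Added example, not from the thread. Assumes connection.php defines $con,
// a mysqli link allowed to create tables.
require 'connection.php';

$ddl = array(
    // One table per "thing". username is UNIQUE, which also gives the login
    // query (WHERE username = ?) an index instead of a full-table scan.
    'CREATE TABLE IF NOT EXISTS person (
        id       INT UNSIGNED NOT NULL AUTO_INCREMENT,
        username VARCHAR(64)  NOT NULL,
        password CHAR(60)     NOT NULL,   -- bcrypt output is 60 characters
        PRIMARY KEY (id),
        UNIQUE KEY uq_person_username (username)
    ) ENGINE=InnoDB',

    // A phone number is owned by a person, so it lives in its own table and
    // points back with a foreign key. ON DELETE CASCADE removes a person\'s
    // numbers together with the person, leaving no orphaned rows.
    'CREATE TABLE IF NOT EXISTS phone_number (
        id        INT UNSIGNED NOT NULL AUTO_INCREMENT,
        person_id INT UNSIGNED NOT NULL,
        number    VARCHAR(32)  NOT NULL,
        PRIMARY KEY (id),
        KEY ix_phone_number_person (person_id),
        CONSTRAINT fk_phone_number_person
            FOREIGN KEY (person_id) REFERENCES person (id)
            ON DELETE CASCADE
    ) ENGINE=InnoDB',
);

foreach ($ddl as $sql) {
    if (!mysqli_query($con, $sql)) {
        die('DDL failed: ' . htmlspecialchars(mysqli_error($con), ENT_QUOTES, 'UTF-8'));
    }
}

// What the reply above asks for: the definition MySQL actually stored, which
// shows the index and the constraint (or their absence) for each table.
foreach (array('person', 'phone_number') as $table) {
    $res = mysqli_query($con, "SHOW CREATE TABLE `$table`");   // $table is a constant here, not user input
    $row = mysqli_fetch_row($res);
    echo '<pre>' . htmlspecialchars($row[1], ENT_QUOTES, 'UTF-8') . "</pre>\n";
}
```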

    #179239
    __
    Participant

    Use whatever tool gets the job done… At this stage, I would actually recommend using phpMyAdmin

    Yeah. phpMyAdmin is not “professional” or “novice” in and of itself. It’s a good tool and will let you do what you need to do in a convenient and mostly efficient way.

    do you like having beta testers?

    Absolutely. Beta testers aren’t strictly for “finding bugs,” however. They will find some, but their main use is assessing how well-designed your various processes are (for example, Soronbe’s comment about not being able to create a new message is a great “beta tester” revelation that your [new post] button might not be in the most obvious/convenient place).

    If you’ve mostly got friends as a resource, there’s also the idea of “hallway testing,” which is just grabbing a few people, showing them the website, and giving them a task to complete. Ask them to talk about it while they’re doing it. Don’t give feedback or instructions (leave the room, if possible), but watch how they approach the task, what they stumble on, what they get right, and so forth.
