  1. #1

    [PHP] Is this safe enough?

    Hello,

    Long time since I've been on this forum. Well, I started learning PHP again, lol, and I understand it more than I did before. I was just wondering if this login and config script was safe enough to use? Maybe you guys could give me tips on how to make it better? Thx :]

    login.php
    PHP Code:
    <?php
    ob_start(); //output buffering, so headers and cookies can still be sent after output
    session_start(); //allow sessions
    include ("config.php"); //connects to the Database
    include ("functions.php"); //includes the function file

    $check = ''; //checkbox attribute, only set when the remember-me cookie exists
    $remembered = ''; //username to pre-fill in the form
    if (isset($_COOKIE['remember_panel_user'])){
    $check = 'CHECKED';
    $remembered = $_COOKIE['remember_panel_user'];
    }
    if ($log != 1){ // user is NOT logged in yet ($log is set to 1 by config.php)
    if (!isset($_POST['submit'])){ //checks if the form was submitted
    //Post wasn't submitted so we show the form
    echo ("
    <html>
    <head>
    </head>
    <body>
    <center><form method='POST'><br>
    Username: <input type='text' size='15' maxlength='12' name='username' value='$remembered'><br>
    Password: <input type='password' size='15' maxlength='12' name='password'><br>
    Remember Username? <input type='checkbox' name='remember' $check><br>
    <input type='submit' name='submit' value='Login'>
    </form></center>
    </body>
    </html>
    ");
    }
    else{
    //post was submitted so we move on
    $username = secure($_POST['username']); //sets variables and removes symbols
    $password = sha1(md5($_POST['password'])); //encodes the entered password
    $ticket = rand(1000000000,9999999999); //makes a ticket (rand() cannot go above getrandmax(), 2147483647 on most builds)
    $remember = isset($_POST['remember']) ? $_POST['remember'] : ''; //sets variable

    if (empty($username)) //if username field is empty
    {
    die ("<center>All fields must be filled in. (Missing username)<br> If you're not redirected in 10 secondes <a href='login.php'><font color='black'><b>Click Here</a><meta HTTP-EQUIV='REFRESH' content='4; url=login.php'>");
    //die, the field was empty
    }

    $userpass = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
    $userpass = mysql_fetch_array($userpass); //query that selects the information

    $uid = $userpass['id']; //gets the user's id
    $ua = sha1(md5($_SERVER['HTTP_USER_AGENT']));

    if($userpass['password'] != $password) { //if the password in the database does not equal the one entered
    echo ("<meta HTTP-EQUIV='REFRESH' content='3; url=login.php'>Wrong username or password.<br><br><br>You will be redirected<br> If you're not redirected in 5 secondes <a href='login.php'><font color='black'><b>Click Here</a>");
    //shows wrong username or password
    }else{
    $set_ticket = mysql_query("UPDATE users SET ticket = sha1(md5($ticket)) WHERE username = '$username'") or die(mysql_error());
    //enters the ticket in the database (hashed by MySQL's own sha1() and md5())
    setcookie("panel_pass", md5($ticket), time()+3600);
    //enters the md5'd ticket in a cookie
    $_SESSION['panel_pwd'] = $password;
    //enters the hashed password in a session
    $_SESSION['panel_uid'] = $uid;
    //enters id in a session
    $_SESSION['panel_ua'] = $ua;
    //enters the user's HTTP agent in a session for security reasons

    if ($remember != 'on'){ //if the remember me box was NOT checked
    setcookie("remember_panel_user", "", time()-9999); //destroy the remember me cookie
    }else{
    setcookie("remember_panel_user", "$username", time()+9999); //enter the username in a cookie
    }

    echo ("<center><meta HTTP-EQUIV='REFRESH' content='0; url=login.php'><br><br>You will be redirected<br> If you're not redirected in 10 secondes <a href='login.php'><font color='black'><b>Click Here</a>");
    //If everything is ok refresh the page
    }
    }
    }
    else
    {
    echo("Hello $logged[username], how are you today?<br><a href='logout.php'>Logout</a>");
    //Show page content
    }
    ?>
    config.php
    PHP Code:
    <?php
    ob_start(); //output buffering, so headers and cookies can still be sent after output
    session_start(); //allow sessions

    session_regenerate_id(true); //gives the user a new session id on every request

    $conn = mysql_connect("localhost","",""); //Database connection information (credentials blanked out in the post)
    mysql_select_db() or die(mysql_error()); //selects the database (name left out of the post)

    $log = 0; //set to 1 below only when every check passes
    $check_ticket = isset($_COOKIE['panel_pass']) ? sha1($_COOKIE['panel_pass']) : ''; //Encodes the cookie ticket the way the database stores it

    $logged = mysql_query("SELECT * from users WHERE id = '$_SESSION[panel_uid]'"); //Query
    $logged = mysql_fetch_array($logged);

    if ($_SESSION['panel_pwd'] != $logged['password']){ //Check to see if the session pwd is equal to the user's password
    echo ("Wrong username or password.<br><br>You will be redirected<br> If you're not redirected in 10 secondes <a href='login.php'><font color='black'><b>Click Here</a>");
    }elseif (!isset($_SESSION['panel_ua'])){ //Checks to see if session exists
    }elseif ($_SESSION['panel_ua'] != sha1(md5($_SERVER['HTTP_USER_AGENT']))){ //Compares the session user agent with his current one
    echo ("<center>Session has died.<br>Please login again.");
    session_destroy(); //destroys the session
    exit(0);
    }elseif ($check_ticket != $logged['ticket']){ //compares the ticket in the cookie and the one in the database
    echo ("<center>Session has died.<br>Please login again.");
    }else{
    $log = '1'; //puts log to 1 because the user is logged in
    }
    ?>
    Thanks,
    Waz
    Last edited by wazup999; 05-11-2008 at 10:36 PM.


  2. #2

    I'm no expert on sessions, but please post functions.php so we can see secure();

  3. #3

    Here's the function page :]
    PHP Code:
    <?php
    function secure($str) {
    $str = strip_tags($str); //drop HTML tags
    $str = htmlspecialchars($str); //encode what's left for HTML output
    $str = trim($str); //remove surrounding whitespace
    $str = stripslashes($str); //remove any backslashes already added
    $str = mysql_real_escape_string($str); //escape for the SQL query (needs an open connection)
    return $str;
    }
    ?>
    Waz


  4. #4

    Quote Originally Posted by wazup999:
    Here's the function page :]
    PHP Code:
    <?php
    function secure($str) {
    $str = strip_tags($str);
    $str = htmlspecialchars($str);
    $str = trim($str);
    $str = stripslashes($str);
    $str = mysql_real_escape_string($str);
    return $str;
    }
    ?>
    Waz
    You don't need stripslashes unless you have used addslashes somewhere, I believe.

    All you really need is mysql_real_escape_string to secure it for the DB, but obviously if you're removing HTML you will need what you have. Yeah, it looks like a safe function.

  5. #5

    OK, thanks.
    I was always told to strip slashes on another forum, or maybe it was strip tags? lol

    But I also wanted to know if it was safe enough so people can't steal a person's session id, cookies or login info. I've read many blogs and forums talking about id fixation and stealing cookies, etc., so I also want to know how to make it safer in that area too.

    Thanks again, lol
    Waz ;]

    Merged by Meti (Forum Moderator): Due to forum lag
    Last edited by Meti; 08-11-2008 at 08:51 PM.
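The user lookup and session setup from login.php in post #1, rebuilt here as an added example (not code from the thread) around a prepared statement, password_hash()/password_verify() and session-fixation protection, which is what the session-id and cookie question in this post is about. The PDO handle, the password_hash column name and the DSN/credentials are assumptions.

```php
<?php
// Added example, not code from the thread: the user lookup and session setup
// from login.php in post #1 rebuilt around a prepared statement,
// password_hash()/password_verify() and session-fixation protection.
// Assumed: a PDO handle, a `users` table with columns id, username and
// password_hash (column name assumed), PHP >= 7.3 for the array form below.

// Use instead of a bare session_start(): HttpOnly keeps the session cookie away
// from page scripts, Secure keeps it off plain HTTP, SameSite limits cross-site
// sending (the "stealing cookies" worry in the post above).
function start_secure_session(): void
{
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Returns the user id on success, null on failure; one message for both
// "no such user" and "wrong password" so usernames cannot be probed.
function login_user(PDO $pdo, string $username, string $password): ?int
{
    // Placeholder binding: the username never becomes part of the SQL text,
    // so no secure()/mysql_real_escape_string() step is needed for the query.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the salted, slow hash (bcrypt by default) stored
    // at registration with password_hash($plain, PASSWORD_DEFAULT), in place of
    // comparing unsalted sha1(md5($password)) values.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // New session id only after authentication: an id planted in the browser
    // before login ("id fixation" above) is never promoted to a logged-in one.
    // Regenerating on every request, as config.php does, is not needed for this.
    session_regenerate_id(true);
    $_SESSION['panel_uid'] = (int) $row['id'];
    $_SESSION['panel_ua'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return (int) $row['id'];
}

start_secure_session();
// DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (isset($_POST['username'], $_POST['password'])) {
    $uid = login_user($pdo, (string) $_POST['username'], (string) $_POST['password']);
    echo $uid === null ? 'Wrong username or password.' : 'Logged in.';
}
```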


  6. #6

    Jackboy, gpc magic quotes is on by default; this means all GET, POST and COOKIE values have slashes added, although magic_quotes_sybase will override this. I see an ever increasing number of people using this despite not realising that their input is likely to be slashed already, so it ends up being double slashed. You might want to look into this, wazup999.

  7. #7

    If I understand what you are saying, if I wrote /" it would come out as //"?

    I'm not sure if that is what you meant, lol.

    I'm really paranoid with security :] I want to learn the most I can about making a secure script before going into making cool and very useful scripts. If you want something good, well, you need to protect your users, right?

    Waz ;]
    Last edited by wazup999; 07-11-2008 at 12:14 AM.


  8. #8

    No, what I'm saying is: if gpc magic quotes is enabled and not overridden, your input, say "It's a nice day", would be slashed automatically and become "It\'s a nice day", so by doing it a second time (your own addslashes) it will become "It\\'s a nice day".

  9. #9

    Oh my, lol.
    That would be kind of funny, wouldn't it? x]

    Well, guess I'd better leave that there, right?

    Thanks again,
    Waz ;]
    Last edited by wazup999; 07-11-2008 at 02:00 AM.


  10. #10

    Well, again, it's up to you. Some servers have it enabled and some don't; you can look at the function get_magic_quotes_gpc to see if it's enabled, but again it is overridden by magic_quotes_sybase, so also check what magic_quotes_sybase is set to. Yeah, it's a pain. It's not hard if you're only developing for yourself; if that's the case, simply escape if your server has it disabled, and if not, don't escape it.
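One way to put the advice in the last few replies into code, as an added example (not from the thread): check get_magic_quotes_gpc() and magic_quotes_sybase, undo what the server already added, and escape once at the point the value goes into SQL, then walk through the "It's a nice day" case from above. The mysqli connection $db is an assumption.

```php
<?php
// Added example, not code from the thread: undo magic quotes exactly once,
// then escape exactly once, as the reply above recommends. Assumes a PHP 5.x
// server; magic quotes were removed in PHP 5.4, get_magic_quotes_gpc() always
// returns false from 5.4 on and is gone in PHP 8, where from_request() below
// simply becomes a no-op.

// Pure helper so the behaviour can be exercised without changing php.ini:
// $gpc_on mirrors magic_quotes_gpc, $sybase_on mirrors magic_quotes_sybase.
function strip_magic_quotes(string $value, bool $gpc_on, bool $sybase_on): string
{
    if (!$gpc_on) {
        return $value;                         // nothing was added, nothing to remove
    }
    if ($sybase_on) {
        return str_replace("''", "'", $value); // sybase style doubles quotes instead of backslashing
    }
    return stripslashes($value);               // undo the addslashes() PHP applied to GET/POST/COOKIE
}

// Reads the live settings: magic_quotes_sybase overrides the escaping style,
// so both have to be checked, as the reply above says.
function from_request(string $value): string
{
    $gpc = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    $sybase = (bool) ini_get('magic_quotes_sybase');
    return strip_magic_quotes($value, $gpc, $sybase);
}

// Escape once, at the point the value goes into SQL. $db is an assumed mysqli
// connection; a prepared statement would make this step unnecessary.
function sql_value(mysqli $db, string $raw): string
{
    return mysqli_real_escape_string($db, from_request($raw));
}

// Walk through the "It's a nice day" case from the reply above, using
// addslashes() to simulate what magic_quotes_gpc does to $_POST before the
// script sees it.
$typed = "It's a nice day";
$seen_by_script = addslashes($typed);           // what a magic-quotes server hands the script
$double_slashed = addslashes($seen_by_script);  // escaping again: the double-slash bug
$escaped_once = addslashes(strip_magic_quotes($seen_by_script, true, false));
echo $double_slashed, "\n", $escaped_once, "\n";
// Sybase style: the quote arrives doubled, not backslashed.
echo strip_magic_quotes("It''s a nice day", true, true), "\n";
```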
