Page 2 of 2, results 11 to 19 of 19
  1. #11 (Join Date: Dec 2007; Posts: 132)

    Well, I don't really know what I'm going to use it for.
    I've been thinking of a DJ panel, but that's already been done by a gazillion people.

    So I might try to make a website with it on my own. But before that I have to make the most secure system, lol. If the login page and config page aren't safe then the users won't be either.

    PHP can be easy, but you always have to think about the security :]

    Waz ;]


  2. #12 (Join Date: Jul 2008; Location: Hastings, UK; Posts: 2,050)

    Don't use short tags! :rolleyes:

  3. #13 (Join Date: Dec 2007; Posts: 132)

    Lol, thanks.

    I didn't really see that.

    Waz ;]


  4. #14 (Join Date: Sep 2005; Location: East London; Posts: 3,028)

    Quote Originally Posted by Iszak:
    Jackboy, magic_quotes_gpc is on by default; this means all GET, POST and COOKIE values are addslashed, although magic_quotes_sybase will override this. I see an ever increasing number of people using this despite not realising that their code is likely to be slashed already, so it ends up being double slashes. You might want to look into this, wazup999.
    POST & GET :S

    I didn't know that, as I have never used stripslashes on them before.
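
The double-escaping problem Iszak describes, shown as an added example (this is not code from the thread or from wazup999's script). It uses a constructed input rather than a real request, guards the `get_magic_quotes_gpc()` call because that function was removed in PHP 8, and, as an addition not discussed in the thread, shows a prepared statement as the way to avoid the addslashes/stripslashes dance entirely. The `users` table, its columns and the `mysqli` connection are assumptions.

```php
<?php
// Added example: magic-quotes-aware input handling for a PHP login script.

// True only when the interpreter still has magic_quotes_gpc and it is on
// (PHP < 5.4 in practice). The guard keeps this working on PHP 7 and 8.
function magic_quotes_on(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Return the value as the user typed it: undo magic_quotes only if it was
// really applied, so a backslash the user entered is never stripped twice.
function raw_input(string $value): string
{
    return magic_quotes_on() ? stripslashes($value) : $value;
}

// Legacy escaping for a SQL string literal, done exactly once on the raw value.
// Prefer find_user() below, which needs no manual escaping at all.
function sql_escape(mysqli $db, string $value): string
{
    return $db->real_escape_string(raw_input($value));
}

// Reproduce the bug with a constructed value: what $_POST['name'] would hold
// with magic_quotes_gpc=On, and what a script that blindly addslashes() again gets.
function show_double_escape(): array
{
    $submitted = "O'Brien";                      // what the user typed
    $gpc       = addslashes($submitted);         // $_POST value under magic_quotes_gpc=On: O\'Brien
    $naive     = addslashes($gpc);               // escaped a second time: O\\\'Brien (wrong)
    $correct   = addslashes(stripslashes($gpc)); // strip first, then escape once: O\'Brien
    return ['naive' => $naive, 'correct' => $correct];
}

// Preferred: a prepared statement sends the username as data, separate from
// the SQL text, so quotes in it can never change the query. Pass raw_input()
// output so magic quotes (if present) do not corrupt the lookup either.
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $row = $stmt->fetch() ? ['id' => (int) $id, 'password_hash' => $hash] : null;
    $stmt->close();
    return $row;
}

// Output side: escape once, at the point of output, for HTML context.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Usage with a live connection (assumed): $user = find_user($db, raw_input($_POST['username']));
print_r(show_double_escape());
```

`show_double_escape()` returns `naive => O\\\'Brien` and `correct => O\'Brien`; the first is what ends up in the database when a script escapes a value that magic_quotes_gpc already escaped. Note that `real_escape_string` and `addslashes` are only safe inside a quoted SQL literal; the prepared statement form has no such caveat.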

  5. #15 (Join Date: Jun 2005; Posts: 4,795)

    Only had a quick glance, but I noticed you are regenerating the session ID on every page load. Do not do this, as you effectively break the client browser's back button and it's not needed. Regenerate the session ID only when the privileges of the client are altered (e.g. when logged in).

  6. #16 (Join Date: Jun 2008; Location: Manchester; Posts: 766)

    Seems pretty secure to me. There's not much point in using strip_tags and htmlspecialchars; one or the other will do. The secure function strips the slashes added by magic_quotes, if there are any, and then adds them itself, so that's okay. An alternative would be to see if magic_quotes was on or not and decide whether to add them depending on that, like Iszak said.
    I don't really see much point in the tickets. The user agent idea is good, but won't stop someone who knows how it works from using stolen cookies. There isn't any way cookies could be stolen from what I've seen of the script so far, though.
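
Session handling the way posts #15 and #16 describe it, as an added example (not code from the thread or from wazup999's script): the session ID is regenerated once, at the privilege change that a successful login is, rather than on every page load, and the user-agent binding is kept as a tripwire that logs the session out on mismatch. The cookie flags at the top are an addition in response to the stolen-cookie point; the `$user` record shape and the use of `password_verify()` are assumptions.

```php
<?php
// Added example: regenerate the session ID at login only, bind it to the user agent.

// Harden the session cookie before the session starts. HttpOnly keeps
// document.cookie from reading it; strict mode rejects IDs the server
// never issued, so an attacker cannot pre-plant (fix) a session ID.
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Hash the UA rather than storing it raw. Anyone who can read the cookie can
// also copy the UA string, so this is a tripwire, not a defence (see post #16).
function ua_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call exactly once, after the credentials have been verified. This is the
// privilege change Jxhn refers to; do NOT call session_regenerate_id() per page.
function login_session(int $userId): void
{
    session_regenerate_id(true);          // new ID, old one deleted
    $_SESSION['user_id']   = $userId;
    $_SESSION['ua']        = ua_fingerprint();
    $_SESSION['logged_at'] = time();
}

// Full teardown: clear data, expire the cookie, destroy server-side state.
function logout_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call on every protected page. Reads the session; never regenerates it,
// so the browser's back button keeps working.
function current_user(): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    if (!hash_equals($_SESSION['ua'] ?? '', ua_fingerprint())) {
        // Cookie presented from a different client: treat as stolen.
        logout_session();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// Login handler. $user is the record looked up for the submitted username
// (assumed shape: ['id' => int, 'password_hash' => string]), or null.
function handle_login(?array $user, string $password): bool
{
    // Same code path for "no such user" and "wrong password" to avoid leaking
    // which usernames exist through timing or different responses.
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    login_session($user['id']);
    return true;
}

// Constructed record for a stand-alone run; a real script would load it from the database.
$demoUser = ['id' => 42, 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)];
var_dump(handle_login($demoUser, 'wrong'));          // bool(false)
var_dump(handle_login($demoUser, 'correct horse'));  // bool(true)
var_dump(current_user());                            // int(42)
```

The one-time `session_regenerate_id(true)` at login is what defeats session fixation; calling it on every request adds nothing against that attack and, as post #15 says, breaks navigation because the ID in a cached page no longer exists.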

  7. #17 (Join Date: Oct 2007; Posts: 824)

    Well it's not safe anymore now that everyone on this forum can see it.

  8. #18 (Join Date: Jun 2008; Location: Manchester; Posts: 766)

    Quote Originally Posted by Fazon:
    Well it's not safe anymore now that everyone on this forum can see it.
    Doesn't mean it's not safe. Just means it would be easier for someone to find vulnerabilities, if there were any.

  9. #19 (Join Date: Dec 2007; Posts: 132)

    @Fazon: I know the risks when I post things on a forum. This is the first login script I've ever done, so of course I'm going to have to re-write it.

    @Jxhn: I always wondered if it was bad to make the ID regenerate on refresh; didn't think it was really that good. And I'm still figuring out the magic quotes thing. The ticket only notifies you that someone has logged in to your account and unluckily has the same UA as you.

    I still feel like it could be even safer. Guess I'll have to search on Google.

    Waz ;]

