
Security concerns for prompt()


brucemand


Just want to be sure that I have grasped (potential) "injections" correctly. Obviously this is simplistic:

function accessadmin() {
	var adminaccess = prompt("Enter admin access");
	if (adminaccess == "iMdL0RDthyG0D")
		window.location.assign("adminpage.php");
}

and best practice would be to ensure input is alphanumeric only. But am I correct in understanding that since the input, assigned to adminaccess, is only being compared and not further processed, there is no danger of injection occurring?


You're right. There's no problems with injection there. But I'll tell you that anybody can access your admin page by looking at your source code.


Dude! I gave you a perfectly useful login framework yesterday. Try to use it. Be aware that you are not limited to storing login data in a database. A simple flat file will work. Here is a function that will do it for you. (I'm just copy/pasting this stuff, BTW.)

function user_is_true($username, $password) {
	// Compare hashes, never plain text: the file stores sha1(password).
	$password = sha1($password);
	$lines = file('security/data.txt', FILE_IGNORE_NEW_LINES);
	// file() returns false if the file cannot be read; treat that as "no users".
	if ($lines === false || count($lines) == 0) {
		return false;
	}
	foreach ($lines as $line) {
		// Each record is "username<TAB>sha1hash".
		list($u, $p) = explode("\t", $line);
		if ($username === $u && $password === $p) {
			return true;
		}
	}
	return false;
}

// execute it like this
if (user_is_true($_POST['user'], $_POST['password'])) {
	// login this guy
}

If you don't know the sha1(), file(), count(), list(), and explode() functions, look them up. That code assumes your login data file looks like this:

5h00m9ty	c22b5f9178342609428d6f51b2c5af4c0bde6a42
ziggypl8guitar	78c9a53e2f28b543ea62c8266acfdf36d5c63e61
ImDeeE66M4N	f3e731dfa293c7a83119d8aacfa41b5d2d780be9

Where each user record ends with a linebreak, the username and password are separated by a tab, and the password is a sha1 hash of the user's plain text password. I am also assuming that the directory where the login file lives is in fact secure. Oh, yeah. No database involved, so no threat of injection.


You're not doing anything with the input that would cause a problem, but I just want to point out that this approach is not secure as a login system.
Yes, I understand that much, was just making sure I fully understood it. One does try to achieve a state of never being addressed by boen_robot! :P
You're right. There's no problems with injection there. But I'll tell you that anybody can access your admin page by looking at your source code.
Heh-heh, I know that too. While this project is going live, it's really targeted at a select group of users who know one another, a few of whom will be said "admins"; in a way, it's sort of bait to see which of this group of users are tech-savvy enough to "View Source". I have another security layer for them afterwards, you see! :)
Dude! I gave you a perfectly useful login framework yesterday. Try to use it. Be aware that you are not limited to storing login data in a database. A simple flat file will work.
Sorry, "Dad", please don't be disappointed! :) This project does not require a robust login system; that said, I do want to know if there are any threats with that "simple system" that I did not consider from my lack of experience (e.g. if someone from outside the group were to find the site). I am in fact using a '.txt' file to store the "username" and "userpwd". A further question would be: if the reading and accessing of said text file all happens server-side, there is no way any visitor can access that file, right? (Outside of guessing what the file is actually called, and even then they would need to conjure up appropriate 'permissions', and that would be hacking the host, right?)
Here is a function that will do it for you. (I'm just copy/pasting this stuff, BTW.)

Thanks for that "template", much appreciated. I do know all those methods quite well, and only sha1() is new, but I'm aware of it for encryption, and that would be my next step in my learning. This is how my code grows organically: as I learn to use sha1(), I will incorporate it into that project, slowly changing the plain text file to one that is encrypted.
I am also assuming that the directory where the login file lives is in fact secure.
If it's on a free web hosting service, what settings should I be looking at in particular?
Oh, yeah. No database involved, so no threat of injection.
No SQL injection, but there are other types of "injection", if I'm using the term correctly. For example, a <textarea> (or even an <input>) without any input checking/validation can manipulate the DOM, albeit only on the client side, but if it's echoed by PHP, then that would be an "injection" also?

If your server is an Apache server (it probably is) then a simple .htaccess file in your secure directory will handle it. This is the only text that goes in the file:

Deny from all

The rule does not apply to your internal file system operations.

---

SQL injection can happen during any kind of SQL query. Injecting HTML or even JavaScript can only happen during an operation that saves text to a file or database and then outputs it again as part of an HTML document. Obviously, you want to guard against unwelcome HTML, but it's not the sort of thing that will take you by surprise. You'll know if you're saving data that will be outputted.
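The HTML/JavaScript injection the question above asks about is worth seeing concretely, because it does not need angle brackets in every context and it happens whether the text is stored first or echoed straight back from the request. The block below is an added example, not code from this thread: it runs under Node.js (no browser needed) and shows a submitted value echoed into a <textarea> and into an attribute, first the way a naive PHP echo would do it and then through the escaping that PHP's htmlspecialchars() with ENT_QUOTES performs, plus the anchored alphanumeric whitelist the first post mentions. The two hostile inputs are constructed for the example.

```javascript
// Escape the five characters that can change meaning inside element content
// or a double-quoted attribute value. Echoing a submitted value without this
// is the HTML injection the thread asks about.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The alternative the first post mentions: refuse anything that is not
// alphanumeric. Anchored, so "abc<script>" fails instead of matching "abc".
function isAlphanumeric(value) {
  return /^[A-Za-z0-9]+$/.test(String(value));
}

// A page that re-displays a submitted comment inside a <textarea>, first the
// way a naive echo does it, then with escaping.
function renderCommentUnsafe(comment) {
  return '<textarea name="comment">' + comment + '</textarea>';
}
function renderCommentSafe(comment) {
  return '<textarea name="comment">' + escapeHtml(comment) + '</textarea>';
}

// The same for a value echoed into an attribute, where a single double quote
// is enough to break out and add an event handler; no < or > needed.
function renderInputUnsafe(user) {
  return '<input name="user" value="' + user + '">';
}
function renderInputSafe(user) {
  return '<input name="user" value="' + escapeHtml(user) + '">';
}

// Constructed hostile inputs: the first closes the textarea and adds a script
// element, the second closes the value attribute and adds an event handler.
const HOSTILE_COMMENT = '</textarea><script>alert(1)</script>';
const HOSTILE_USER = '" autofocus onfocus="alert(1)';

// Checks a test can assert on: did the output gain an element or an
// attribute that the template did not put there?
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}
function hasEventHandlerAttribute(html) {
  return /\son\w+="/i.test(html);
}
function countDoubleQuotes(html) {
  return (html.match(/"/g) || []).length;
}
```

Escaping is applied at output time, in the context the value lands in; the stored text stays as the user typed it. The whitelist is the right tool only when the field genuinely has no business holding anything but letters and digits, which is true of a username and false of a comment.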

