Re: [PHP] Password Protection] -- My solution

2005-02-18 Thread Christophe Chisogne
Mailit, LLC wrote:
>    $userName = $_POST['userName'];
>    $passw = $_POST['passw'];
> (...)
>    $cmd = "SELECT * FROM theTable "
>    .  "WHERE userName='$userName' ";
>    $res = mysql_query( $cmd ) or die( "Password search failed." );

Without validating userName in $_POST, that code is vulnerable
to SQL injection, for example if userName starts with a single quote...
See the PHP Security Guide on 'SQL Injection'
http://phpsec.org/projects/guide/3.html#3.2

>    $passe = crypt( $passw, $rec['ePass'] );
>    if( $passe == $rec['ePass'] )

It seems that the above vulnerability can't be exploited,
but I think it's better to be aware of it.
Christophe
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
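
The fix for the query discussed in the reply above, as an added example that is not part of the original thread: the same lookup with a bound parameter instead of string interpolation. The table and column names follow the post; the in-memory SQLite database, the sample accounts, the function names checkLogin() and loginFromPost(), and the use of password_hash()/password_verify() in place of bare crypt() are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. 'theTable', userName and ePass
// follow the post; the SQLite in-memory database and the sample rows are
// constructed so the script runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE theTable (userName TEXT PRIMARY KEY, ePass TEXT NOT NULL)');

// Constructed sample accounts; password_hash() output is crypt()-compatible.
$insert = $db->prepare('INSERT INTO theTable (userName, ePass) VALUES (?, ?)');
$insert->execute(['mario', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", password_hash('battery staple', PASSWORD_DEFAULT)]);

function checkLogin(PDO $db, string $userName, string $passw): bool
{
    // The placeholder keeps $userName out of the SQL text entirely, so a
    // quote in the value cannot end the string literal the way it does in
    // "WHERE userName='$userName'".
    $stmt = $db->prepare('SELECT ePass FROM theTable WHERE userName = :u');
    $stmt->execute([':u' => $userName]);
    $ePass = $stmt->fetchColumn();
    if ($ePass === false) {
        return false; // no such user
    }
    // Recomputes the hash with the stored salt and compares in constant time.
    return password_verify($passw, $ePass);
}

// Type checks stand in for the validation the original skipped: anything
// that is not a plain string is rejected before it reaches the query.
function loginFromPost(PDO $db, array $post): bool
{
    $userName = $post['userName'] ?? null;
    $passw    = $post['passw'] ?? null;
    if (!is_string($userName) || !is_string($passw) || $userName === '') {
        return false;
    }
    return checkLogin($db, $userName, $passw);
}

// Constructed requests: two valid logins (one name contains a single quote),
// a wrong password, and a non-string userName.
var_dump(loginFromPost($db, ['userName' => 'mario', 'passw' => 'correct horse']));
var_dump(loginFromPost($db, ['userName' => "o'brien", 'passw' => 'battery staple']));
var_dump(loginFromPost($db, ['userName' => "o'brien", 'passw' => 'wrong']));
var_dump(loginFromPost($db, ['userName' => ['x'], 'passw' => 'y']));
```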


Re: [PHP] Password Protection] -- My solution

2005-02-17 Thread Mailit, LLC

--- Begin Message ---
Here is the setup that I have used.
Please, adapt to your needs.
Table 'theTable' is supposed to contain columns fname, mname, lname
and ePass (encrypted password). The crypt() function produces a password
that cannot be decrypted and really works well.
Of course, you need to use crypt() in the PHP script that creates a row in
'theTable'.


<?php
#-- code starts here --#
$retry = 0;
$action = isset( $_POST['action'] ) ? $_POST['action'] : '';
if( !empty( $action ) )
{
   $userName = $_POST['userName'];
   $passw = $_POST['passw'];

   # Bring the encrypted password and creation date from database:
   $cmd = "SELECT * FROM theTable "
   .  "WHERE userName='$userName' ";
   $res = mysql_query( $cmd ) or die( "Password search failed." );
   $numRows = mysql_num_rows( $res );
   if( $numRows == 0 )
   {
      print( "$userName not a valid user name." );
      exit;
   }
   $rec = mysql_fetch_array( $res );
   $privLevel = $rec['level'];
   $nome = $rec['fname']." ".$rec['mname']." ".$rec['lname'];
   # Encrypt the password, using the stored hash as the salt:
   $passe = crypt( $passw, $rec['ePass'] );
   if( $passe == $rec['ePass'] )
   {
      /* Bring up the home page */
      print( "WELCOME TO MY HOME PAGE" );
      exit;
   }
   else
   {
      $retry = 1;
   }
}
if( $retry )
   print("Incorrect Login - Please, try again.");
?>

   User Name :

   Password :

Mario


Kevin Javia wrote:
> I am experimenting on my site and I want to make it password protected like
> www.realsolution.com.
> If any one enters correct user name and password, only then they will be
> able to enter into my site.
> How can I do that in PHP?
> Any ideas? Thanks a ton in advance.

--- End Message ---

Re: [PHP] Password Protection

2005-02-16 Thread Joe Wollard
Kevin,
I'm having some issues with my email client right now so I'm sorry if 
you've already found the answer. There is a way for PHP to do this 
without the need to modify your web server's configuration or bothering 
with .htaccess/ .htpasswd files by simply modifying the http headers 
that your pages produce. I'm not about to try to give you a working 
example as the fine folks at phpmyadmin have already done this in the 
form of an authentication library. If you have phpMyAdmin installed look 
in the "libraries/auth" directory for a file called "http.auth.lib.php". 
If not you can get it from www.phpmyadmin.net

Like I said, it is in library form so you can use it in your program as 
well (be sure to give credit  per the GPL) but I haven't done so, so I'm 
not sure how much modification might be needed.

Cheers!
Bret Hughes wrote:
> On Wed, 2005-02-16 at 21:31, Kevin Javia wrote:
> > I am experimenting on my site and I want to make it password protected like
> > www.realsolution.com.
> > If any one enters correct user name and password, only then they will be
> > able to enter into my site.
> > How can I do that in PHP?
> > Any ideas? Thanks a ton in advance.
>
> Chances are this is not a php thing at all but uses the webserver's
> authentication infrastructure.  It depends on the server being used.
> The apache manual has a very good write up on authentication options
> available:
>
> See if this gets you started:
> http://httpd.apache.org/docs-2.0/howto/auth.html
> Bret

Re: [PHP] Password Protection

2005-02-16 Thread Burhan Khalid
Kevin Javia wrote:
> I am experimenting on my site and I want to make it password protected like
> www.realsolution.com.

http://www.zend.com/zend/tut/authentication.php


Re: [PHP] Password Protection

2005-02-16 Thread Bret Hughes
On Wed, 2005-02-16 at 21:31, Kevin Javia wrote:
> I am experimenting on my site and I want to make it password protected like
> www.realsolution.com.
> 
> If any one enters correct user name and password, only then they will be
> able to enter into my site.
> 
> How can I do that in PHP?
> 
> Any ideas? Thanks a ton in advance.


Chances are this is not a php thing at all but uses the webserver's
authentication infrastructure.  It depends on the server being used. 
The apache manual has a very good write up on authentication options
available:

See if this gets you started:

http://httpd.apache.org/docs-2.0/howto/auth.html


Bret




[PHP] Password Protection

2005-02-16 Thread Kevin Javia
I am experimenting on my site and I want to make it password protected like
www.realsolution.com.

If any one enters correct user name and password, only then they will be
able to enter into my site.

How can I do that in PHP?

Any ideas? Thanks a ton in advance.




[PHP] password protection/encryption

2003-12-06 Thread Chris Mach
Greetings,

I'm working on a project that involves a password protected area of a
website. Someone also involved brought up the point that this area should
be secure (With the lock icon indicating it is encrypted).

In this particular project the password protected area will be a quote
generating system for a company. Users would log in and choose the products
they are interested in purchasing and the site would generate a quote
depending on what they selected from the list of products.

So my question is..

 At what point is encryption necessary? I've always thought encryption was
only needed when dealing with stuff like credit card information, am I
wrong?

 How secure is a password protected page done with just PHP?

Thanks
Chris




RE: [PHP] password protection

2001-01-25 Thread James Atkinson

The only way to keep a password secure between the client and server is to
use a Secure Socket Layer (SSL) to create an encrypted channel of
communication between the client and server. You can see this in practice
over at Sourceforge.net. They use PHP over an SSL connection to handle user
logins.

Do a search on Google for 'SSL' and start reading :)

- James

> -Original Message-
> From: Bill Rausch [mailto:[EMAIL PROTECTED]]
> Sent: January 25, 2001 4:54 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] password protection
>
>
> Hi all,
>
> This isn't strictly a PHP issue but is quite related.  Given that you have
> a PHP-driven web site with user authorization and session
> identifiers etc.,
> what can you do to prevent electronic "snooping" of the clear
> text password
> that is passed from the browser to the server?  When filling out a form,
> for example:
>
> Enter your user name and password:
> ...
> 
> User Name:
> 
> 
> Password:
>  MAXLENGTH="15">
> 
> 
> 
> ...
>
> the TYPE="password" makes sure the browser doesn't echo the password as it
> is typed but it is still sent to the web server as clear text.  How do
> folks deal with this issue?
>
> Thanks,
> Bill
> ---
>  Bill Rausch, Software Development, Unix, Mac, Windows
>  Numerical Applications, Inc.  509-943-0861   [EMAIL PROTECTED]
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]






[PHP] password protection

2001-01-25 Thread Bill Rausch

Hi all,

This isn't strictly a PHP issue but is quite related.  Given that you have
a PHP-driven web site with user authorization and session identifiers etc.,
what can you do to prevent electronic "snooping" of the clear text password
that is passed from the browser to the server?  When filling out a form,
for example:

Enter your user name and password:
...

User Name:


Password:




...

the TYPE="password" makes sure the browser doesn't echo the password as it
is typed but it is still sent to the web server as clear text.  How do
folks deal with this issue?

Thanks,
Bill
---
 Bill Rausch, Software Development, Unix, Mac, Windows
 Numerical Applications, Inc.  509-943-0861   [EMAIL PROTECTED]
