  1. #1
    Senior Coder twodayslate's Avatar
    Join Date
    Mar 2007
    Location
    VA
    Posts
    1,042
    Thanks
    67
    Thanked 39 Times in 39 Posts

    Is this easy to crack?

    http://www.totallyphp.co.uk/scripts/...ect_a_page.htm

    I always thought that this is not a good way to password protect a site but it seems like this is popular.

    Any links to alternatives?
    twitter | Quality Hosting - $5.95/mo*
    Feel free to PM me!

  • #2
    New Coder
    Join Date
    Jan 2008
    Location
    Portugal
    Posts
    17
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Hi, this is crackable only if someone has access to your source code (ie. ftp access), otherwise it's not possible to view the data.

  • #3
    Senior Coder twodayslate's Avatar
    Join Date
    Mar 2007
    Location
    VA
    Posts
    1,042
    Thanks
    67
    Thanked 39 Times in 39 Posts
    OK thanks.

    Every time I access the page though I have to retype the password. Is there one out there that has a cookie or something so it remembers you?

  • #4
    Regular Coder
    Join Date
    Aug 2002
    Location
    Oregon, United States of America
    Posts
    882
    Thanks
    1
    Thanked 9 Times in 9 Posts
    First of all you'll need to look at how limiting that script is. That will only work for password protecting one page, and in addition to that, every time you refresh the page, you'll need to resend the POST data, or you will be "logged out."

    If you are looking to password protect anything of real value, or multiple pages, or if you need login logging, multiple users, login time outs, etc. etc. etc. this is not the way to go.

    This is somewhat secure for the average 14 year old "hacker" but it can easily be brute forced, and without tracking, you would never know it.

    Find something else.
    If I'm postin here, I NEED YOUR HELP!!

  • #5
    Senior Coder twodayslate's Avatar
    Join Date
    Mar 2007
    Location
    VA
    Posts
    1,042
    Thanks
    67
    Thanked 39 Times in 39 Posts

  • #6
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    PHP_SELF is susceptible to XSS, you should change it to something more like SCRIPT_NAME instead.
    Cookies are client side and your script will allow them to inject your SQL on the first block of the code - don't trust that magic quotes GPC is enabled:
    PHP Code:
    // Connects to your Database
    mysql_connect("your.hostaddress.com", "username", "password") or die(mysql_error());
    mysql_select_db("Database_Name") or die(mysql_error());

    // Checks if there is a login cookie
    if (isset($_COOKIE['ID_my_site']))

    // if there is, it logs you in and directs you to the members page
    {
        $username = $_COOKIE['ID_my_site'];
        $pass = $_COOKIE['Key_my_site'];
        // The cookie value goes into the SQL text unescaped
        $check = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
    Same goes with the submission from the form.

    Anything that goes to a database from the client (whether it is from forms or cookies) should be stripped. So, first step is to run against a stripslashes based function (writing on the fly so hopefully it will work :P)
    PHP Code:
    // Only undo the automatic escaping when magic quotes GPC is actually on
    if (get_magic_quotes_gpc())
    {
        // Recursively removes the slashes magic quotes added to a value or array
        function recurseStrip(&$strip)
        {
            if (is_array($strip))
            {
                // Don't care otherwise:
                foreach ($strip AS $key => &$val)
                {
                    if (is_array($val))
                    {
                        recurseStrip($val);
                    }
                    else if (is_string($val))
                    {
                        $val = stripslashes($val);
                    }
                }
            }
            else if (is_string($strip))
            {
                $strip = stripslashes($strip);
            }
        }

        recurseStrip($_GET);
        recurseStrip($_POST);
        recurseStrip($_COOKIE);

        // Bleh, cookies don't make any sense in here to me:
        $_REQUEST = array_merge($_GET, $_POST);

        set_magic_quotes_runtime(0);
    }

    Hmm, hold on will that work......... yeah, it looks ok. Files are a special case BTW and require a different type of stripping.
    Next step - Strip your mysql data. Mysql object (mysqlI as well) have an easy tool: mysql_real_escape_string. Run it against any input. If the input contains escaping characters (', \, etc), the recursive stripslashes should remove them and force you to do your own. But at least this way you know that the servers will support it.
    You may need to look up some of the functions (magic quotes to be more precise), since I did this on the fly I'm not 100% certain that I spelled them out correctly lol.

    Hope that helps you out some! Oh, if that code doesn't work, get back I'll dig up the code I use which does work.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • Users who have thanked Fou-Lu for this post:

    twodayslate (01-22-2008)

  • #7
    Senior Coder twodayslate's Avatar
    Join Date
    Mar 2007
    Location
    VA
    Posts
    1,042
    Thanks
    67
    Thanked 39 Times in 39 Posts
    Sorry, I am a beginner to PHP. Where does the 2nd code go? Does it go at the bottom of login page 1?

    Thanks!
    Last edited by twodayslate; 01-22-2008 at 02:53 AM.

  • #8
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    No problem mate.
    That code goes somewhere at the top or in a globally included script. The point would be to run the strips before the data in the superglobals are used.
    Remember, test it out first (dump a globals and try with a name like O'Neil) to make sure that it doesn't add the escaping automatically, since I did write it on the fly.
    Oh, if you use it though, make sure you are using mysql_real_escape_string (instead of addslashes) to the data going into the database variables!
    Good luck mate!
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
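
The O'Neil test suggested in the thread, applied to the cookie lookup quoted in post #6, as an added example that is not part of any post. Assumptions: PDO with an in-memory SQLite database stands in for the thread's `mysql_*` calls (that extension was removed in PHP 7.0), a bound parameter is used here in place of `mysql_real_escape_string` to keep the value out of the SQL text, and the function names and sample rows are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)");
// Constructed sample rows; the doubled apostrophe is SQL's own literal escaping.
$db->exec("INSERT INTO users VALUES ('O''Neil', 'constructed-hash-1'),
                                    ('alice',   'constructed-hash-2')");

// Pattern from the quoted script: the cookie value becomes part of the SQL text.
function lookupInterpolated(PDO $db, string $username): string
{
    try {
        $sql  = "SELECT * FROM users WHERE username = '$username'";
        $rows = $db->query($sql)->fetchAll();
        return count($rows) . " row(s)";
    } catch (PDOException $e) {
        // The apostrophe closed the string literal early and the remainder
        // of the value was parsed as SQL instead of being treated as data.
        return "query broke: " . $e->getMessage();
    }
}

// Bound parameter: the value travels as data and is never parsed as SQL.
function lookupBound(PDO $db, string $username): string
{
    $stmt = $db->prepare("SELECT * FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return count($stmt->fetchAll()) . " row(s)";
}

// Constructed stand-ins for $_COOKIE['ID_my_site'], which the client controls.
foreach (["alice", "O'Neil"] as $cookieUser) {
    echo str_pad($cookieUser, 8),
         " interpolated: ", lookupInterpolated($db, $cookieUser),
         " | bound: ", lookupBound($db, $cookieUser), "\n";
}
```

Both lookups agree for `alice`; only the apostrophe in `O'Neil` exposes that the interpolated query treats cookie content as SQL, which is why the thread recommends testing with that name.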

