PHP security & mail () question.

[HunterCML]

Hello, this is my first ever post, so be patient with me. If this is posted in the wrong section I apologize.

I have just "graduated" from JS (although there's always more to learn/understand) to learning some PHP, and I have a few questions.

I have a log in form in my index.php page that leads to another password validation page (using another page because that's what I'm used to since I used MySQL a lot back in the day, although this might not be the best way to to it). My question is on the security of the thing. How vulnerable is a script like say:

<?php
$username = "myUsername";
$password = "myPassward";
if ($_POST['user'] != $username || $_POST['pass'] != $password) {
echo ('Invalid username or password <a href="http://mywebsite.org/">click here</a> to return to previous page.'); }
else {
header( 'Location: /securepage.php' );
}
?>

And my second question is the one I really want to know about. I want to grab the IP of people attempting login and email it to me. Right now this is what I have, and it doesn't seem to be working. I have this code on the same page as the above script, placed right before it.

<?php
$ip=$_SERVER['REMOTE_ADDR'];
$sendto = "myemail@yahoo.com";
$subject = "Attempted Login";
$message = "IP address is: $ip";
if ($_POST['submit']) {
mail($sendto, $subject, $message);
}
?>

Any suggestions/help appreciated.

[weekend hacker]

At a first glance I'd say the script is vulnerable in the way that you store the password in plaintext, and (more important) that you're not actually doing anything with people who are authenticated. You just send them to securepage.php, but they could just as easily just go to that page and not bother with the login. (if you ware to use a database or output that username or password anywhere there would be additional problems)

The usual way to do this is to set a cookie or use php's built in sessions to mark that user as authenticated.
If you do that, remember that you do not want to store this information at the users end, but instead want to give him a unique id that you can then lookup on the server end to see if he's allowed in or not.

As for the mail part, the default From: header is probably not set in your php.ini
If this is a shared hosting account or you simply don't want to edit php's config to make sure it'll work everywhere you can simply add that header by doing something like

Code: Select all

mail($sendto, $subject, $message, "From: somerandom@email.com\r\n");

This could result in a lot of spam though as every attempt will be an email.

relevant php links:
sessions:
- http://be.php.net/manual/en/book.session.php
- http://be.php.net/manual/en/session.examples.basic.php

database:
- old way (not recommended):
- http://be.php.net/manual/en/function.mysql-real-escape-string.php
- mySQLi way:
- http://be.php.net/manual/en/book.mysqli.php
- http://be.php.net/manual/en/mysqli.quickstart.prepared-statements.php
- PDO way:
- http://be.php.net/manual/en/intro.pdo.php
- http://be.php.net/manual/en/pdo.prepared-statements.php
- http://be.php.net/manual/en/ref.pdo-mysql.php

output to page:
- http://be.php.net/manual/en/function.htmlentities.php

email:
- http://be.php.net/manual/en/function.mail.php

Side note: if you like javascript perhaps you should also check out node.js

[HunterCML]

Really appreciate the help you make a lot of sense. Do you think that by making a PHP session redirect on my secure pages would tighten up security enough for your average noisy individual?

Also for the email script, I tried this instead and it's still not working. Perhaps I need to reconfig some stuff in my hosting settings?

Code: Select all

<?php
$ip=$_SERVER['REMOTE_ADDR'];
$sendTo="myEmail@yahoo.com";
$subject="Attempted Login";
$message="From IP address:".$ip;
$from="random@email.com";
$header="From:".$from;
if ($_POST['submit']) {
mail ($sendTO, $subject, $message, $header);
}
?>


[weekend hacker]

in the header I think you need the "\r\n" part, basically a carriage return and a newline which is how those headers are separated(remember this if you ever want to hack a "contact us" form..)
so its

Code: Select all

$header="From:".$from."\r\n";

as for the session, you'll want to give them a session when they log in and set a value in it like "$login=true"
and then on your secure page you'll lookup their session and check if $login==true

example:

Code: Select all

<?php
session_start();
$username = "myUsername";
$password = "myPassward";
if ($_POST['user'] != $username || $_POST['pass'] != $password) {
echo ('Invalid username or password <a href="http://mywebsite.org/">click here</a> to return to previous page.'); }
else {
$_SESSION['login'] = true;
header( 'Location: /securepage.php' );
}
?>

and for your securepage.php

Code: Select all

<?php
session_start();
if ($_SESSION['login'] == true)
{
    echo "your page";
} else {
    echo "you are not suposed to be here.";
}
?>


main things to remember is that session_start() needs to be run on every page that uses them BEFORE anything is sent to the page, if you have a space or a newline before the start of your php tag, things will not work. (this is because the session will need to set a cookie which is done in the headers, if you're already displaying things on the page the headers will already be sent)
Be sure to read those links about sessions I gave you. php.net explains EVERYTHING about the language and I do not have the habit of spoon feeding people.
Consider that site your php manual.

Happy hacking ^^

[HunterCML]

Wow, thanks so much! Really appreciate you helping out a beginner like myself. I'll be sure to look over the links you provided.

Cheers,

- Hunter

-- Tue Sep 11, 2012 3:26 pm --

Anyone who wants to test my very basic security measures (I only do this for knowledge/fun), feel free to try it out.

URL = http://www.testingsite.22web.org

Let me know how weak/strong it is. I printed "Feel free to test security." at the bottom of the page to prove validity, and removed the email IP function from the PHP script (even though I could never get it to work anyway).

[limdis]

Weekend +1