Odd PHP Login
May 1, 2007 – 3:33 pm
Ok, so today, going through a bit of a backlog of reading from the RSS feeds I monitor, I found this on Darknet.
Now, just to cover the traditional approach: most of the time, when someone handles a login by querying a backend DB, they do something like this:
// The usual naive version: the submitted username is concatenated straight into the SQL string.
// (mysql_* is the extension of the day; it was removed in PHP 7.)
$password = $_REQUEST["password"];
$username = $_REQUEST["username"];
$handle = mysql_connect("", "", "");   // server, user and password left blank here
// Fetch the stored password for that username and compare it with the one submitted
$build = "SELECT password FROM logins WHERE username='" . $username . "'";
$query = mysql_query($build, $handle);
while ($fetch = mysql_fetch_array($query)) {
    if ($fetch[0] != $password) {
        // Error
    } else {
        // Login..
    }
}
Now, without proper input validation, you can do nasty things to the backend SQL DB there, since whatever arrives in the username field goes straight into the query string.
The posting presented this as a possible handy alternative that sidesteps the problem of injection attacks:
// The Darknet variant: look the row up by the password hash, then compare the username.
$passwd = $_REQUEST["passwd"];
$uname = $_REQUEST["username"];
$handle = mysql_connect("", "", "");
// Only the md5 of the submitted password reaches the query; the raw username never does
$build = "SELECT uname FROM usr WHERE passwd='" . md5($passwd) . "'";
$query = mysql_query($build, $handle);
while ($fetch = mysql_fetch_array($query)) {
    if ($fetch[0] != $uname) {
        header("Location: somewhere");
    } else {
        // ...set a weird cookie...
    }
}
Interesting: reverse the checks. But this assumes that you're not putting a clear-text password in your user database. Funnily enough, this made me think: I've seen all too often web apps that do just that.
Anyway, back to my train of thought: instead of dropping the username into the DB in the clear, why not store a hash of it, just like you're supposed to do for a password? After all, why do we need the username in clear text? Most forums, portals and the like allow the user to set a 'friendly' name that is shown to the public. So why not hide the username from the administrator's view, so that in the event the DB is compromised, the attacker would need to brute-force both the username and the password to get valid login information?
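As an added example (this is not code from the post or from the Darknet article, and it is written in Python with sqlite3 rather than PHP/MySQL), here is the idea above carried through, covering both the injection point in the first snippet and the hashed-username proposal: the lookup uses a bound parameter instead of string concatenation, the username is stored only as a keyed hash, the password as a salted PBKDF2 hash, and the row is found by username hash rather than by password hash. The key name USERNAME_KEY, the table layout and the sample users are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed example key. In a deployment it must live outside the database
# (config file, secret store) so that a dump of the table alone does not reveal it.
USERNAME_KEY = b"example-key-replace-in-deployment"

PBKDF2_ROUNDS = 100_000


def username_hash(username):
    """Keyed, deterministic hash of the username.

    The row has to be found *by* this value, so it cannot carry a per-row salt
    the way the password hash does; the server-side key is what stops someone
    holding only the table from matching common usernames against it.
    """
    return hmac.new(USERNAME_KEY, username.encode("utf-8"), hashlib.sha256).hexdigest()


def hash_password(password, salt=None):
    """Salted, deliberately slow password hash. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def create_schema(conn):
    # No clear-text username column at all; friendly_name is the public name.
    conn.execute(
        "CREATE TABLE logins ("
        "  uname_hash    TEXT PRIMARY KEY,"
        "  friendly_name TEXT NOT NULL,"
        "  pw_salt       BLOB NOT NULL,"
        "  pw_hash       BLOB NOT NULL)"
    )


def register(conn, username, friendly_name, password):
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO logins (uname_hash, friendly_name, pw_salt, pw_hash) VALUES (?, ?, ?, ?)",
        (username_hash(username), friendly_name, salt, digest),
    )


def login(conn, username, password):
    """Return the friendly name on success, None on failure."""
    # Bound parameter: the driver sends the value separately from the SQL text,
    # so quotes or other characters in the username cannot alter the query.
    row = conn.execute(
        "SELECT friendly_name, pw_salt, pw_hash FROM logins WHERE uname_hash = ?",
        (username_hash(username),),
    ).fetchone()
    if row is None:
        # Burn a hash anyway so "no such user" and "wrong password" take similar time.
        hash_password(password, b"\x00" * 16)
        return None
    friendly_name, salt, stored = row
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the two digests.
    return friendly_name if hmac.compare_digest(candidate, stored) else None


def demo():
    """Populate an in-memory DB with constructed users and exercise the login path."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    register(conn, "alice", "Alice", "correct horse")
    register(conn, "o'brien", "Brian", "correct horse")  # same password; quote in the username
    dump = conn.execute("SELECT uname_hash, pw_hash FROM logins").fetchall()
    return {
        "good": login(conn, "alice", "correct horse"),
        "wrong_password": login(conn, "alice", "battery staple"),
        "unknown_user": login(conn, "mallory", "correct horse"),
        "quoted_name": login(conn, "o'brien", "correct horse"),
        # A dump of the table shows no plain username...
        "username_in_dump": any("alice" in h for h, _ in dump),
        # ...and two users with the same password still get different stored hashes.
        "same_pw_same_hash": dump[0][1] == dump[1][1],
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The username hash cannot be salted per row, because the hash is what finds the row, so the server-side key is what makes a table-only compromise expensive; without it, unsalted hashes of low-entropy usernames would fall quickly to a word list. And the Darknet snippet's lookup by an unsalted md5 of the password means two users who chose the same password share a match (hence its while loop); here the lookup is by username hash and the salted password hash is compared in code, so shared passwords never collide in the table.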
