User auth and ID questions

[vedran]

Hi,
I'm making a simple cms for my web, but I'm not really good at sql and php, I have few questions regarding user authentication and user_id

I've made quite simple mysql db:

Code:

CREATE TABLE `rebus_users` (
`user_id` MEDIUMINT( 8 ) UNSIGNED NOT NULL ,
`username` VARCHAR( 255 ) NOT NULL ,
`password` VARCHAR( 40 ) NOT NULL ,
`email` VARCHAR( 100 ) NOT NULL ,
`group_id` MEDIUMINT( 8 ) UNSIGNED NOT NULL
)

What I want to do is add user login panel so the users can login. Questions is, once the user is logged in, how can I make session id be saved, using php of course ?

[chili5]

Check if the user is logged in correctly, then then create a SESSION variable only if the login is successful.

PHP Code:

<?php
// connect to database
$sql = "SELECT * FROM users WHERE username='$_POST[username]' AND password='$_POST[password]'";
$result = mysql_query($sql);
while ($row = mysql_fetch_array($result)) {
if ($_POST['username'] == $row['username'] && $_POST['password'] == $row['password']) {
// the user is valid, create the session id here
} else {
// the user isn't valid. show error messages and ask them to login again.
}
}
?>

I haven't played with sessions much but you would use $_SESSI0N['id'] to create the session variable and then assign whatever value to it you wish.

[vedran]

Thanx, but I have another problem now. I have used MD5 on the password table, and now I can't log in using my password. How can I fix this one?, here is my login form:

PHP Code:


<?php include('config.php'); ?>
<html>
<head>
<title>Testing Rebus CMS</title>
</head>
<body>

<?php
session_start();

$errorMessage = '';
if (isset($_POST['username']) && isset($_POST['password'])) {
    
    $userid   = $_POST['username'];
    $password = $_POST['password'];
    
    $sql = "SELECT username 
        FROM rebus_users
            WHERE username = '$userid' AND password = PASSWORD('$password')";
    
    $result = mysql_query($sql) or die('Query failed. ' . mysql_error()); 
    
    if (mysql_num_rows($result) == 1) {
        $_SESSION['db_is_logged_in'] = true;
        
        header('Location: main.php');
        exit;
    } else {
        $errorMessage = 'Sorry, wrong username or password';
    }
}
?>

<?php
if ($errorMessage != '') {
?>
<p align="center"><strong><font color="#990000"><?php echo $errorMessage; ?></font></strong></p>
<?php
}
?>
<form action="" method="post">
 <table width="400" border="1" align="center" cellpadding="2" cellspacing="2">
  <tr>
   <td width="150">User Id</td>
   <td><input name="username" type="text" id="username"></td>
  </tr>
  <tr>
   <td width="150">Password</td>
   <td><input name="password" type="password" id="password"></td>
  </tr>
  <tr>
   <td width="150">&nbsp;</td>
   <td><input type="submit" value="Login"></td>
  </tr>
 </table>
</form>

</body>
</html>

also I'm getting this message on the site:

Code:

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/omeragic/public_html/rebus/index.php:8) in /home/omeragic/public_html/rebus/index.php on line 9

What does that mean?

[John]

PASSWORD( ) does not generate an md5 hash. You can either use the SQL MD5() or php's built in md5(). You should also know, your code is extremely easy to hack.

[vedran]

Quote:

Originally Posted by John

PASSWORD( ) does not generate an md5 hash. You can either use the SQL MD5() or php's built in md5(). You should also know, your code is extremely easy to hack.

I used mysql to generate an md5 hash. What do you mean extremly easy to hack? could you be more specific? Is there a better way for user authentication and registration?

[morefood2001]

Quote:

Originally Posted by vedran

PHP Code:


    $userid   = $_POST['username'];
    $password = $_POST['password'];
    
    $sql = "SELECT username 
        FROM rebus_users
            WHERE username = '$userid' AND password = PASSWORD('$password')"; 


Your code is hackable by an SQL Injection Here. You take the posted username and without any verification, put it directly into an sql query. So if I made my username ";DELETE *" (not the valid sql delete to delete all, but thats the idea), it will run your query, break, then run the delete query and erase your entire table.

I'm sure there are other problems, but I didn't look all that hard

[vedran]

thanx for telling me that, but how can I prevent that? what are possible solutions and how to protect myself from sql ijections

[morefood2001]

The easiest way to protect yourself from an sql injection is with mysql_real_escape_string($username).

John wrote a great security tutorial on other tips / tricks at: PHP Sql Injections

[vedran]

wow thanx a lot and thanx John for this article.
Now the only problem is, how do I fix this md5 hash problem?

[morefood2001]

PHP has an md5 function. So simply use md5() instead of PASSWORD().