Is this easy to crack?

01-21-2008, 11:36 PM

I always thought that this is not a good way to password protect a site, but it seems like this is popular.

Any links to alternatives?

01-21-2008, 11:41 PM
Hi, this is crackable only if someone has access to your source code (i.e. FTP access), otherwise it's not possible to view the data.

01-21-2008, 11:43 PM
OK thanks.

Every time I access the page though I have to retype the password. Is there one out there that has a cookie or something so it remembers you?

01-21-2008, 11:44 PM
First of all you'll need to look at how limiting that script is. That will only work for password protecting one page, and in addition to that, every time you refresh the page, you'll need to resend the POST data, or you will be "logged out."

If you are looking to password protect anything of real value, or multiple pages, or if you need login logging, multiple users, login timeouts, etc., this is not the way to go.

This is somewhat secure against the average 14 year old "hacker", but it can easily be brute forced, and without tracking, you would never know it.

Find something else.

01-22-2008, 12:16 AM
This easy to break in?

01-22-2008, 01:43 AM
PHP_SELF is susceptible to XSS, you should change it to something more like SCRIPT_NAME instead.
Cookies are client side and your script will allow them to inject your SQL on the first block of the code - don't trust that magic quotes GPC is enabled:

// Connects to your Database
mysql_connect("your.hostaddress.com", "username", "password") or die(mysql_error());
mysql_select_db("Database_Name") or die(mysql_error());

//Checks if there is a login cookie

//if there is, it logs you in and directs you to the members page
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());

Same goes with the submission from the form.

Anything that goes to a database from the client (whether it is from forms or cookies) should be stripped. So, first step is to run against a stripslashes based function (writing on the fly so hopefully it will work :P)

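// get_magic_quotes_gpc() is the real function name; it was removed in PHP 8.0
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    function recurseStrip(&$strip) {
        if (is_array($strip)) {
            // Don't care otherwise:
            foreach ($strip as $key => &$val) {
                if (is_array($val))
                    recurseStrip($val);
                else if (is_string($val))
                    $val = stripslashes($val);
            }
        } else if (is_string($strip))
            $strip = stripslashes($strip);
    }
    // Undo the automatic escaping on every client-supplied superglobal
    recurseStrip($_GET);
    recurseStrip($_POST);
    recurseStrip($_COOKIE);
    // Bleh, cookies don't make any sense in here to me:
    $_REQUEST = array_merge($_GET, $_POST);
}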

Hmm, hold on will that work......... yeah, it looks ok. Files are a special case BTW and require a different type of stripping.
Next step - Strip your mysql data. Mysql object (mysqlI as well) have an easy tool: mysql_real_escape_string. Run it against any input. If the input contains escaping characters (', \, etc), the recursive stripslashes should remove them and force you to do your own. But at least this way you know that the servers will support it.
You may need to look up some of the functions (magic quotes to be more precise), since I did this on the fly I'm not 100% certain that I spelled them out correctly lol.

Hope that helps you out some! Oh, if that code doesn't work, get back I'll dig up the code I use which does work.

01-22-2008, 01:51 AM
Sorry, I am a beginner to PHP. Where does the 2nd code go? Does it go at the bottom of login page 1 (http://php.about.com/od/finishedphp1/ss/php_login_code_4.htm)?


01-22-2008, 01:53 AM
No problem mate.
That code goes somewhere at the top or in a globally included script. The point would be to run the strips before the data in the superglobals are used.
Remember, test it out first (dump a globals and try with a name like O'Neil) to make sure that it doesn't add the escaping automatically, since I did write it on the fly.
Oh, if you use it though, make sure you are using mysql_real_escape_string (instead of addslashes) to the data going into the database variables!
Good luck mate! :thumbsup:
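
The cookie-to-query problem from the 01:43 AM post and the O'Neil test suggested above, as an added example that is not part of the thread or the tutorial's code. It swaps the thread's mysql_* calls (that extension was removed in PHP 7.0) for PDO with an in-memory SQLite database and a bound parameter; the table, rows, function names and cookie values are constructed for illustration.

```php
<?php
// Added example: constructed users table in an in-memory SQLite database (assumption),
// standing in for the thread's MySQL "users" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'x'), ('O''Neil', 'y')");

// Pattern from the thread: the cookie value is pasted straight into the SQL text.
// lookupConcatenated is a hypothetical helper name.
function lookupConcatenated(PDO $db, $username) {
    try {
        $rows = $db->query("SELECT * FROM users WHERE username = '$username'")->fetchAll();
        return count($rows) . " row(s)";
    } catch (PDOException $e) {
        return "SQL error";
    }
}

// Hardened form: the value travels as a bound parameter and is never parsed as SQL.
// lookupBound is a hypothetical helper name.
function lookupBound(PDO $db, $username) {
    $stmt = $db->prepare("SELECT * FROM users WHERE username = ?");
    $stmt->execute(array($username));
    return count($stmt->fetchAll()) . " row(s)";
}

// Constructed cookie values: a normal name, the O'Neil test case from the thread,
// and a value whose quote closes the string literal and adds its own condition.
$cookies = array("alice", "O'Neil", "nobody' OR '1'='1");
foreach ($cookies as $value) {
    printf("%-20s concatenated: %-10s bound: %s\n",
        $value, lookupConcatenated($db, $value), lookupBound($db, $value));
}
```

Run it with the PHP command-line interpreter. Comparing the two columns shows where the concatenated query breaks or matches rows that the bound query does not.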