Thread: [RESOLVED] PHP Logon Security

I did some quick searching and found some stuff about logon security in PHP but nothing was direct enough for this question. Using PHP, what are some recommened ways to make sure your pages are only access by someone who logged in correctly?

I am currently using MySQL which has a table named "users" and it contains their logon names, proper names, and encrypted passwords.

Right now I have every page include login.php as one of the very first lines. If the user is logged in then they will see no ouput from login.php. If they are not then it displays the login form and terminates loading anything further.

The user inputs their login name and password and then I run this query

PHP Code:

$query='SELECT * from users
       WHERE username="'.$username.'" AND password=password("'.$password.'")';
$sqlresult=mysql_query($query) or die(mysql_error());
$rowcount=mysql_num_rows($sqlresult); 


As far as I can tell, I should only get 1 row if the user successfully loggedin and Zero rows if they did not. I then proceed to set a SESSION variable like below. Then every page checks to see if that SESSION variable is set before it loads any of the page.

PHP Code:

$_SESSION['valid_user'] = $row['FullName']; 


Now I understand that there are probably many levels of security, everything ranging from no security, to light security, to your Pentagon (multi-billion dollar budget) security. My web app runs on a private Intranet of less than 150 people and only 4 people know it exists and have access to it. So I don't think I need heavy duty security. But I'm just not certain if this is good enough.

Well I am uncertain about these SESSION variables. Allow me to explain.

I was upgrading and addings lots of features to my intranet app but I didn't want to effect the one in production, so I made a copy of it on the web server. So on my web server I had
http://intranet/app1 (live)
http://intranet/app2 (under development)

I noticed that if I logged into one then I didn't have to log into the other. And likewise, if I logged out of one then they both would ask me to login. The SESSION variables were shared between these two apps. This is what brought me to my concerns about its security. Shouldn't each web app maintain its own set of SESSION variables?

What I do is store a user object as a session item.. that way there are separate objects for each session login..

PHP Code:


if (!isset($_SESSION['userData']))
    header("Location: login.php");

$user = $_SESSION['userData'];
// userleves and such
if ($user->UserLevel == $ADMIN)
    // do something 


chem

Hmm, okay. I'll look into that Penegate. Thanks.

Going back to your previous recommendation about using mysql_real_escape_string. I am only using that command in a couple key places but it makes sense to use it everywhere that I enter data into the MySQL database.

Originally Posted by penagate

... Always make sure that you use mysql_real_escape_string to escape variables before inserting them into SQL queries, otherwise certain characters will cause your query to break (which is a SQL injection vulnerability, too, but I wouldn't worry about those on an intranet). ...

A quick question about this. Did you mean that it is best to use the mysql_real_escape_string on the whole query string or just the variables being inserted into the query string?

For example, this uses it on the variable being inserted into the query.

PHP Code:

$newtext=mysql_real_escape_string($newtext);
$query='INSERT INTO table SET field="'.$newtext.'"';
mysql_query($query) or die(mysql_error()); 


And this example uses it on the whole query string.

PHP Code:

$query='INSERT INTO table SET field="'.$newtext.'"';
$query=mysql_real_escape_string($query);
mysql_query($query) or die(mysql_error()); 


That's what I was afraid of. Thanks.