Need help with a project that i'm doing

[khazad]

Alright, the project that i need to do is a virtual store, i'm using php and mysql because i have a bit more experience with them, but i'm not an expert, the last time i've programmed something in php was two years ago, so i'm a bit rusty with it. I have to show the first "functional part" (which will be the login) in two weeks, what i've done doesn't work because the code it's all messed up (it's an exercise that my teacher gave us, it didn't had some html tags and we had to make it work with php).

 

Since i have a short time and even if i start from scratch i wont finish it in time i was thinking on using squarespace but i don't know how it works, is it more like a php code generator or the site doesn't have to do anything with programming? i just "draw" how i want it to be and that's it?

[samcool55]

What about using a framework? Makes it much easier, i'm not going to say i did it succesfully but i did get a login system working with CodeIgniter. It was botched together like hell but it did work...

[khazad]

4 minutes ago, samcool55 said:

What about using a framework? Makes it much easier, i'm not going to say i did it succesfully but i did get a login system working with CodeIgniter. It was botched together like hell but it did work...

I don't know what that is or how it works but i'll take a look, but for what i've read i think it'll be useful thanks!

[leodaniel]

7 minutes ago, khazad said:

I don't know what that is or how it works but i'll take a look, but for what i've read i think it'll be useful thanks!

I personally would recommend you to take a look at a framework like laravel... (my personal favorite)

It ships with a working user system, router, security features, a service container... But it requires some PHP-Skills, understanding of concepts... take a look, maybe it is what you need

 

I have several Online Shops running on Laravel 5 in production, which work great... 

[Nuluvius]

2 hours ago, samcool55 said:

What about using a framework?

1 hour ago, leodaniel said:

I personally would recommend you to take a look at a framework

I'd also recommend that you do the same. Find yourself a good framework that you're happy with and follow best practices and good engineering principals. The time that you spend on research upfront will save you from hell later on if you just botch it all together and hope for the best.

[Lumi]

On 10/4/2017 at 11:49 AM, khazad said:

Alright, the project that i need to do is a virtual store, i'm using php and mysql because i have a bit more experience with them, but i'm not an expert, the last time i've programmed something in php was two years ago, so i'm a bit rusty with it. I have to show the first "functional part" (which will be the login) in two weeks, what i've done doesn't work because the code it's all messed up (it's an exercise that my teacher gave us, it didn't had some html tags and we had to make it work with php).

 

Since i have a short time and even if i start from scratch i wont finish it in time i was thinking on using squarespace but i don't know how it works, is it more like a php code generator or the site doesn't have to do anything with programming? i just "draw" how i want it to be and that's it?

2 weeks to make a login / register script from scratch?

That's literally 10 minutes.

 

I posted a functional one a LONG time ago that uses procedural code. It's safe for local dev but not really up to standard.

 

[khazad]

5 hours ago, Lumi said:

2 weeks to make a login / register script from scratch?

That's literally 10 minutes.

 

I posted a functional one a LONG time ago that uses procedural code. It's safe but not really up to standard.

 

Thanks! i'll take a look.

 

Like i've said i haven't done anything with programming in like 2 years, so i forgot almost everything, basically i'm back to square one.

[leodaniel]

10 hours ago, Lumi said:

2 weeks to make a login / register script from scratch?

That's literally 10 minutes.

 

I posted a functional one a LONG time ago that uses procedural code. It's safe but not really up to standard.

I totally disagree, a good login/register implementation is not done in 10 minutes if you do it from scratch. Just no way or you are just creating a really bad implementation with tons of security issues! The mentioned resource is in no way safe! It's not maintainable, poorly readable and has some serious security flaws like using unsalted sha512!

There is so much to consider for a save login system and the resource you mention is not only outdated, but impractical and should never be used in a production environment!

 

Take some good implementations (recent ones) as a foundation for your little project. It's a school project right? So you are basically learning it, learn from the right places and dont look to much at the script mentioned here!

 

Just some Input I would consider:

 

Use password_hash()

Never trust any input (validate input, never correct user input, always reject it)

Always assume the worst scenario

Abstract the Database (use bound parameters for sure)

What wasn't tested doesn't work

Use SSL, POST requests (mainly because the data is then not stored in the browsers history!)

 

 

 

[Lumi]

13 hours ago, leodaniel said:

I totally disagree, a good login/register implementation is not done in 10 minutes if you do it from scratch. Just no way or you are just creating a really bad implementation with tons of security issues! The mentioned resource is in no way safe! It's not maintainable, poorly readable and has some serious security flaws like using unsalted sha512!

There is so much to consider for a save login system and the resource you mention is not only outdated, but impractical and should never be used in a production environment!

 

Take some good implementations (recent ones) as a foundation for your little project. It's a school project right? So you are basically learning it, learn from the right places and dont look to much at the script mentioned here!

 

Just some Input I would consider:

 

Use password_hash()

Never trust any input (validate input, never correct user input, always reject it)

Always assume the worst scenario

Abstract the Database (use bound parameters for sure)

What wasn't tested doesn't work

Use SSL, POST requests (mainly because the data is then not stored in the browsers history!)

 

 

 

 

On 10/4/2017 at 6:24 PM, Lumi said:

It's safe but not really up to standard.

I don't think you write a lot of PHP.

A good secure login / register script should take you no more than 10 minutes to write/

[leodaniel]

10 hours ago, Lumi said:

A good secure login / register script should take you no more than 10 minutes to write/

Okey if for you the script above is good and secure then I agree, this takes kind of 5 min and it really looks like it did not take any longer. I won't really argue, if you think that this is good and secure, because its neither of them! It may work, yes, but should never be used! Never! 

10 hours ago, Lumi said:

I don't think you write a lot of PHP.

Actually I do it successfully for a living alongside my studies

[Cruorzy]

@Lumi script isn't safe, it lacks security features. It might be fine for internal use where you can expect no one to abuse the system. Hanging this widely open to the internet is UNSAFE.

 

@leodaniel is completely right when it comes to laravel IMO.

 

Using a framework is really something to consider with lack of time, it speeds up development and makes sure your application is safe, but you to follow the framework rules!

 

Since you don't have much time squarespace might not be a bad option. Watch some videos about it and see how far it takes you.

 

But i would advise to dive back into PHP one you have more time, there might be a time that you have to create something that squarespace does not offer.

 

But learning about web security, clean code, maintenance etc.

[vorticalbox]

On ‎05‎/‎10‎/‎2017 at 10:32 AM, leodaniel said:

I totally disagree, a good login/register implementation is not done in 10 minutes if you do it from scratch. Just no way or you are just creating a really bad implementation with tons of security issues! The mentioned resource is in no way safe! It's not maintainable, poorly readable and has some serious security flaws like using unsalted sha512!

using pdo wrapped in an class and php 7 hashing, which salts. you can easily do it in ten min. In fact I have the code saved so the longest part is setting up the database tables.

 

just because something is done quickly doesn't mean its neither good or secure because it can be. 

 

I didn't look at the code provided so I will take you remarks as such. 

[leodaniel]

11 minutes ago, vorticalbox said:

using pdo wrapped in an class and php 7 hashing, which salts. you can easily do it in ten min. In fact I have the code saved so the longest part is setting up the database tables.

I kind of agree with you, i just don't think you can do it in 10 min from scratch... I understand it as such, that he meant with nothing... and then I don't think you can do it in 10 min. If you want to do it clean, it takes some time... and yes it is a repetitive task and most people have their code saved and it's reused (or they use a framework)

In my opinion a Login system has to come with session fixation, bruteforce protection, xsrf protection, (maybe remember me token)... it just takes a lot of time if you do it from scratch... yes maybe what I though of was not the same that was meant...

 

11 minutes ago, vorticalbox said:

just because something is done quickly doesn't mean its neither good or secure because it can be. 

I agree, maybe take a look at the provided code and you will change your opinion  

[Lumi]

14 hours ago, leodaniel said:

Okey if for you the script above is good and secure then I agree, this takes kind of 5 min and it really looks like it did not take any longer. I won't really argue, if you think that this is good and secure, because its neither of them! It may work, yes, but should never be used! Never! 

Actually I do it successfully for a living alongside my studies

You clearly keep skipping over what I stated about it.

From an objective standpoint with no external considertion's it IS safe. There is no vulnerability within it (unless you're counting password hashing *2) as all inputs are sanitized.

However I did state and I'll quote it once more,

On 10/5/2017 at 6:49 PM, Lumi said:

but not really up to standard.

 

Also, you can write a bullet proof login / register system from scratch with no wrappers etc in 10 minutes. It's literally 2 PDO prepared statements & bcrypt.

 

 

*2 not even an issue unless you leave other vulns cause hows the DB going to get leaked.

 

Also let's be real the kid is doing it for school, do you think a teacher is going to care?

[Cruorzy]

Can we write a login and register system in less than 10 minutes sure..

 

Is it good or can you even call it decent. NO.

 

Like @leodaniel said it is way more than setting up your tables call a session start with a few inputs and pdo statements.

 

@Lumi don't call it bullet proof.. it simply isn't.

 

This is why systems still get intruders, they read stuff about 10 minutes bullet proof etc. Even if he is only using this for a school project you can point them to web security 101 rules.

 

IMO it is quite basic for a script to have brute force protection / CSRF / XRSF etc.

 

If you think this is bullet proof

49 minutes ago, Lumi said:

you can write a bullet proof login / register system from scratch with no wrappers etc in 10 minutes. It's literally 2 PDO prepared statements & bcrypt

Then read the hell up on security before you start coding again.

[Lumi]

31 minutes ago, Cruorzy said:

Then read the hell up on security before you start coding again.

Direct examples, come on.

I can write one in less than 10.

 

[Lumi]

30 minutes ago, Cruorzy said:

Then read the hell up on security before you start coding again.

Direct examples, come on.

I can write one in less than 10.

[leodaniel]

<?php

if ($password == $row['password']): //is the password submitted equal to the password stored in the db?
         $ip = @$_SERVER['HTTP_X_FORWARDED_FOR']; //assign to variable because of encapsulated quotes are annoying. 
         $updateip = mysqli_query($db, "UPDATE `users` SET ip='$ip' WHERE email='$email'"); //update ip on login
         $_SESSION['email'] = $email; //set session email

@Lumi As it happend to be HTTP_X_FORWARDED_FOR is easy to spoof / can be set by the client! Setting an X-Forwarded-For http header gives me an SQL injection!

This is the problem when you don't use any wrapper / pdo and think you can think of everything in 10 minutes! 

 

There is no error handling in your script, it's unreadable, its a mess, can't be maintained... weak type comparisons, notice/warning suppression, no type checking for input (PHP casts array from your input, what happens if your email is an array?!?), use of globals, no kind of brute force protection, no CSRF protection, session cookie parameters are not set!, no session id regeneration after successful user level change... just plain bad!

 

 

 

And then you call that bulletproof?!? You are a bit disillusioned IMO! 

 

 

[Cruorzy]

 

15 hours ago, Lumi said:

Direct examples, come on.

I can write one in less than 10.

Im on phone so ill keep it short,  glad you ask, member the fappening 

Quote

but it later turned out that the hackers could have taken advantage of a security issue in the iCloud API which allowed them to make unlimited attempts at guessing victims' passwords.

They point out that a bruteforce was able to have the exact same result. Nudes for everybody.

 

Your bulletproof script don't protect even against this kind of attack. IT IS NOT BULLETPROOF.

 

REALLY, read up on security before you start advising people ever again about this subject! Keep in mind this is only ONE example since im on mobile.

 

People CAN be wrong or overlook things, you are just plainly denying that you are give bad advice.

 

 

YES YOU CAN MAKE A LOGIN AND REGISTER SCRIPT IN 10 MINUTES, Should you? NO take the time to do it the right way!

[Lumi]

On 10/7/2017 at 1:35 AM, leodaniel said:

<?php

if ($password == $row['password']): //is the password submitted equal to the password stored in the db?
         $ip = @$_SERVER['HTTP_X_FORWARDED_FOR']; //assign to variable because of encapsulated quotes are annoying. 
         $updateip = mysqli_query($db, "UPDATE `users` SET ip='$ip' WHERE email='$email'"); //update ip on login
         $_SESSION['email'] = $email; //set session email

@Lumi As it happend to be HTTP_X_FORWARDED_FOR is easy to spoof / can be set by the client! Setting an X-Forwarded-For http header gives me an SQL injection!

This is the problem when you don't use any wrapper / pdo and think you can think of everything in 10 minutes! 

 

There is no error handling in your script, it's unreadable, its a mess, can't be maintained... weak type comparisons, notice/warning suppression, no type checking for input (PHP casts array from your input, what happens if your email is an array?!?), use of globals, no kind of brute force protection, no CSRF protection, session cookie parameters are not set!, no session id regeneration after successful user level change... just plain bad!

 

 

 

And then you call that bulletproof?!? You are a bit disillusioned IMO! 

 

 

Ay you got it

pls quote where i said that one was bulletproof though

 

[leodaniel]

On 10/7/2017 at 1:15 AM, Lumi said:

Also, you can write a bullet proof login / register system from scratch with no wrappers etc in 10 minutes. It's literally 2 PDO prepared statements & bcrypt.

 

6 minutes ago, Lumi said:

ls quote where i said that one was bulletproof though

 

Here you go  it was maybe not directly concerning that script, but it really comes down to the same..

[Cruorzy]

11 hours ago, Lumi said:

Ay you got it

pls quote where i said that one was bulletproof though

 

With your outdated script you pretty much only have your bullet proof script, if you replaced the stuff with PDO prepared statements.

On 7-10-2017 at 1:15 AM, Lumi said:

Also, you can write a bullet proof login / register system from scratch with no wrappers etc in 10 minutes. It's literally 2 PDO prepared statements & bcrypt.

You don't consider calling other security risks, probably because you aren't aware of them?

Then don't be ignorant and learn about them. Or maybe you are some sort of God and you think those checks aren't necessary and ONLY you can be right?

 

Anyways it is really bad advice you are giving here to newcomers, personally I hope you stay away from security topics. But I am afraid i'm only going to encounter your bad advice more as a troll.

 

Maybe it is time to make a new script? to actually help people instead leaving such a post with garbage code behind?

And I am not talking about how the code looks and is structured, you can name your variables $cat and $pig.

 

I have given my input trying to change your mind, but we can see why u did not go to college probably to ignorant for it.

[Nuluvius]

[LtStaffel]

18 hours ago, Lumi said:

Ay you got it

pls quote where i said that one was bulletproof though

 

 

18 hours ago, leodaniel said:

 

 

Here you go  it was maybe not directly concerning that script, but it really comes down to the same..

 

7 hours ago, Cruorzy said:

With your outdated script you pretty much only have your bullet proof script, if you replaced the stuff with PDO prepared statements.

You don't consider calling other security risks, probably because you aren't aware of them?

Then don't be ignorant and learn about them. Or maybe you are some sort of God and you think those checks aren't necessary and ONLY you can be right?

 

Anyways it is really bad advice you are giving here to newcomers, personally I hope you stay away from security topics. But I am afraid i'm only going to encounter your bad advice more as a troll.

 

Maybe it is time to make a new script? to actually help people instead leaving such a post with garbage code behind?

And I am not talking about how the code looks and is structured, you can name your variables $cat and $pig.

 

I have given my input trying to change your mind, but we can see why u did not go to college probably to ignorant for it.

DevOps simply cannot uphold true security standards, nor do they have the time to write truly secure code. That is why SecOps exists. What good is all of your anti-brute-force and CSRF and XSS and SQLi and LFI and RFI protection systems if you leave login.php.bak sitting in the open available for download? I have a custom tool that has 2.5k guesses at what your backup file is named and if it finds one, you're done. All I have to do is point it at a URL and away it goes, looking for the backup of that file.

 

For academic purposes and speed because he's on a time deal, ignore the security side of it. Security is all or nothing. If you give nothing, then you won't have security. If you give half of what you have, then you won't have security. If you give everything, then you still probably won't be secure. Arguing about this login script is pointless at this stage. If it's hosted academically then it's probably behind an IDS/IPS and is compartmentalized. If it's hosted somewhere else then he doesn't care too much if it gets compromised because he can just roll it back.

 

Stop discussing security and help the guy with useful information about development. The framework suggestions looked genuinely helpful.

[Cruorzy]

1 minute ago, LtStaffel said:

DevOps simply cannot uphold true security standards, nor do they have the time to write truly secure code. That is why SecOps exists. What good is all of your anti-brute-force and CSRF and XSS and SQLi and LFI and RFI protection systems if you leave login.php.bak sitting in the open available for download? I have a custom tool that has 2.5k guesses at what your backup file is named and if it finds one, you're done. For academic purposes and speed because he's on a time deal, ignore the security side of it. Security is all or nothing. If you give nothing, then you won't have security. If you give half of what you have, then you won't have security. If you give everything, then you still probably won't be secure. Arguing about this login script is pointless at this stage. If it's hosted academically then it's probably behind an IDS/IPS and is compartmentalized. If it's hosted somewhere else then he doesn't care too much if it gets compromised because he can just roll it back.

 

Stop discussing security and help the guy with useful information about development. The framework suggestions looked genuinely helpful.

Totally true however the last posts was aimed at Lumi, it should be pretty normal to try to educate a guy when he is clearly in the wrong.

Not every post inside a topic must be aimed towards the creator of the Topic.

 

The guy who created the topic is already going on since he already made a new topic concerning a problem he had while learning of a youtube video.