Log In · Register

 

Help Topic Rules and Requirements

For a list of all requirements and guidelines pertaining to posting a new Help topic, please click here.

This Month's Contests | Staff Member of the Month | Hosts Looking for Hostees | Hostees looking for Hosts | BigBookofResources

Submission Guidelines

 
Reply to this topicStart new topic
PHP Clean Username
Mikeplyts
post Jul 3 2010, 12:29 AM
Post #1


Mel Blanc was allergic to carrots.
*******

Group: Official Designer
Posts: 6,371
Joined: Aug 2008
Member No: 676,291



Alas, another PHP topic. So, I have a login form. It works just like it should, but I realized I should allow clean usernames to be used. A clean username, basically, is an all-lowercase version of the original username (because some people are too lazy to use the shift key where necessary). So:
CODE
<?php
$username = $_POST['username'];
$clean = strtolower($username);
$password = $_POST['password'];
$safe = md5($password);

if (count($_POST) > 0) {
    if (!$username) $error = 'Please fill in your username';
    else if (!$password) $error = 'Please fill in your password';
    else if (!is_valid()) $error = 'It looks like you\'re not a valid user. Try checking your username or password or feel free to <a href="/register/">sign up</a>.';
    else {
        $id = get_id();
        setcookie('user', $username, time() + 31556926, '/');
        setcookie('id', $id, 0, '/');
        header($root . '/account/dashboard/');
    }
}

else $error = '';
?>


is_valid() is in a functions file. I had it set so that it checked the username, password, and hashed password. However, I changed it around so that it'd check the clean username instead.
CODE
<?php
function is_valid() {
    global $clean, $password, $safe;

    if (mysql_num_rows(mysql_query("SELECT ID FROM users WHERE clean_username = '$clean' AND password = '$password' AND safe_password = '$safe'")) > 0) return true;
}
?>


get_id() doesn't really do anything but get the ID from the MySQL database. Anyhow, what I can't understand is why it still generates an error. For example, let's say I have user named User. If I login using User, it works fine. However, if I use user, it generates an error. Now, I'd think that even if user is lowercase, $clean would just generate the same value (user).

Aide?
 
fixtatik
post Jul 3 2010, 06:29 AM
Post #2


Senior Member
******

Group: Member
Posts: 1,237
Joined: May 2008
Member No: 648,123



I wouldn't think you need to have a "clean_username" column at all. MySQL non-binary columns (any column containing text that's not a "blob") are case-insensitive by default (meaning "User", "user" and "uSeR" will all match). Setting a username to lowercase is hardly clean, though; by not cleaning the string (stripping slashes and running it through real_escape_string, or disallowing non-alphanumeric characters completely), you're opening up your database to injection.

It also might be a bit counter-productive having a "password" and "safe_password" column. The idea of storing the md5 hash as a password is so if anyone manages to get into your database, it's impossible for them to see the actual password. Instead, they'd see an md5 hash that typically can't be reverse-engineered. Unless, of course, someone was stupid enough to put in a password like "apple", in which case there are dozens of sites out there that have a database of common md5 hashes.

Anyway, by having "password" and "safe_password", an attacker will still be able to see the "password" column if he manages to get in.

Oh...should note something I discovered the other day. In PHP5, an empty array still counts as "1". So, if $_POST is empty, count($_POST) is still giving you a result of "1". Might be better to just use !empty($_POST), or count($_POST) == 2.
 
Mikeplyts
post Jul 3 2010, 02:27 PM
Post #3


Mel Blanc was allergic to carrots.
*******

Group: Official Designer
Posts: 6,371
Joined: Aug 2008
Member No: 676,291



That was just a basic code of what I was using. I do have the stripslashes() and mysql_real_escape_string() functions set up. Hrm, okay. But, how come it still gives me an error if I try to sign in with user as opposed to User? And yeah, I'll update that whole password business.
 
Uronacid
post Jul 9 2010, 09:02 AM
Post #4


Senior Member
******

Group: Official Member
Posts: 1,574
Joined: Aug 2007
Member No: 555,438



It looks fine to me. If all you're doing is making sure the username is lowercase. I just don't see it nessesary to do.

Also, I agree with fixtik. You're hardly cleaning these things. A malicious user could very easily add code and execute SQL statements.
 
Mikeplyts
post Jul 9 2010, 12:03 PM
Post #5


Mel Blanc was allergic to carrots.
*******

Group: Official Designer
Posts: 6,371
Joined: Aug 2008
Member No: 676,291



QUOTE(Mikeplyts @ Jul 3 2010, 03:27 PM) *
That was just a basic code of what I was using. I do have the stripslashes() and mysql_real_escape_string() functions set up. Hrm, okay. But, how come it still gives me an error if I try to sign in with user as opposed to User? And yeah, I'll update that whole password business.

 

Reply to this topicStart new topic
2 User(s) are reading this topic (2 Guests and 0 Anonymous Users)
0 Members: