Encrypted Password Protected Area


11 replies to this topic

#1 KamakaZ


Posted 27 January 2009 - 06:16 AM

Hi, I have read the sticky about creating password protected areas, which is what I'm wanting to do... only problem is that the password text file is readable by anyone smart enough... is there a way to encrypt it?

I am able to use a SQL database, is there a way to integrate it into that maybe?

Any help would be appreciated...

Cheers,

Brad

There's no place like 127.0.0.1
There are 10 types of people in the world, those that can read binary, and those who can't.



#2 groovicus


Posted 27 January 2009 - 09:01 AM

Yes. SQL has the ability to encrypt the password and store it that way. Assuming that you are using MYSQL:
http://articles.techrepublic.com.com/5100-...11-6124013.html

#3 KamakaZ


Posted 27 January 2009 - 04:53 PM

Thanks Groovicus,

I am using mySQL, php 5, apache 2.

That link was most helpful, however I have next to no idea how to integrate that into a webpage... I know how to make databases within mySQL, just not how to pull the data from the database, compare it against what was typed into the form and then go to the appropriate page (successful or unsuccessful).

Thanks for a quick reply!



#4 groovicus


Posted 27 January 2009 - 05:24 PM

You don't integrate it into a page. You send the password to a .php handler, the handler sends it to mysql, and mysql encrypts it. Then when a user relogs in, then the password is sent to the php handler, which hands it to mysql, and mysql makes the comparison. If it matches, then it returns a success flag to the php handler. If not, it returns a failure flag to the handler. Depending on the flag, the appropriate web page is sent back to the user.

#5 KamakaZ


Posted 27 January 2009 - 05:28 PM

That's what I am looking to do... but I have no idea how to start coding it.

EDIT: Can anyone help with this? I am rather new to php

Edited by KamakaZ, 27 January 2009 - 05:53 PM.



#6 KamakaZ


Posted 28 January 2009 - 05:04 PM

Managed to solve this....

http://php.about.com/od/finishedphp1/ss/php_login_code.htm

Thanks for your help... I would have rather written it on my own, but I followed through this and actually understand how it works, not just that it does.



#7 groovicus


Posted 28 January 2009 - 10:26 PM

A good coder begs, borrows, and steals whatever it takes to accomplish the job. Why reinvent the wheel?

#8 KamakaZ


Posted 29 January 2009 - 05:14 PM

Good point...

Before we get started, I know some of the HTML is incorrect; this is just a test, but still no excuse for bad coding.

I have a problem with the login code... it was working fine, but I don't know what I have changed to make it not work...
It displays the following errors when I try to log in:

Warning: Cannot modify header information - headers already sent by (output started at C:\xampp2\htdocs\gaming\index.php:3) in C:\xampp2\htdocs\gaming\index.php on line 70

Warning: Cannot modify header information - headers already sent by (output started at C:\xampp2\htdocs\gaming\index.php:3) in C:\xampp2\htdocs\gaming\index.php on line 71

Warning: Cannot modify header information - headers already sent by (output started at C:\xampp2\htdocs\gaming\index.php:3) in C:\xampp2\htdocs\gaming\index.php on line 74

and I have had an error on line 24 of this file.

(I have marked the lines below)



This is the index.php file:
<html>
<head>
<style type="text/css">
body { background-color:orange } 
</style>
</head>

<body>
<?php 
// Connects to your Database 
mysql_connect("localhost", "root", "******") or die(mysql_error()); 
mysql_select_db("users") or die(mysql_error()); 

//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))

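//if there is, it logs you in and directs you to the members page
{ 
$username = get_magic_quotes_gpc() ? $_COOKIE['ID_my_site'] : mysql_real_escape_string($_COOKIE['ID_my_site']); // escape the cookie value before it is used in the query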
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check )) 
{
if ($pass != $info['password'])  //line 24
{
}
else
{
header("Location: home.php");

}
}
}

//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

// makes sure they filled it in
if(!$_POST['username'] || !$_POST['pass']) { // logical OR, not bitwise
die('You did not fill in a required field.');
}
// checks it against the database

if (!get_magic_quotes_gpc()) { // escape the field the query below actually uses
$_POST['username'] = mysql_real_escape_string($_POST['username']);
}
$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Gives error if user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database. <a href=reg.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check )) 
{
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);

//gives error if the password is wrong
if ($_POST['pass'] != $info['password']) {
die('Incorrect password, please try again. <a href="javascript:history.go(-1)">Go Back</a>');
}
else 
{ 

// if login is ok then we add a cookie 
$_POST['username'] = stripslashes($_POST['username']); 
$hour = time() + 3600; 
setcookie('ID_my_site', $_POST['username'], $hour);   //line 70 (cookie name quoted as a string)
setcookie('Key_my_site', $_POST['pass'], $hour);  //line 71

//then redirect them to the members area 
header("Location: home.php");   //line 74
} 
} 
} 
else 
{ 

// if they are not logged in 
?> 
<!--Logo-->
<br> </br>
 <center>
  <h2>Hosted By:</h2>
  <a href="http://www.forum-indoor.info/"><img src="http://www.forum-indoor.info/wp-content/uploads/2008/12/forum-logo-blue-background-copy.jpg"></a> 
<br> </br>
<br> </br>
 
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> 
<table border="0"> 
<tr><td colspan=2><h3>Log In:</h3></td></tr> 
<tr><td>Username:</td><td> 
<input type="text" name="username" maxlength="40"> 
</td></tr> 
<tr><td>Password:</td><td> 
<input type="password" name="pass" maxlength="50"> 
</td></tr> 
<tr>
<td colspan="2" align="right"><button style="width: 70px; height: 24px;" onclick="window.location='http://www.forum-indoor.info/gaming/reg.php'">Register</button></td>
<td colspan="2" align="right"> 
<input type="submit" name="submit" value="Login"> 
</td></tr> 
</table> 
</form> 
<br> </br>
<center>
<h5>Cookies must be enabled past this point.</h5>
<h5>Need help registering? Email <a href="mailto:Brad@forum-indoor.info">Brad@forum-indoor.info</a></h5>
 
<?php 
} 

?> 
</body>
</html>



#9 KamakaZ


Posted 29 January 2009 - 06:36 PM

I think I found my problem,

The file is called index.php, yet it opens with a <html> tag. As soon as I removed the <html>, <head> and <body> tags, so now I'm just left with <?php content ?>, it all works fine.

I did try to change the extension to index.html but it still displayed a funny error (printed/echoed some of the php script)

I just have to put up with a white background instead of my orange one lol...



#10 KamakaZ


Posted 29 January 2009 - 09:04 PM

I found this was because I had "echoed" the <html> through to </head> tags, and that once something is echoed you can't send more header information. If I moved that content to make it look like this:

...

setcookie('ID_my_site', $_POST['username'], $hour);   //line 70 (cookie name quoted as a string)
setcookie('Key_my_site', $_POST['pass'], $hour);  //line 71
 //then redirect them to the members area 
header("Location: home.php");   //line 74
} 
} 
} 
else 
{ 
// if they are not logged in 
?> 
<html>
<head>
<style type="text/css">
body { background-color:orange } 
</style>
</head>
<!--Logo-->
<br> </br>
<center>
  <h2>Hosted By:</h2>
...

it worked. Thanks for all your help.

Edited by KamakaZ, 29 January 2009 - 09:05 PM.
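
The flow groovicus outlines in post #4 and the header-ordering fix from posts #9 and #10, as an added example that is not part of the original thread: every check and the redirect run before the first byte of HTML, the lookup uses a bound parameter, and a server-side session replaces the cookie that carried the MD5 hash. The table layout, the demo account and the choice of PDO with password_hash() are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumed names: table
// users(username, password_hash), demo account, home.php.
// In-memory SQLite keeps it runnable offline; for MySQL swap the DSN for
// something like 'mysql:host=localhost;dbname=users' plus credentials.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
// Constructed sample account; password_hash() salts each hash itself.
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['demo', password_hash('correct horse', PASSWORD_DEFAULT)]);

function check_login(PDO $db, $username, $password)
{
    if (!is_string($username) || !is_string($password)) {
        return false; // e.g. username[]=x arrives as an array
    }
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // One answer for "no such user" and "wrong password".
    return is_string($hash) && password_verify($password, $hash);
}

$error = '';
if (isset($_POST['submit'])) {
    $user = isset($_POST['username']) ? $_POST['username'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    if (check_login($db, $user, $pass)) {
        session_start();               // sends Set-Cookie, so no output before it
        session_regenerate_id(true);   // new session id once authenticated
        $_SESSION['username'] = $user; // state stays server-side
        header('Location: home.php');
        exit;                          // nothing after the redirect is sent
    }
    $error = 'Incorrect username or password.';
}
?>
<html>
<head><style type="text/css">body { background-color:orange }</style></head>
<body>
<p><?php echo htmlspecialchars($error); ?></p>
<form action="" method="post">
Username: <input type="text" name="username" maxlength="40">
Password: <input type="password" name="pass" maxlength="50">
<input type="submit" name="submit" value="Login">
</form>
</body>
</html>
```

In this sketch home.php would call session_start() and check $_SESSION['username'] before showing anything, instead of comparing a hash read back from a cookie.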



#11 groovicus


Posted 29 January 2009 - 09:21 PM

So far it's been all you. :thumbsup:

#12 KamakaZ


Posted 29 January 2009 - 09:48 PM

Ah well... at least we are both learning then... just in case we come across it again sometime
