Login Controller/Model

#1
[eluser]wiredesignz[/eluser]
Session library must be autoloaded.

Code:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

class Login extends Controller {

    function Login()
    {
        parent::Controller();
        $this->load->model('security');
    }
    
    function index()
    {
        if ($_POST)
        {
            $attempt = new stdClass(); //create the credential object explicitly instead of relying on auto-vivification
            $attempt->username = $this->input->post('username', TRUE); //use XSS filter
            $attempt->password = md5($this->input->post('password', TRUE)); //hash the password
            
            //try_login() redirects to the login page itself when the attempt fails
            if ($this->security->try_login($attempt))
            {        
                redirect('home');
            }
        }
        
        $data = array(
            'username' => '',
            'password' => '',
            'message' => 'Enter your Username & Password to continue'
        );
        
        $this->load->view('login', $data);
    }
}
?>

Code:
<?php  if (!defined('BASEPATH')) exit('No direct script access allowed');

class Security extends Model {
    
    function Security()
    {
        parent::Model();
    }
    
    function current_user()
    {
        $user = $this->session->userdata('user');
        
        //check if current user detail is not changed/deleted
        //(try_login() redirects to the login page when $user is missing or no longer matches)
        if ($this->try_login($user))
        {
            return $this->session->userdata('user');
        }
    }
    
    function try_login($attempt)
    {
        //userdata() returns FALSE when nothing is stored, so guard before reading ->password
        if (is_object($attempt) && !empty($attempt->password))
        {
            //prevent SQL injection in username; escape() returns the value already quoted
            $attempt->username = $this->db->escape($attempt->username);

            //find username
            $query = $this->db->query("SELECT * FROM `users` WHERE `username` = {$attempt->username}");
            $user = $query->row();
            
            //check password & create user object in session if ok
            //row() gives back no object for an unknown username; compare with === so that
            //PHP does not treat hashes such as "0e..." as numbers and call them equal
            if (is_object($user) && $user->password === $attempt->password)
            {
                $user->category = strToLower($user->category); //user role
                $this->session->set_userdata('user', $user);
                return TRUE;
            }
        }
        
        //otherwise bail
        $this->session->sess_destroy();
        redirect('login');
    }
}
?>

Code:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

class Home extends Controller {

    function Home()
    {
        parent::Controller();
        $this->load->model('security');
    }
    
    function index()
    {        
        //current_user() redirects to the login page when the session holds no valid user
        $user = $this->security->current_user();
    }
}
?>
Any thoughts?

#2
[eluser]Michael Wales[/eluser]
You are storing passwords in plain-text. :bug:

#3
[eluser]wiredesignz[/eluser]
Nice catch.

Yes I am, what are the potential problems?

#4
[eluser]tonanbarbarian[/eluser]
You should always store passwords hashed, either with md5 or some other function like sha1.

If the password is stored in plain text then any SQL injection attack could be used to retrieve the password if you are not careful.

Also you might want to salt the password before you store it, and check it. Salting also helps with other exploits.
Some hackers will use an SQL injection attack to get the password hash, and then they will use online tools to see if they can determine a valid password that matches the hash, or they will try a brute force system to look for valid plain text that matches the hash.

If you are not aware, there could theoretically be multiple strings that match any given hash.
The MD5 hash of the letter 'a' => 0cc175b9c0f1b6a831c399e269772661 could also be the same hash as the entire works of William Shakespeare. It probably isn't, but it is possible.

To salt the password you have a config option that is the salt string.
You then add the salt to the plain text before you encrypt
i.e.

$hash = md5($this->config->item('password_salt').$password);

#5
[eluser]wiredesignz[/eluser]
Thanks. I've added MD5 hashing to the login controller and database.

Code:
$attempt->password = md5($this->input->post('password', TRUE)); //hash the password

#6
[eluser]eedfwChris[/eluser]
[quote author="tonanbarbarian" date="1196261609"]To salt the password you have a config option that is the salt string.
You then add the salt to the plain text before you encrypt
i.e.

$hash = md5($this->config->item('password_salt').$password);[/quote]

I think he missed your salt addition...

It is highly recommended that you also add a "SALT" (see Salt) to your password (or even md5 string) otherwise the password could easily be cracked using Rainbow tables (see Rainbow Tables). Storing JUST a md5 (or sha1) only slightly makes cracking more difficult.

Adding a "SALT" usually renders a rainbow table useless.
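
The following is an added example, not code from this thread or from CodeIgniter, illustrating both tonanbarbarian's recipe in #4 (one `password_salt` config value prepended before md5) and the rainbow-table point above. It puts three storage schemes side by side: unsalted MD5 as in the posted controller, the site-wide salt from #4, and a per-user random salt stored next to the hash, and finishes with PHP's built-in `password_hash()`. The config value, usernames and passwords are constructed for the demonstration.

```php
<?php
// Added example: three ways of storing the same password, and what an attacker
// with a dump of the `users` table can do with each. Run with: php salts.php

// 1. Unsalted MD5, as in the posted login controller. Any public MD5 table
//    (or a search engine) maps the stored value straight back to the password.
function hash_unsalted(string $password): string
{
    return md5($password);
}

// 2. Site-wide salt from config, the scheme described in post #4. Public tables
//    no longer apply, but one table built for this site covers every account.
function hash_site_salt(string $site_salt, string $password): string
{
    return md5($site_salt . $password);
}

// 3. Per-user random salt. Each record gets its own salt, so a table (or a
//    successful crack) for one record says nothing about any other record.
function hash_user_salt(string $password, ?string $salt = null): string
{
    $salt = $salt ?? bin2hex(random_bytes(16)); // 32 hex chars, fresh for every user
    return $salt . '$' . md5($salt . $password); // stored as "salt$hash" in one column
}

function verify_user_salt(string $password, string $stored): bool
{
    [$salt, $hash] = explode('$', $stored, 2);
    // hash_equals() is constant-time and never type-juggles; with == PHP would call
    // two hashes that both look like "0e..." equal because it compares them as numbers.
    return hash_equals($hash, md5($salt . $password));
}

// Two constructed users who happened to choose the same password.
$alice = 'hunter2';
$bob   = 'hunter2';
$site_salt = 'example-config-salt'; // constructed; in CI this would be $this->config->item('password_salt')

printf("unsalted  : %s / %s\n", hash_unsalted($alice), hash_unsalted($bob));
printf("site salt : %s / %s\n", hash_site_salt($site_salt, $alice), hash_site_salt($site_salt, $bob));
$a = hash_user_salt($alice);
$b = hash_user_salt($bob);
printf("user salt : %s\n            %s\n", $a, $b);

// Same-password users are indistinguishable under the first two schemes and
// different under the third, which is exactly what defeats a shared table.
assert(hash_unsalted($alice) === hash_unsalted($bob));
assert(hash_site_salt($site_salt, $alice) === hash_site_salt($site_salt, $bob));
assert($a !== $b);
assert(verify_user_salt('hunter2', $a) && verify_user_salt('hunter2', $b));
assert(!verify_user_salt('Hunter2', $a));

// 4. The current answer: password_hash() picks the per-user salt itself and uses a
//    deliberately slow algorithm (bcrypt by default), so brute force is costly as
//    well as untabulated. The salt is embedded in the returned string.
$stored = password_hash($alice, PASSWORD_DEFAULT);
assert(password_verify('hunter2', $stored));
assert(!password_verify('hunter3', $stored));
echo "password_hash: $stored\n";
```

One consequence for the code in #1: with a per-user salt (or `password_hash()`) the controller can no longer hash the submitted password before handing it to the model, because the salt lives in the user's row. The lookup by username happens first, and `try_login()` then verifies the plain-text attempt against the stored value.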

#7
[eluser]eedfwChris[/eluser]
That's lame, the forums strip brackets in URLs and then don't allow ")". Search for "Salt Cryptography" on Wikipedia.

#8
[eluser]wiredesignz[/eluser]
Thanks. I did see it. Will do some research.

#9
[eluser]Michael Wales[/eluser]
I made a post in these forums about using Salts as well - just do a search for 'security salt' - should come up that way.

#10
[eluser]Senso[/eluser]
You're storing the whole 'users' row in the cookie? That's probably not a good idea.
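
On Senso's point: in CodeIgniter 1.x the session library keeps its userdata in the session cookie unless database sessions are enabled, so `set_userdata('user', $user)` sends the whole row, password hash included, to the browser on every response. The following is an added example, not code from this thread or from CodeIgniter, showing the alternative of keeping only the user id and role in the session and re-reading the row on each request. It uses plain PDO with an in-memory SQLite table standing in for the `users` table and a plain array standing in for `$this->session`; the column names (id, username, password, category, email) and the sample user are assumed for the demonstration.

```php
<?php
// Added example: keep the session small and re-fetch the user on every request.
// Run with: php session_min.php

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, category TEXT, email TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password, category, email) VALUES (?, ?, ?, ?)');
$ins->execute(['alice', password_hash('hunter2', PASSWORD_DEFAULT), 'Admin', 'alice@example.invalid']); // constructed user

// try_login: verify the credential, then put only an identifier and the role in the session.
function try_login(PDO $db, array &$session, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password, category FROM users WHERE username = ?');
    $stmt->execute([$username]);                      // bound parameter, no hand-escaping
    $user = $stmt->fetch(PDO::FETCH_OBJ);
    if ($user === false || !password_verify($password, $user->password)) {
        $session = [];                                // nothing about the attempt survives
        return false;
    }
    $session = ['user_id' => (int) $user->id, 'role' => strtolower($user->category)];
    return true;
}

// current_user: re-read the row each time so a deleted or demoted account drops out,
// and never select the password column into anything that leaves the model.
function current_user(PDO $db, array &$session): ?object
{
    if (!isset($session['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, category, email FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_OBJ);
    if ($user === false) {
        $session = [];                                // the account is gone; log out
        return null;
    }
    $user->category = strtolower($user->category);
    $session['role'] = $user->category;               // refresh the cached role from the database
    return $user;
}

$session = [];
assert(!try_login($db, $session, 'alice', 'wrong'));
assert($session === []);
assert(try_login($db, $session, 'alice', 'hunter2'));
assert($session === ['user_id' => 1, 'role' => 'admin']);
assert(!isset($session['password']));                 // the hash never reaches the cookie

$me = current_user($db, $session);
assert($me->username === 'alice' && !isset($me->password));

$db->exec("UPDATE users SET category = 'Member' WHERE id = 1");
assert(current_user($db, $session)->category === 'member'); // change is visible on the next request
$db->exec('DELETE FROM users WHERE id = 1');
assert(current_user($db, $session) === null && $session === []);
echo "ok\n";
```

The extra query per request is the price of the re-check the original `current_user()` already wanted ("check if current user detail is not changed/deleted"); it now costs one primary-key lookup instead of a second password comparison against data that came from the client.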

