Tackling user logins and failed login attempts
In my earlier programming years, when it came to logins they were... very weak.. very simple.. and at the same time very insecure.
More recently, I have been trying to learn more about PHP security and have been trying to refine my login scripts to be more secure.
With my latest script I am using captcha to help stave off attempted robotic submissions, but since most malicious attempts are more likely to be human all the captcha does is slow them down. To get around someone trying to guess passwords, I started figuring out how to make a strikes system. Not new technology of course, but I am relatively new to "professional" programming and am still figuring some things out.
if($login_attempts >= 5){
header('Location: banned.html');
$ip = $_SERVER['REMOTE_ADDR'];
$query = mysql_query("INSERT INTO banned_ip (userid,ipaddress)
VALUES ('$userid','$ip')");
}else{
The code above was the easiest way I could think of doing it. Pretty much, whenever a user has a failed attempt it adds 1 to their current attempt level. If they hit 5, no matter which page they view it will redirect them to banned.html. This is not a timed ban, a user with access has to remove the ban. It could be easily setup on a cron to be timed, but I didn't want them to be able to get back in without getting ahold of me.
If the user enters the correct login information before the 5 strikes, his/her strikes are wiped out and are allowed into the system.
The next problem I have always ran into is sanitizing user submitted input, at first I would always just use htmlspecialchars() or various other functions found throughout the intenet. Well, those just didn't cut it... The best one I have found so far took quite a bit of digging to find but works great so far!
// Sanitization functions for PHP
// by: Gavin Zuchlinski, Jamie Pratt, Hokkaido
// webpage: http://libox.net
// Last modified: September 27, 2003
///////////////////////////////////////
// Function list:
// sanitize_paranoid_string($string) -- input string, returns string stripped of all non
// alphanumeric
// sanitize_system_string($string) -- input string, returns string stripped of special
// characters
// sanitize_sql_string($string) -- input string, returns string with slashed out quotes
// sanitize_html_string($string) -- input string, returns string with html replacements
// for special characters
// sanitize_int($integer) -- input integer, returns ONLY the integer (no extraneous
// characters
// sanitize_float($float) -- input float, returns ONLY the float (no extraneous
// characters)
// sanitize($input, $flags) -- input any variable, performs sanitization
// functions specified in flags. flags can be bitwise
// combination of PARANOID, SQL, SYSTEM, HTML, INT, FLOAT, LDAP,
// UTF8
///////////////////////////////////////
define("PARANOID", 1);
define("SQL", 2);
define("SYSTEM", 4);
define("HTML", 8);
define("INT", 16);
define("FLOAT", 32);
define("LDAP", 64);
define("UTF8", 128);// internal function for utf8 decoding
// thanks to Jamie Pratt for noticing that PHP's function is a little
// screwy
function my_utf8_decode($string)
{
return strtr($string,
"???????•µ¿¡¬√ƒ≈∆«»… ÀÃÕŒœ–—“”‘’÷ÿŸ⁄€‹›fl‡·‚„‰ÂÊÁËÈÍÎÏÌÓÔÒÚÛÙıˆ¯˘˙˚¸˝ˇ",
"SOZsozYYuAAAAAAACEEEEIIIIDNOOOOOOUUUUYsaaaaaaaceeeeiiiionoooooouuuuyy");
}// paranoid sanitization -- only let the alphanumeric set through
function sanitize_paranoid_string($string, $min='', $max='')
{
$string = preg_replace("/[^a-zA-Z0-9]/", "", $string);
$len = strlen($string);
if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
return FALSE;
return $string;
}// sanitize a string in prep for passing a single argument to system() (or similar)
function sanitize_system_string($string, $min='', $max='')
{
$pattern = '/(;|\||`|>|<|&|^|"|'."\n|\r|'".'|{|}|[|]|\)|\()/i'; // no piping, passing possible environment variables ($),
// seperate commands, nested execution, file redirection,
// background processing, special commands (backspace, etc.), quotes
// newlines, or some other special characters
$string = preg_replace($pattern, '', $string);
$string = '"'.preg_replace('/\$/', '\\\$', $string).'"'; //make sure this is only interpretted as ONE argument
$len = strlen($string);
if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
return FALSE;
return $string;
}// sanitize a string for SQL input (simple slash out quotes and slashes)
function sanitize_sql_string($string, $min='', $max='')
{
$pattern[0] = '/(\\\\)/';
$pattern[1] = "/\"/";
$pattern[2] = "/'/";
$replacement[0] = '\\\\\\';
$replacement[1] = '\"';
$replacement[2] = "\\'";
$len = strlen($string);
if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
return FALSE;
return preg_replace($pattern, $replacement, $string);
}// sanitize a string for SQL input (simple slash out quotes and slashes)
function sanitize_ldap_string($string, $min='', $max='')
{
$pattern = '/(\)|\(|\||&)/';
$len = strlen($string);
if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
return FALSE;
return preg_replace($pattern, '', $string);
}// sanitize a string for HTML (make sure nothing gets interpretted!)
function sanitize_html_string($string)
{
$pattern[0] = '/\&/';
$pattern[1] = '/</';
$pattern[2] = "/>/";
$pattern[3] = '/\n/';
$pattern[4] = '/"/';
$pattern[5] = "/'/";
$pattern[6] = "/%/";
$pattern[7] = '/\(/';
$pattern[8] = '/\)/';
$pattern[9] = '/\+/';
$pattern[10] = '/-/';
$replacement[0] = '&';
$replacement[1] = '<';
$replacement[2] = '>';
$replacement[3] = '<br>';
$replacement[4] = '"';
$replacement[5] = ''';
$replacement[6] = '%';
$replacement[7] = '(';
$replacement[8] = ')';
$replacement[9] = '+';
$replacement[10] = '-';
return preg_replace($pattern, $replacement, $string);
}// make int int!
function sanitize_int($integer, $min='', $max='')
{
$int = intval($integer);
if((($min != '') && ($int < $min)) || (($max != '') && ($int > $max)))
return FALSE;
return $int;
}// make float float!
function sanitize_float($float, $min='', $max='')
{
$float = floatval($float);
if((($min != '') && ($float < $min)) || (($max != '') && ($float > $max)))
return FALSE;
return $float;
}// glue together all the other functions
function sanitize($input, $flags, $min='', $max='')
{
if($flags & UTF8) $input = my_utf8_decode($input);
if($flags & PARANOID) $input = sanitize_paranoid_string($input, $min, $max);
if($flags & INT) $input = sanitize_int($input, $min, $max);
if($flags & FLOAT) $input = sanitize_float($input, $min, $max);
if($flags & HTML) $input = sanitize_html_string($input, $min, $max);
if($flags & SQL) $input = sanitize_sql_string($input, $min, $max);
if($flags & LDAP) $input = sanitize_ldap_string($input, $min, $max);
if($flags & SYSTEM) $input = sanitize_system_string($input, $min, $max);
return $input;
}
The code above appears to work great, with every test i've thrown at it. Of course, I am not a master at PHP security. If anyone out there is, please feel free to let me know just how this function ranks to others. I use the script above to filter just about everything, POST, GET...everything! In fact, I don't even trust my input so I filter it as well!
Encryption, while not the most secure MD5 seems to be still the most popular. I wanted to be different, so in my script I am using a more secure encryption sha1.. unfortunately sha512 ( I think thats what its called ) is not available in php4 :( Once again, if there are any security concious PHP devs reading this, feel free to recommend a better encryption method :)