Fix plain text in user authentication.

This commit is contained in:
Christos Choutouridis 2026-01-11 18:38:08 +02:00
parent 57cc2c3fa0
commit c06e1bd64b
2 changed files with 29 additions and 24 deletions


@ -31,7 +31,7 @@ CREATE TABLE IF NOT EXISTS `login_users` (
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci; ) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
INSERT INTO `login_users` (`id`, `username`, `password`) VALUES INSERT INTO `login_users` (`id`, `username`, `password`) VALUES
(1, 'u1', 'p1'); (1, 'u1', '$2y$10$L18u5/PyVkDgsce/DsUOQu0sKhTzh854Euhog3cVb1W4YAfgRzY8W'); /* php -r 'echo password_hash("p1", PASSWORD_DEFAULT), PHP_EOL;' */
CREATE TABLE IF NOT EXISTS `notes` ( CREATE TABLE IF NOT EXISTS `notes` (
`notesid` int(11) NOT NULL AUTO_INCREMENT, `notesid` int(11) NOT NULL AUTO_INCREMENT,
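Review bot: The seed row now stores a bcrypt hash, but the comment on the same line documents the plaintext password `p1`, so this fixture still carries a known credential; keep the INSERT out of any non-development deployment or drop it from the production schema. The `password` column's definition sits above this hunk, so its width cannot be checked here; PASSWORD_DEFAULT output is 60 characters today and the PHP manual recommends a 255-character column so a future default algorithm still fits. The CREATE TABLE statement this hunk belongs to starts outside the view.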


@ -26,46 +26,51 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
// } // }
require_once __DIR__ . "/config.php"; require_once __DIR__ . "/config.php";
// SQL injection mitigation: use a prepared statement with bound parameters. // Authentication with hashed passwords:
// User input is treated strictly as data, not as part of the SQL syntax. // 1) Fetch the stored hash by username
$stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?"); // SQL injection mitigation: use a prepared statement with bound parameters.
// User input is treated strictly as data, not as part of the SQL syntax.
// 2) Verify the submitted password with password_verify()
$stmt = $conn->prepare("SELECT id, password FROM login_users WHERE username = ?");
if ($stmt === false) { if ($stmt === false) {
// Fail closed (do not leak details in production). // Fail closed (do not leak details in production).
die("Prepare failed."); die("Prepare failed.");
} }
$stmt->bind_param("ss", $username, $password); $stmt->bind_param("s", $username);
$stmt->execute(); $stmt->execute();
$stmt->store_result(); // Needed to use $stmt->num_rows
$result = $stmt->get_result(); // Requires mysqlnd (usually enabled)
unset($_POST['username']); unset($_POST['username']);
unset($_POST['password']); unset($_POST['password']);
if ($stmt->num_rows >= 1) { if ($result && $result->num_rows === 1) {
// Regenerate session ID to prevent session fixation! $row = $result->fetch_assoc();
//session_regenerate_id(true); $stored_hash = $row["password"];
// Successfully logged in // Verify password against the stored hash.
$_SESSION['username'] = $username; if (password_verify($password, $stored_hash)) {
$_SESSION['loggedin'] = true; // Regenerate session ID to prevent session fixation!
//session_regenerate_id(true);
//while ($row = $result -> fetch_assoc()) { // Successfully logged in
// print_r($row); $_SESSION['username'] = $username;
// $_SESSION['user_id'] = $row['id']; $_SESSION['loggedin'] = true;
//}
// Close $stmt->close();
$stmt->close(); $conn->close();
$conn -> close();
// Redirect to a dashboard page header("Location: dashboard.php");
header("Location: dashboard.php"); exit;
exit; } else {
$login_message = "Invalid username or password";
}
} else { } else {
$login_message = "Invalid username or password"; $login_message = "Invalid username or password";
} }
$stmt->close(); $stmt->close();
$conn -> close(); $conn->close();
} }
} }
?> ?>
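Review bot: `session_regenerate_id(true);` is still commented out on the line after the "prevent session fixation" comment, so a successful password_verify() marks `$_SESSION['loggedin']` on a session id the client may have supplied; uncomment it before the `$_SESSION` assignments. A username that does not exist skips password_verify() entirely, so the two failure branches can take noticeably different time; calling `password_verify($password, DUMMY_HASH);` against a fixed constructed hash (DUMMY_HASH is a placeholder name) in the outer else branch keeps the paths comparable. After a successful verify, `password_needs_rehash($stored_hash, PASSWORD_DEFAULT)` would let stored hashes be upgraded when the default cost changes. The enclosing `if ($_SERVER["REQUEST_METHOD"] === "POST")` block begins above the hunk.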