30.06.2013, 08:38
Hey,
This really needs some major changes. I found almost every security vulnerability there could possibly be.
1. Your playertb table does not contain a primary index. You should add field `id`, being unsigned integer with auto increment enabled and used as primary index. After that you should refer to users with their id (in the database), instead of username for performance reasons.
2. Similarly, username should be set as unique index. It will speed up the time it takes MySQL to find a particular user.
3. You used password[32], which is actually one character too short. The MD5 hash is 32 characters + the end of string character, making it 33.
4. The query in IsUsernameRegistered fetches more information than necessary. You could just use 'SELECT NULL FROM playerdb...'.
5. A note on your choice of vocabulary: you're hashing the passwords, not encrypting. Encryption is a two way process, hashing is one way (the hash can't be turned back to text).
6. You are using probably the fastest hashing algorithm there is, which is bad when it comes to passwords. This means that the passwords can be relatively easily bruteforced. For reference, here's how quickly a powerful desktop PC can bruteforce MD5 passwords (uppercase, lowercase, numbers):
all 6 character password MD5s 3 seconds
all 7 character password MD5s 4 minutes
all 8 character password MD5s 4 hours
all 9 character password MD5s 10 days
all 10 character password MD5s ~625 days
7. You are not salting the passwords, thus leaving them vulnerable to both dictionary attacks and rainbow tables -- not good.
8. You are neither hashing nor escaping user input before formatting the query, leaving your script vulnerable to MySQL injections. Anyone could delete/edit all the records in your table, or even database depending on permissions of the MySQL user.
9. The password is hashed using MySQL's MD5 function. Thus the password is logged in the error logs in plain text if the query fails for any reason.
I'm sorry to say this, but I'd recommend no one to use this script in its current stage. It's just insecure in all ways.
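The points above (fast unsalted MD5, the password hashed inside the query text, and unescaped input formatted straight into SQL) side by side with a hardened version, as an added example that is not the PAWN script under review nor the SA-MP MySQL plugin's code. sqlite3 stands in for MySQL so it runs offline, and MD5() is registered as a user-defined SQL function to mimic MySQL's built-in; the table and column names (playerdb, username, password) follow the post, everything else is assumed.

```python
"""
Added example: the vulnerable registration/login pattern from the post next to
a hardened one. sqlite3 is an assumed stand-in for MySQL; MD5() is registered
below to mimic MySQL's built-in so the vulnerable query runs unchanged.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # deliberately slow, the opposite of MD5 (item 6)


def open_db():
    conn = sqlite3.connect(":memory:")
    # mimic MySQL's MD5() so the original query shape works on sqlite
    conn.create_function("MD5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.execute(
        "CREATE TABLE playerdb (id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)"
    )
    return conn


# --- vulnerable: user input formatted into SQL, MD5() evaluated by the server --

def vulnerable_register(conn, username, password):
    # the plaintext password is part of the SQL text, so any query/error log
    # that records the failed statement records the password too (item 9)
    sql = ("INSERT INTO playerdb (username, password) VALUES ('%s', MD5('%s'))"
           % (username, password))
    conn.execute(sql)
    return sql


def vulnerable_login(conn, username, password):
    # no escaping (item 8): a username such as  admin' --  ends the string and
    # comments out the password check entirely
    sql = ("SELECT id FROM playerdb WHERE username = '%s' AND password = MD5('%s')"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


# --- hardened: salted slow hash computed in the application, bound parameters --

def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats rainbow tables (item 7)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # self-describing record so the cost can be raised later without a migration
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, _ = parts
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def safe_register(conn, username, password):
    # hash first, then bind: the driver quotes the values and the SQL text
    # never contains the password, so logs cannot leak it (items 8 and 9)
    conn.execute("INSERT INTO playerdb (username, password) VALUES (?, ?)",
                 (username, hash_password(password)))


def safe_login(conn, username, password):
    row = conn.execute("SELECT password FROM playerdb WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


def md5_hex_length():
    # 32 hex characters; a C-style string needs one more byte for the terminator (item 3)
    return len(hashlib.md5(b"any input").hexdigest())


if __name__ == "__main__":
    vuln = open_db()
    print(vulnerable_register(vuln, "admin", "hunter2"))      # password visible in SQL
    print("injected login:", vulnerable_login(vuln, "admin' -- ", "wrong"))  # True

    safe = open_db()
    safe_register(safe, "admin", "hunter2")
    print("injected login:", safe_login(safe, "admin' -- ", "wrong"))       # False
    print("real login:", safe_login(safe, "admin", "hunter2"))              # True
```

The hardened version still stores a 33-byte-plus string, so the PAWN buffer would need to grow beyond password[32] anyway; sizing it for the full `pbkdf2_sha256$...` record (or any other self-describing format) is what allows the iteration count to be increased later.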
Quote:
Problems
You should have a look at Y_Less's tutorial on how to write a tutorial. For that reason, if you write a tutorial you are effectively saying you have knowledge on a subject and are qualified to write about it.