Simple login form with cookies

> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
> .'\'))';
>
> I use this solution because md5 run faster in Mysql
>
>
>
>
> --
> Martin Scotta
>

> On Wed, Jul 8, 2009 at 9:48 AM, Martin Scotta<martinscotta@...> wrote:
>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
>> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
>> .'\'))';
>>
>> I use this solution because md5 run faster in Mysql
>>
>>
>>
>>
>> --
>> Martin Scotta
>>
>
> If you were running a loop to build a rainbow table or brute-force a
> password, I could see where that would matter. For authenticating a
> single user it seems like premature optimization to me. On my
> development machine, where PHP runs slow inside of the IDE, the
> average time to perform an md5 hash on a text string of 38 characters
> (much longer than most passwords) over 10000 iterations is around
> 0.00085 seconds. I can live with that. :-)  I still like handling the
> encryption in PHP and then passing the encrypted value to the database
> for storage/comparison.
>
> Andrew
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

>     First, a reminder to several (including some in this thread) that
> top-posting is against the law here.
>
> On Wed, Jul 8, 2009 at 09:48, Martin Scotta<martinscotta@...> wrote:
>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
>> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
>> .'\'))';
>
>     Second, another, more important reminder:
>
> <?php
> $username = '" OR 1 OR "';
> ?>
>
>     Since the first rows in a database are usually the default
> administrator logins, the first to match what is basically a 'match if
> this is a row' statement will be logged in.  The moral of the story:
> don't forget to clean your input (which I'm sure ya'all were doing....
> but with top-posters, you never know ;-P).
>

> Daniel Brown wrote:
>>     First, a reminder to several (including some in this thread) that
>> top-posting is against the law here.
>>
>> On Wed, Jul 8, 2009 at 09:48, Martin Scotta<martinscotta@...>
>> wrote:
>>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
>>> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
>>> .'\'))';
>>
>>     Second, another, more important reminder:
>>
>> <?php
>> $username = '" OR 1 OR "';
>> ?>
>>
>>     Since the first rows in a database are usually the default
>> administrator logins, the first to match what is basically a 'match if
>> this is a row' statement will be logged in.  The moral of the story:
>> don't forget to clean your input (which I'm sure ya'all were doing....
>> but with top-posters, you never know ;-P).
>>
>
> prepared statements really do a pretty good job at neutering sql
> injection. But one shouldn't be lazy with input validation anyway.
>

> Michael A. Peters wrote:
>> Daniel Brown wrote:
>>>     First, a reminder to several (including some in this thread) that
>>> top-posting is against the law here.
>>>
>>> On Wed, Jul 8, 2009 at 09:48, Martin Scotta<martinscotta@...>
>>> wrote:
>>>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
>>>> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
>>>> .'\'))';
>>>
>>>     Second, another, more important reminder:
>>>
>>> <?php
>>> $username = '" OR 1 OR "';
>>> ?>
>>>
>>>     Since the first rows in a database are usually the default
>>> administrator logins, the first to match what is basically a 'match if
>>> this is a row' statement will be logged in.  The moral of the story:
>>> don't forget to clean your input (which I'm sure ya'all were doing....
>>> but with top-posters, you never know ;-P).
>>>
>>
>> prepared statements really do a pretty good job at neutering sql
>> injection. But one shouldn't be lazy with input validation anyway.
>>
> I have a couple of questions/comments re all this:
>
> 1. Doing the login and processing through https should add a bit more
> security, it seems to me.

> 2. Cleaning is another bloody headache, for me anyway. I have found that
> almost every time I try to do some cleaning with trim and
> mysql_real_escape_string and stripslashes wipes out my usernames and
> passwords. I havent' been able to use them when doing the crypt and
> encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit
> lost on this.
> Specifically, this wipes out my login and password... (I know, this is
> old code, but it is supposed to work, no? )
> //Function to sanitize values received from the form. Prevents SQL injection
>    function clean($str) {
>        $str = @trim($str);
>        if(get_magic_quotes_gpc()) {
>            $str = stripslashes($str);
>        }
>        return mysql_real_escape_string($str);
>    }
>
>    //Sanitize the POST values
>    $login = clean($_POST['login']);
>    $password = clean($_POST['password']);
>
> When I echoes the cleaned $login and $password, they looked like they
> had just gone through an acid bath before being hit by katerina
> (hurricane)... ;-) rather whitewashed and empty. There was nothing left
> to work with.

> On Wed, Jul 8, 2009 at 12:14, Tony Marston<tony@...>
> wrote:
>> No it isn't. That's just your personal preference. Mine is different.
>
>    Uhh.... Tony, if that's in response to me, you're wrong.  Please
> read the rules before posting what you believe to be fact.  ;-P
>
> --
> </Daniel P. Brown>
> daniel.brown@... || danbrown@...
> http://www.parasane.net/ || http://www.pilotpig.net/
> Check out our great hosting and dedicated server deals at
> http://twitter.com/pilotpig 

> On Wed, Jul 8, 2009 at 12:38, Tony Marston<tony@...>
> wrote:
>> What rules? I never agreed to abide by any rules before I started posting
>> to
>> this group. My newsreader assumes top posting by default, so I have been
>> top
>> posting for the past 10 years. If you don't like it then it is your
>> problem,
>> not mine.
>
>    Absolutely 100% completely incorrect, and in all honesty, that's
> quite an ignorant attitude.  That's not to say that I think *you* are
> ignorant, but rather the attitude toward established rules and
> guidelines that have been around long before you began posting, and
> will remain long after you leave.
>
>    See:
>        http://php.net/mailing-lists.php --- which links to:
>            http://php.net/reST/php-src/README.MAILINGLIST_RULES
> (Specifically: "General" #3)
>
>    So while it's my problem, it is also *your* problem, as the offender.
>
>    If you didn't agree to rules beforehand, that's your issue.
> Ignorance is not a defense.  You were - or had the opportunity to be -
> made aware of the rules of the list, and as such, agree to abide by
> them by continuing to post in this - or any - public forum.  Much the
> same as, by traveling to a foreign country, you agree to be bound by
> their rules and regulations.  You cannot simply claim that you did not
> know of a rule.
>
>    And for the record, Gmail assumes top-posting as well.  It takes
> between one and three seconds to align each message properly, which is
> a pain in the butt each time, I agree, but it's something that has to
> be done.  Otherwise, it breaks threads and makes the archives very
> difficult to read --- damning the purpose of even having them there
> for the benefit of others on the Internet.
>
>    For years, we've all adapted to this, because they were the rules,
> and because we respect each other enough in the community to follow
> them.  Here's hoping that you won't be the odd-man-out of that
> respectful group.
>
>    Thanks.
>
> --
> </Daniel P. Brown>
> daniel.brown@... || danbrown@...
> http://www.parasane.net/ || http://www.pilotpig.net/
> Check out our great hosting and dedicated server deals at
> http://twitter.com/pilotpig 

> On Wed, Jul 8, 2009 at 12:38, Tony Marston<tony@...> wrote:
>> What rules? I never agreed to abide by any rules before I started posting to
>> this group. My newsreader assumes top posting by default, so I have been top
>> posting for the past 10 years. If you don't like it then it is your problem,
>> not mine.
>
>    Absolutely 100% completely incorrect, and in all honesty, that's
> quite an ignorant attitude.  That's not to say that I think *you* are
> ignorant, but rather the attitude toward established rules and
> guidelines that have been around long before you began posting, and
> will remain long after you leave.
>
>    See:
>        http://php.net/mailing-lists.php --- which links to:
>            http://php.net/reST/php-src/README.MAILINGLIST_RULES
> (Specifically: "General" #3)
>
>    So while it's my problem, it is also *your* problem, as the offender.
>
>    If you didn't agree to rules beforehand, that's your issue.
> Ignorance is not a defense.  You were - or had the opportunity to be -
> made aware of the rules of the list, and as such, agree to abide by
> them by continuing to post in this - or any - public forum.  Much the
> same as, by traveling to a foreign country, you agree to be bound by
> their rules and regulations.  You cannot simply claim that you did not
> know of a rule.
>
>    And for the record, Gmail assumes top-posting as well.  It takes
> between one and three seconds to align each message properly, which is
> a pain in the butt each time, I agree, but it's something that has to
> be done.  Otherwise, it breaks threads and makes the archives very
> difficult to read --- damning the purpose of even having them there
> for the benefit of others on the Internet.
>
>    For years, we've all adapted to this, because they were the rules,
> and because we respect each other enough in the community to follow
> them.  Here's hoping that you won't be the odd-man-out of that
> respectful group.
>
>    Thanks.
>
> --
> </Daniel P. Brown>
> daniel.brown@... || danbrown@...
> http://www.parasane.net/ || http://www.pilotpig.net/
> Check out our great hosting and dedicated server deals at
> http://twitter.com/pilotpig
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

> On Wed, Jul 8, 2009 at 12:50 PM, Daniel Brown<danbrown@...> wrote:
> > On Wed, Jul 8, 2009 at 12:38, Tony Marston<tony@...> wrote:
> >> What rules? I never agreed to abide by any rules before I started posting to
> >> this group. My newsreader assumes top posting by default, so I have been top
> >> posting for the past 10 years. If you don't like it then it is your problem,
> >> not mine.
> >
> >    Absolutely 100% completely incorrect, and in all honesty, that's
> > quite an ignorant attitude.  That's not to say that I think *you* are
> > ignorant, but rather the attitude toward established rules and
> > guidelines that have been around long before you began posting, and
> > will remain long after you leave.
> >
> >    See:
> >        http://php.net/mailing-lists.php --- which links to:
> >            http://php.net/reST/php-src/README.MAILINGLIST_RULES
> > (Specifically: "General" #3)
> >
> >    So while it's my problem, it is also *your* problem, as the offender.
> >
> >    If you didn't agree to rules beforehand, that's your issue.
> > Ignorance is not a defense.  You were - or had the opportunity to be -
> > made aware of the rules of the list, and as such, agree to abide by
> > them by continuing to post in this - or any - public forum.  Much the
> > same as, by traveling to a foreign country, you agree to be bound by
> > their rules and regulations.  You cannot simply claim that you did not
> > know of a rule.
> >
> >    And for the record, Gmail assumes top-posting as well.  It takes
> > between one and three seconds to align each message properly, which is
> > a pain in the butt each time, I agree, but it's something that has to
> > be done.  Otherwise, it breaks threads and makes the archives very
> > difficult to read --- damning the purpose of even having them there
> > for the benefit of others on the Internet.
> >
> >    For years, we've all adapted to this, because they were the rules,
> > and because we respect each other enough in the community to follow
> > them.  Here's hoping that you won't be the odd-man-out of that
> > respectful group.
> >
> >    Thanks.
> >
> > --
> > </Daniel P. Brown>
> > daniel.brown@... || danbrown@...
> > http://www.parasane.net/ || http://www.pilotpig.net/
> > Check out our great hosting and dedicated server deals at
> > http://twitter.com/pilotpig
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>
> Gmail on iPhone/iPod touch does the same thing. Fortunately with
> copy'n'paste I can now get it to work thru the email interface. The
> web version of gmail (while nicer looking) is giving me grief in
> moving to the bottom of the message when attempting a reply (hence the
> few replies that are top posted, sorry ;-P )
> --
>
> Bastien
>
> Cat, the other other white meat
>

> On Wed, Jul 8, 2009 at 13:02, Tony Marston<tony@...>
> wrote:
>> I do not regard that as a concrete rule, and certainly not one worth
>> bothering about. Lots of newsgroups I visited before coming here allowed
>> top
>> posting, so it is arrogant for someone to say "I personally don't like
>> top
>> posting, so I'll make a rule that disallows it". A sensible rule, and one
>> which I have no problem in following, is that if a question is posted in
>> English then I will answer in English. That makes sense, whereas "no top
>> posting" does not.
>
>    No matter anymore.  You've expressed your distaste for the rules
> and your intent on disregarding them, which - in turn - shows that (a)
> you believe yourself to be beyond the need to respect the guidelines
> the rest of the community follows; and (b) you couldn't give a damn
> about contributing to good, solid archives.
>
>    There's certainly no way we can force you to follow the rules, so
> I'm done discussing it.  It's just a shame that it's not going to work
> out in a manner that doesn't speak volumes about your negative
> attitude toward others.
>
>    Best of luck in everything you do.
>
> --
> </Daniel P. Brown>
> daniel.brown@... || danbrown@...
> http://www.parasane.net/ || http://www.pilotpig.net/
> Check out our great hosting and dedicated server deals at
> http://twitter.com/pilotpig 

> From: Tony Marston
>
> > I do not follows rules which cannot be justified beyond the expression
> "It
> > is there, so obey it!" Why is it there? What are the alternatives?
> What harm
> > does it do? What happens if the rule is disobeyed? Top posting existed
> in
> > the early days of the internet, and for a logical reason. Then some
> arrogant
> > prat came along and said "I don't like this, so I am going to make a
> rule
> > which forbids it!". I don't like this rule, so I choose to disobey it.
>
> Daniel already explained to you why it is there. Long threads get too
> confusing with top posting. When posted correctly they read
> chronologically from top to bottom so they can be followed and
> understood when referenced a year or two later.
>
> Top posting did not exist in the early days of the Internet. I was
> active on email listserves and Usenet newsgroups 18 years ago, long
> before Microsoft discovered them and decided that top posting should be
> the norm. All of the other news and email clients I have ever used
> defaulted to bottom posting. It was only in Outlook 2003 that Microsoft
> finally removed that option completely. Previous versions allowed bottom
> posting and even handled the attribution markup correctly.
>
> Bob McConnell
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

> From: Tony Marston
>
> > I do not follows rules which cannot be justified beyond the expression
> "It
> > is there, so obey it!" Why is it there? What are the alternatives?
> What harm
> > does it do? What happens if the rule is disobeyed? Top posting existed
> in
> > the early days of the internet, and for a logical reason. Then some
> arrogant
> > prat came along and said "I don't like this, so I am going to make a
> rule
> > which forbids it!". I don't like this rule, so I choose to disobey it.
>
> Daniel already explained to you why it is there. Long threads get too
> confusing with top posting. When posted correctly they read
> chronologically from top to bottom so they can be followed and
> understood when referenced a year or two later.
>
> Top posting did not exist in the early days of the Internet. I was
> active on email listserves and Usenet newsgroups 18 years ago, long
> before Microsoft discovered them and decided that top posting should be
> the norm. All of the other news and email clients I have ever used
> defaulted to bottom posting. It was only in Outlook 2003 that Microsoft
> finally removed that option completely. Previous versions allowed bottom
> posting and even handled the attribution markup correctly.

> On Wed, Jul 8, 2009 at 11:53 AM, PJ<af.gourmet@...> wrote:
>  
>> Michael A. Peters wrote:
>>    
>>> Daniel Brown wrote:
>>>      
>>>>     First, a reminder to several (including some in this thread) that
>>>> top-posting is against the law here.
>>>>
>>>> On Wed, Jul 8, 2009 at 09:48, Martin Scotta<martinscotta@...>
>>>> wrote:
>>>>        
>>>>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
>>>>> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
>>>>> .'\'))';
>>>>>          
>>>>     Second, another, more important reminder:
>>>>
>>>> <?php
>>>> $username = '" OR 1 OR "';
>>>> ?>
>>>>
>>>>     Since the first rows in a database are usually the default
>>>> administrator logins, the first to match what is basically a 'match if
>>>> this is a row' statement will be logged in.  The moral of the story:
>>>> don't forget to clean your input (which I'm sure ya'all were doing....
>>>> but with top-posters, you never know ;-P).
>>>>
>>>>        
>>> prepared statements really do a pretty good job at neutering sql
>>> injection. But one shouldn't be lazy with input validation anyway.
>>>
>>>      
>> I have a couple of questions/comments re all this:
>>
>> 1. Doing the login and processing through https should add a bit more
>> security, it seems to me.
>>    
>
> It does add security between your user's web browser and the web
> server. It's up to you to keep it secure once you receive it.
>
>  
>> 2. Cleaning is another bloody headache, for me anyway. I have found that
>> almost every time I try to do some cleaning with trim and
>> mysql_real_escape_string and stripslashes wipes out my usernames and
>> passwords. I havent' been able to use them when doing the crypt and
>> encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit
>> lost on this.
>> Specifically, this wipes out my login and password... (I know, this is
>> old code, but it is supposed to work, no? )
>> //Function to sanitize values received from the form. Prevents SQL injection
>>    function clean($str) {
>>        $str = @trim($str);
>>        if(get_magic_quotes_gpc()) {
>>            $str = stripslashes($str);
>>        }
>>        return mysql_real_escape_string($str);
>>    }
>>
>>    //Sanitize the POST values
>>    $login = clean($_POST['login']);
>>    $password = clean($_POST['password']);
>>
>> When I echoes the cleaned $login and $password, they looked like they
>> had just gone through an acid bath before being hit by katerina
>> (hurricane)... ;-) rather whitewashed and empty. There was nothing left
>> to work with.
>>    
>
> One thing to check - I'm pretty sure that mysql_real_escape_string
> will only work if you have an open connection to mysql,