PHP Your Authenticode code security code? _php Tips

Source: Internet
Author: User
Tags setcookie administrator password
The main role of the verification code is to prevent violent cracking, to prevent malicious irrigation, to prevent automatic submission, and so on, here I will not say more. The type of the verification code also has numbers, letters and so on, and even the more powerful points of Chinese. But no matter how bad your verification code is, as long as you have the following errors in the form verification, your verification code is in a fake!

The general idea of the verification code is to access a script file every time you log in, which generates a picture with a captcha and writes the value to the session, and when you submit it, the script verifies that the code submitted is consistent with the session.

The problem arises, in the login password error, we do not access to generate validation pictures of the file, then if the session of the verification code is not emptied, at this time the verification code is the same as last time, the hard construction of the verification code mechanism is in the form of a fake.

Let's take a look at some of the problematic code here:
Landing section:

CODE:
<TR>
<TD>Administrator Name: -->TD>
<TD><input type="Text"name="username"/> -->TD>
-->TR>
<TR>
<TD>Administrator Password: -->TD>
<TD><input type="Password"name="Password"/> -->TD>
-->TR>
<TR>
<TD>Verification Code: -->TD>
<TD><input type="Text"name="Captcha"onkeyup="Presscaptcha (This)"/> -->TD>
-->TR>
<TR>
<TD colspan="2"Align="Right">
<img SRC="index.php?act=captcha&1628020115"width="145"Height="a"alt="CAPTCHA"Border="1"onclick=  This.src="index.php?act=captcha&"+Math.Random() style="Cursor:pointer;"title="Can't see clearly?" Click Replace another verification code. " />
TD>
tr>
?>
Here is no problem, to see the login verification code (I think this kind of validation ideas, but also most people are using the bar):

CODE:
/*------------------------------------------------------ */
--Verify login information
/*------------------------------------------------------ */
if ($_request[' act '] == ' signin ')
{
Include ('.. /includes/cls_captcha.php ');

/ * Check the verification code is correct * *
$validator= newCaptcha();
if (!$validator->Check_word($_post[' Captcha ']))
{
sys_msg($_lang[' Captcha_error '], 1);
}

/ * Check password is correct * *
$sql= "Select user_id, user_name, password, action_list from".$ecs->Table(' Admin_user ').
"WHERE user_name= ' $_post[username] ' and password= '".MD5($_post[' Password ']). "'";
$row= $db->GetRow($sql);

if ($row)
{
//Login Successful
set_admin_session($row[' user_id '], $row[' user_name '], $row[' Action_list ']);

//Update last logon time and IP
$db->Execute("UPDATE".$ecs->Table(' Admin_user ').
"SET last_time= '".Date(' y-m-d h:i:s ',  Time()). "', last_ip= '".real_ip(). "'".
"WHERE user_id=$_session[admin_id]") OR die ($db->errormsg());

if (Isset ($_post[' Remember ']))
{
Setcookie(' ecscp[admin_id] ',    $row[0],  Time() + 3600*  -* 360);
Setcookie(' Ecscp[admin_pass] ',  MD5($row[' Password '] . $_cfg[' Hash_code ']),  Time() + 3600*  -* 360);
}

Header(' location:./');
}
Else
{
sys_msg($_lang[' Login_faild '], 1);
}
}
?>
The problem is in the above code, after checking the password error, and did not update the verification code, so we can take the landing page of the Verification Code picture part of the removal, and as long as the URL access to the page authentication code, you can only submit the user name, password, just get the verification code to achieve brute force to crack, using this method, The same can be achieved irrigation, such as brush tickets.
You can look at the following picture, enhance the point of intuitive understanding.
' This.width= '; if (this.height> ') ' this.height= '; border=0>

Solution: We need to check the password after the error to update the code, for messages, and other types, but also to update the verification code after the successful submission.

Security is the case, we always want to make their own procedures more secure, but under normal circumstances, we always walk in the conventional thinking, so that we have a lot of "unconventional loopholes", or called "defects", in short, is not perfect. I write this article in addition to point out the above problem, but also hope that everyone can act up, with "unconventional" vision, re-examine their own procedures, more previously did not find the small problem of the post, so that everyone together to improve!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.