PHP Your Authenticode code security code?

PHP Your Authenticode code security code? _php Tips

Last Update:2017-01-18 Source: Internet

Author: User

Tags setcookie administrator password

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

The main role of the verification code is to prevent violent cracking, to prevent malicious irrigation, to prevent automatic submission, and so on, here I will not say more. The type of the verification code also has numbers, letters and so on, and even the more powerful points of Chinese. But no matter how bad your verification code is, as long as you have the following errors in the form verification, your verification code is in a fake!

The general idea of the verification code is to access a script file every time you log in, which generates a picture with a captcha and writes the value to the session, and when you submit it, the script verifies that the code submitted is consistent with the session.

The problem arises, in the login password error, we do not access to generate validation pictures of the file, then if the session of the verification code is not emptied, at this time the verification code is the same as last time, the hard construction of the verification code mechanism is in the form of a fake.

Let's take a look at some of the problematic code here:
Landing section:

CODE:

<TR>
<TD>Administrator Name: -->TD>
<TD><input type="Text"name="username"/> -->TD>
-->TR>
<TR>
<TD>Administrator Password: -->TD>
<TD><input type="Password"name="Password"/> -->TD>
-->TR>
<TR>
<TD>Verification Code: -->TD>
<TD><input type="Text"name="Captcha"onkeyup="Presscaptcha (This)"/> -->TD>
-->TR>
<TR>
<TD colspan="2"Align="Right">
<img SRC="index.php?act=captcha&1628020115"width="145"Height="a"alt="CAPTCHA"Border="1"onclick= This.src="index.php?act=captcha&"+Math.Random() style="Cursor:pointer;"title="Can't see clearly?" Click Replace another verification code. " />
TD>
tr>
?>

Here is no problem, to see the login verification code (I think this kind of validation ideas, but also most people are using the bar):

CODE:

/*------------------------------------------------------ */
--Verify login information
/*------------------------------------------------------ */
if ($_request[' act '] == ' signin ')
{
Include ('.. /includes/cls_captcha.php ');

/ * Check the verification code is correct * *
$validator= newCaptcha();
if (!$validator->Check_word($_post[' Captcha ']))
{
sys_msg($_lang[' Captcha_error '], 1);
}

/ * Check password is correct * *
$sql= "Select user_id, user_name, password, action_list from".$ecs->Table(' Admin_user ').
"WHERE user_name= ' $_post[username] ' and password= '".MD5($_post[' Password ']). "'";
$row= $db->GetRow($sql);

if ($row)
{
//Login Successful
set_admin_session($row[' user_id '], $row[' user_name '], $row[' Action_list ']);

//Update last logon time and IP
$db->Execute("UPDATE".$ecs->Table(' Admin_user ').
"SET last_time= '".Date(' y-m-d h:i:s ', Time()). "', last_ip= '".real_ip(). "'".
"WHERE user_id=$_session[admin_id]") OR die ($db->errormsg());

if (Isset ($_post[' Remember ']))
{
Setcookie(' ecscp[admin_id] ', $row[0], Time() + 3600* -* 360);
Setcookie(' Ecscp[admin_pass] ', MD5($row[' Password '] . $_cfg[' Hash_code ']), Time() + 3600* -* 360);
}

Header(' location:./');
}
Else
{
sys_msg($_lang[' Login_faild '], 1);
}
}
?>

The problem is in the above code, after checking the password error, and did not update the verification code, so we can take the landing page of the Verification Code picture part of the removal, and as long as the URL access to the page authentication code, you can only submit the user name, password, just get the verification code to achieve brute force to crack, using this method, The same can be achieved irrigation, such as brush tickets.
You can look at the following picture, enhance the point of intuitive understanding.
' This.width= '; if (this.height> ') ' this.height= '; border=0>

Solution: We need to check the password after the error to update the code, for messages, and other types, but also to update the verification code after the successful submission.

Security is the case, we always want to make their own procedures more secure, but under normal circumstances, we always walk in the conventional thinking, so that we have a lot of "unconventional loopholes", or called "defects", in short, is not perfect. I write this article in addition to point out the above problem, but also hope that everyone can act up, with "unconventional" vision, re-examine their own procedures, more previously did not find the small problem of the post, so that everyone together to improve!

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More