Web Design and Programming Pt 21

I create an extremely secure PHP login script using regular expressions, CAPTCHA, encryption, multiple random tokens and session token regeneration.
If you can find a way in, I'd be interested to find out how.
Code is Here:


Comments

31 responses to “Web Design and Programming Pt 21”

  1. alexander shekhtman

    got it working but it always failed. i checked the code over and over. i even got a sample code using previous version of captcha but that uses a class.function with just two arguments. when i use that one it also fails but a positive fail–it never shows a success that it promised. no matter if i use the old widget that shows up or the new one that came from a div tag with my inline public key, it always says incorrect key. i looked at every " " and nothing. the code is perfect everywhere so i am thinking i can't use it offline. what do you think?

  2. alexander shekhtman

    i got my public and private keys from google but i think they are linked to website? it says when i pass the pre-test that i need to register an api?

  3. alexander shekhtman

    there is a new captcha that i got that is under form. i tried to make both of them work but it doesn't
    where do i put my private and public keys–which fill and where exactly in the code. am thinking you can't test on a localhost anymore with captcha?

  4. alexander shekhtman

    this is how to set up the server side of captcha but i have no clue what this means can someone please help me:
    Verifying the user's response

    This page explains how to verify a user's response to a reCAPTCHA challenge from your application's backend. When a reCAPTCHA is solved by end user, a new field (g-recaptcha-response) will be populated in HTML. You can verify the user’s response in one of three ways:

    g-recaptcha-response POST parameter when the user submits the form on your site
    grecaptcha.getResponse(opt_widget_id) after the user completes the CAPTCHA challenge
    As a string argument to your callback function if data-callback is specified in either the g-recaptcha tag attribute or the callback parameter in the grecaptcha.render method
    API Request

    URL: https://www.google.com/recaptcha/api/siteverify?secret=your_secret&response=response_string&remoteip=user_ip_address

    Parameter Description
    secret Required. The shared key between your site and ReCAPTCHA.
    response Required. The user response token provided by the reCAPTCHA to the user and provided to your site on.
    remoteip Optional. The user's IP address.
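As an added example (not the video's or the commenter's code), here is the server-side check the pasted documentation describes, in PHP: the `g-recaptcha-response` value is posted to the siteverify URL together with the secret, and the JSON answer decides whether the form proceeds. The environment variable name RECAPTCHA_SECRET is an assumption.

```php
<?php
// Added example, not the video's code: server-side verification of the
// g-recaptcha-response token against the siteverify endpoint quoted above.
// RECAPTCHA_SECRET is an assumed environment variable name.

function verifyRecaptcha(string $secret, string $responseToken, ?string $remoteIp = null): bool
{
    // An empty token means the widget was never solved; fail without calling the API.
    if ($secret === '' || $responseToken === '') {
        return false;
    }

    $params = ['secret' => $secret, 'response' => $responseToken];
    if ($remoteIp !== null) {
        $params['remoteip'] = $remoteIp;          // optional, as the table says
    }

    // POST the parameters in the body rather than the query string, so the secret
    // does not end up in proxy or web-server access logs.
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);

    if ($body === false) {
        return false;                             // network error: fail closed
    }

    // Only an explicit JSON `"success": true` counts; anything malformed fails.
    $result = json_decode($body, true);
    return is_array($result) && ($result['success'] ?? false) === true;
}

// On form submission:
$secret = getenv('RECAPTCHA_SECRET') ?: '';
$token  = $_POST['g-recaptcha-response'] ?? '';
if (!verifyRecaptcha($secret, $token, $_SERVER['REMOTE_ADDR'] ?? null)) {
    http_response_code(400);
    exit('CAPTCHA verification failed');
}
```

If verification keeps failing, log the raw `$body` while debugging: the JSON reply carries an `error-codes` array that says whether the secret, the token or the request itself was rejected.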

  5. alexander shekhtman

    maybe there are really three files? is all that code in the same first file or maybe there is a login file?

  6. alexander shekhtman

    what does the @ mean in this directory listing:
    drwx-@  53 alexander  staff  1802 Dec 21 00:50 Library vs. this line:
    drwx-+  31 alexander  staff  1054 Dec 22 14:08 Desktop (what does the + mean) vs. nothing at the end of permissions?

  7. alexander shekhtman

    i got the code of your site now where do i place the files and what permissions with which ownership?
    thank you. learning a lot thanks to you. may you be blessed with a healthy, successful, fruitful, new year!

  8. Derek Banas

    I actually use frameworks for security now. Specifically I use Zend

  9. Michael Stokes

    Wouldn't it be more secure to use prepared statements instead of putting the value inside single quotes. So you select username from users where user = ? and password = ?.
    Then there are functions that fill in the ? marks values.
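An added illustration of the two styles Michael contrasts, written for this page rather than taken from the video: the quoted-value query and its prepared-statement replacement in PDO. The table and column names, DSN and credentials are assumed placeholders.

```php
<?php
// Added example, not the video's code: the two query styles discussed in the comment.
// Assumed names: a `users` table with `user` and `pass_hash` columns; the DSN and
// credentials below are placeholders.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepares: the statement text is sent to MySQL first and the
    // values afterwards, so they are never spliced into the SQL string at all.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// 1. Value quoted into the SQL text. Correctness now depends on every caller escaping
//    $username for this connection's charset; forget once and the quote can be broken.
function findUserQuoted(PDO $pdo, string $username): ?array
{
    $sql = "SELECT user, pass_hash FROM users WHERE user = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Prepared statement. The `?` is a parameter filled in by the driver, so the query's
//    structure is fixed before the username is seen, whatever characters it contains.
function findUserPrepared(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT user, pass_hash FROM users WHERE user = ?');
    $stmt->execute([$username]);                  // binds the value to the ?
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The comment's second `?` (AND password = ?) only works when the stored value is
// directly comparable. With salted hashes, fetch the row by username and let PHP
// compare the hash, so the password never has to appear in the WHERE clause.
function authenticate(PDO $pdo, string $username, string $password): bool
{
    $row = findUserPrepared($pdo, $username);
    // password_verify re-hashes with the stored salt and compares in constant time.
    return $row !== null && password_verify($password, $row['pass_hash']);
}
```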

  10. Derek Banas

    Sorry, but these php security tutorials are the only videos I have made on the topic. Some day I'll cover php like I have with java

  11. Yinghan Wang

    Hi Derek, your videos are great. I'm just wondering if you have anything on php email security issues. Sorry I can't be more specific but I'm sure anything in your mind can be very helpful. You are a true sharer and, again, thank you.

  12. Derek Banas

    Not as far as I know. I checked and didn't dig up any

  13. Jeff Lever

    Are there any security risks associated with using MYSQL_ASSOC instead of MYSQL_NUM? It just seems like it's easier to find the data in the array that way.

  14. Jeff Lever

    Hi again Derek,
    When sanitizing the user input data, is using the escape_data php function essentially the same as mysql_real_escape_string?

  15. Derek Banas

    Yes you are correct. Here is the full answer to your question: stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php

  16. basheersubei

    I'm a little confused here… So why are you using mysql_affected_rows and not mysql_num_rows in line 46?

    The documentation says about mysql_affected_rows: "To retrieve the number of rows returned by a SELECT, it is *possible* to use mysql_num_rows()."

    it is possible, or recommended? I'm assuming both do the same thing.

    But I remember you saying something about num_rows being insecure or something…

    Did I miss something here?

  17. Derek Banas

    They look very similar, but I always use google captcha

  18. Clark Vincent Enriquez

    hey I have a question. how much more secure using recaptcha that you are using in this video than of that in generating captcha by GD?

  19. Derek Banas

    Thank you 🙂 You could always surround any potentially harmful code with symbols that would negate it and then eliminate those symbols when they are displayed. As long as the comment never has the chance to execute it can do no harm

  20. Derek Banas

    Yes you should double and triple check everything. Soon I'll introduce some frameworks that will make securing a web application much easier

  21. Derek Banas

    I've been wanting to cover design patterns for a long time. The tutorial after XML will be on design patterns

  22. Derek Banas

    Always trust the code over what comes out of my mouth 🙂 I sometimes say silly things. I improv most of these tutorials and sometimes my words get jumbled up. I hope I don't do that much anymore

  23. Derek Banas

    I know there are exploits for sha() and I should have used something more secure like aes. I'm not sure if I did this in the video, but I should have also added a random salt before encryption? This part of the tutorial needs to be redone. This was my first take at making a BIG tutorial and I'll fix it soon
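As an added example (not code from the video), the unsalted digest the comment mentions is shown next to PHP's `password_hash`, which supplies the random salt Derek refers to and a deliberately slow algorithm; nothing beyond PHP's own functions is assumed.

```php
<?php
// Added example, not the video's code: the unsalted hash the comment describes next to
// PHP's password_hash(), which generates a random salt per call and uses a deliberately
// slow algorithm (bcrypt under PASSWORD_DEFAULT at the time of writing).

// Unsalted, fast hash: identical passwords give identical digests, so one precomputed
// table covers every account, and sha1 can be brute-forced at very high speed.
function storeUnsalted(string $password): string
{
    return sha1($password);
}

// Salted, slow hash: the salt and cost are generated by password_hash and embedded in
// the returned string, so nothing extra has to be stored alongside it.
function storeSalted(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verification reads the salt and cost back out of the stored string; never compare
// these hashes with == or === yourself.
function checkSalted(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// When a later PHP release raises the default algorithm or cost, upgrade stored hashes
// transparently on the user's next successful login.
function rehashIfNeeded(string $password, string $storedHash): ?string
{
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;                                   // null: nothing to update
}

// Demonstration with a constructed password:
$pw = 'correct horse battery staple';
var_dump(storeUnsalted($pw) === storeUnsalted($pw)); // the unsalted digest never changes
$h1 = storeSalted($pw);
$h2 = storeSalted($pw);
var_dump($h1 === $h2);                               // two salted hashes of one password differ
var_dump(checkSalted($pw, $h1));                     // yet each verifies the original password
var_dump(checkSalted('wrong password', $h1));        // and rejects any other
```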

  24. poolpool89

    After $u && $p && $captcha are true, can i pass the variables userid and pass to a class method of my user handler to do the rest? is that secure ?

  25. Derek Banas

    @RedShadowHF Yes you could do that as well. Thanks for pointing that out

  26. Reynaldo

    this rocks! thanks bro. it helps a lot. God Bless you.

  27. Derek Banas

    @sie85 In future parts of this tutorial series I use it every time the user moves from page to page. I also force the session id to change each time they go to a new page.

  28. De Sietse

    Where do you use this token_id you store in the session and user table.
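An added example, not from the video, of the two mechanisms raised in the last two comments: session id regeneration on every page load and checking the token_id held in both the session and the user row. The `users` table with `id` and `token_id` columns and the `$pdo` handle are assumed names.

```php
<?php
// Added example, not the video's code: the per-page session id rotation Derek describes
// and the place where the token_id stored in both the session and the user row is checked.
// Assumed names: a `users` table with `id` and `token_id` columns, and a PDO handle $pdo.

session_start();

// Rotate the session id on every request so a leaked id is only good until the next
// page load; `true` deletes the old session data so the old id cannot be reused.
session_regenerate_id(true);

// At login: issue a fresh random per-user token and store it in both places.
function issueToken(PDO $pdo, int $userId): void
{
    $token = bin2hex(random_bytes(32));              // 64 hex chars from the CSPRNG
    $pdo->prepare('UPDATE users SET token_id = ? WHERE id = ?')
        ->execute([$token, $userId]);
    $_SESSION['user_id']  = $userId;
    $_SESSION['token_id'] = $token;
}

// At the top of every protected page: the session is only trusted if the token it
// carries matches the one in the database. A token kept only in the session could
// never be invalidated server-side; the copy in the user row is what makes that possible.
function sessionIsValid(PDO $pdo): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['token_id'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT token_id FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    // hash_equals compares in constant time, so a mismatch does not leak its position.
    return $stored !== false && $stored !== null
        && hash_equals((string) $stored, (string) $_SESSION['token_id']);
}

// Logging out clears the database copy too, so a copied session cannot be revived
// and every other session for this user is invalidated at the same time.
function logout(PDO $pdo): void
{
    if (isset($_SESSION['user_id'])) {
        $pdo->prepare('UPDATE users SET token_id = NULL WHERE id = ?')
            ->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}
```

Because a single token_id is stored per user, a second login from another browser replaces the token and ends the first session; that is a property of the one-column design, not a bug.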

  29. andreipreda07

    @derekbanas i've watched it, thx:)

  30. Derek Banas

    @andreipreda07 Check out my php security pt 4 video. It will explain everything on how to create a new user registration script. If you have any questions after that just send them over. Thanks 🙂

  31. andreipreda07

    thx! this helped a lot, but i have some questions.
    how do you store the users?
    can you make a new special table or,
    do you have to use the user table, from mysql?
