Could this script be improved?_问答_开发者_运维开发者技术经验分享

Ok, i'm wondering if this code stored in user_login.php could be improved or if i'm doing it wrong. I'm confused because all my script in the application are long about 30-40 lines only and i was wondering if i am missing something.

This script is called with an ajax call like everyone else in my application except for template files.

<?php

# Ignore
if (!defined('APP_ON')) { die('Silence...'); }

# Gets the variables sent
$user_name = post('user_name');
$user_password = extra_crypt(post('user_password'));

# Check if the user exists
if (!user::check($user_name, $user_password)) { template::bad($lang['incorrect_login']); }

# Logging in
$id = user::get_id($user_name, $user_password);
$u = new user($id);
$u->login();
template::good($lang['correct_login']);

?>

I'm going to explain it:

# Ignore
if (!defined('APP_ON')) { die('Silence...'); }

This basically check that the file is not called directly. Each url is redirected to an index.php file that manage the url (es: www.mysite.com/user/view/id/1) and include the right file. In the first lines of this index.php file there is a define('APP_ON', true);. The index file also initialize the application calling some set of functions and some classes.

# Gets the variables sent
$user_name = post('user_name');
$user_password = extra_crypt(post('user_password'));

The function post() manage the recovering of $_POST['user_name'] making some checks. The function extra_crypt() just crypt the password using sha1 and a custom alghoritm. I'm using prepared statement for sql queries so don't worry about escaping post variables.

# Check if the user exists
if (!user::check($user_name, $user_password)) { template::bad($lang['incorrect_login']);

The user class has both static and normal methods. The static ones doesn't require an id to start from, normal methods does. For example user::check(); does check if the username and the password exists in the database. The template class has just two static methods (template::bad() and template::good()) that manage fast dialog box to send to the user without any header or 开发者_运维问答footer. Instead if you instantiate the class $t = new template('user_view'), the template user_view_body.php is called and you can manage that page with $t->assign() that assign static vars to the template, or with $t->loop() that start a loop etc. Finally $lang is an array having some common strings in the language set by the user.

# Logging in
$id = user::get_id($user_name, $user_password);
$u = new user($id);
$u->login();
template::good($lang['correct_login']);

At the end we have the actual login. The user class is instantiated and an id is recovered. The user with that id is logged in and we return a template::good() message box to the user. For any clarification write a comment above.

First of all a message digest function like sha1 is not an encryption function. So please remove crypt from the function name to avoid confusion. Further more, this whole idea of a "custom algorithm" for storing passwords scares the hell out of me. sha256 is a better choice than sha1, but sha1 isn't all that bad after all its still a NIST approved function. Unlike md5 no one has been able to generate a collision for sha1 (although this will happen in the new few years). If you do go with sha1 make sure the salt is a prefix, as to thwart the prefixing attack.

Input validation must always be done at the time of use. the post() function should not be responsible for any input validation or escaping. This is just an incarnation of magic_quotes_gpc which is being removed because its a security train wreak.

Parametrized Query libraries like PDO and ADODB are very good and I recommended using it. This is a great example of sanitizing at the time of use.

Your template assign() method can be used to sanitize for XSS. Smarty comes with a htmlspecialchars output filter module which does this.

With so much functionality behind functions that you haven't provided, it's hard to say whether anything needs to be fixed. Are you making sure the input is clean in post()? Are your database calls secure in user::check()? Are you using session cookies to simplify user prefs/info storage? Is your template class well-written? When you create a new user, are you logging all the necessary information (time of login, IP address if necessary, etc)? Are you ensuring that the user isn't doubly logged in, if that's important here?

The only concrete thing I can tell you about what you wrote is that the sha1 algorithm is completely broken, and you should be using something else instead; see the comments below for suggestions.