
Willhackforfood.biz


7 replies to this topic

#1 BINREV SPYD3R

BINREV SPYD3R

    I should go outside once in a while

  • Members
  • 2,564 posts

Posted 18 November 2006 - 07:38 PM

Willhackforfood.biz offered free disposable email accounts, unfortunately due to abuse we had to disable it a couple of months ago.

I made an attempt to get part of it working again today. At the moment it does not do very much apart from allowing you to create accounts and view the raw mail messages, without any MIME decoding etc., but at least it is better than the suspended page that was there.

Bugs I am aware of include:
- Poor error handling (I am used to being able to use PHP5's throws, which are not supported in PHP4).
- Logout link showing up when not logged in.
- Using autologin does not seem to set the correct cookie expiry in IE, and will unexpectedly log you out when reading messages.
- Some messages not showing up - the code is currently relying on the "To" header holding the WH4F email address to determine the recipient, and not all email senders put it in there.

http://www.digitalda...nick84/post=176

#2 feverdream

feverdream

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 341 posts
  • Location:Here.

Posted 19 November 2006 - 04:03 PM

Is the code open source?

#3 nick84

nick84

    Member

  • Agents of the Revolution
  • 1,680 posts
  • Gender:Male

Posted 20 November 2006 - 02:51 PM

Unfortunately not, I would like to someday, but it will not happen anytime soon.

Saying that it is pretty standard code at the moment - PEAR POP3 for reading emails from a catchall / *@willhackforfood.biz, and some custom login / reading code.

If there is any specific parts / concepts you are interested in, I could probably post up bits and pieces - let me know.

#4 feverdream

feverdream

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 341 posts
  • Location:Here.

Posted 20 November 2006 - 04:08 PM

I'm most interested in the login code, as that is the one part of a website I have never coded and I feel that I could learn a lot from it.

#5 nick84

nick84

    Member

  • Agents of the Revolution
  • 1,680 posts
  • Gender:Male

Posted 20 November 2006 - 06:34 PM

I cannot really give out the login code; it is class based anyway, so probably more complicated than you need.

I have coded up a simple example, see below, that should get you started.

Only problem with it at the moment is that if the user has a "|" in their username / password it will break - but rather that than using two cookies. Ideally a regex should be used and the "|"s escaped if entered as user data, but I have not managed to find a regex that will work so far.

Another approach rather than using cookies directly is to use PHP's sessions (however I tend to stay away from them due to concurrency / locking issues).

<?php

//Set blank username / password vars
$username = '';
$password = '';

//If logout clicked
if (isset($_GET['logout'])) {

	//Then remove cookie (an empty value makes PHP expire it on the client)
	setcookie('auth', '', 0);

} else {

	//If form is posted
	if (isset($_POST['login_username'])) {

		$username = $_POST['login_username'];
		$password = md5($_POST['login_password']);

	} else if (isset($_COOKIE['auth'])) {
		//Otherwise if there is already a cookie set

		//Split cookie value into username / password
		$cookieparts = explode('|', $_COOKIE['auth']);

		//Only trust the cookie if it has exactly the two parts we wrote into it,
		//otherwise $cookieparts[1] would be undefined and the cookie is ignored
		if (count($cookieparts) == 2) {
			$username = $cookieparts[0];
			$password = $cookieparts[1];
		}

	}

}

//If there is a username (ie user has a cookie, or attempted to login via post)
if ($username) {

	//Check if username / password are valid / look them up in the database
	if ( ($username == 'myusername') && ($password == md5('mypassword')) ) {

		//Set logged in flag
		$loggedin = true;
		$statusmessage = 'Login ok';

		//Set cookie to remember login for future (save both username / password hash in same cookie)
		setcookie('auth', "{$username}|{$password}");

	} else {
		//Set not logged in flag
		$loggedin = false;
		$statusmessage = 'Username / password incorrect';
	}

} else {
	//Set not logged in flag
	$loggedin = false;
	$statusmessage = 'Please login';
}

if ($loggedin == true) {

	//Escape the script path before echoing it into the page
	$self = htmlentities($_SERVER['PHP_SELF']);

	echo <<<EOHTML

{$statusmessage}

<br />

Secret info here....<br />
<br />

[<a href="{$self}?logout=1">Logout</a>]

EOHTML;

} else {

	//Re-display the submitted username, escaped so it cannot inject HTML
	$usernameh = htmlentities(isset($_POST['login_username']) ? $_POST['login_username'] : '');

	$self = htmlentities($_SERVER['PHP_SELF']);
	echo <<<EOHTML

{$statusmessage}
<form method="POST" action="{$self}" name="frm_login">
<table border="0" cellpadding="5" cellspacing="0" style="border-collapse: collapse" width="100%" bordercolor="#C0C0C0">
	<tr>
		<td width="100">Username:</td>
		<td><input type="text" name="login_username" id="login_username" value="{$usernameh}" size="30"></td>
	</tr>
	<tr>
		<td width="100">Password:</td>
		<td><input type="password" name="login_password" id="login_password" value="" size="30"></td>
	</tr>
	<tr>
		<td colspan="2"><input type="submit" value=" Login " name="login"></td>
	</tr>
</table>
</form>
EOHTML;

}
?>


#6 feverdream

feverdream

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 341 posts
  • Location:Here.

Posted 24 November 2006 - 08:36 PM

I cannot really give out the login code; it is class based anyway, so probably more complicated than you need.

I have coded up a simple example, see below, that should get you started.

Only problem with it at the moment is that if the user has a "|" in their username / password it will break - but rather that than using two cookies. Ideally a regex should be used and the "|"s escaped if entered as user data, but I have not managed to find a regex that will work so far.

Another approach rather than using cookies directly is to use PHP's sessions (however I tend to stay away from them due to concurrency / locking issues).
--code snipped --



From the bottom of my heart, thank you for the effort.

Perhaps keeping the un-encrypted, plain text password in the cookie is not a good idea. From a security perspective, that could be a liability.

I would store a hexed hash string instead, possibly containing both an md5 and sha1 to make the possibility of hash collisions more remote. Storing only that same hash pair on the server would make sure compromise of the server could not give away password data.

I'm looking at the code now; Thank you once again.

#7 nick84

nick84

    Member

  • Agents of the Revolution
  • 1,680 posts
  • Gender:Male

Posted 25 November 2006 - 11:54 AM

Perhaps keeping the un-encrypted, plain text password in the cookie is not a good idea. From a security perspective, that could be a liability.

The password is not stored as plain text in the cookie, it is stored as an md5 hash.

[Line 19] $password = md5($_POST['login_password']);

If you are looking for extra security, I would recommend using a token approach - user posts username/password, server checks they are valid, and if so issues the user a "token" (ie 32 char unique string), this string is then associated with the user account at the server level, and the username/password or any hash of the password is never stored on the user's PC.

The above code was a "simple example".
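The token approach nick84 describes above, written out as an added example (this is not the willhackforfood.biz code, and it uses PHP 7.1+ rather than the PHP4 of the original snippet). It assumes a hypothetical PDO handle `$db`, a `users` table whose `password_hash` column was filled by `password_hash()`, and a `sessions` table `(token_hash, username, expires)`. Only a hash of the random token is kept server side, so a copy of the database does not yield working cookies, and because the cookie holds a single random value the "|" delimiter problem from the earlier post does not arise.

```php
<?php
// Added example of token-based "remember me" login; not code from the original post.
// Assumes (hypothetical): PDO $db, table users(username, password_hash),
// table sessions(token_hash, username, expires). Requires PHP 7.1+.

const TOKEN_LIFETIME = 86400 * 30; // persistent login lasts 30 days

// Check credentials; on success mint a random token, store only its hash
// server side and hand the raw token to the browser in an HttpOnly cookie.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false; // unknown user or wrong password: no cookie issued
    }
    $token   = bin2hex(random_bytes(16)); // 32 hex chars from the CSPRNG
    $expires = time() + TOKEN_LIFETIME;
    $stmt = $db->prepare('INSERT INTO sessions (token_hash, username, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $username, $expires]);
    // HttpOnly keeps page scripts from reading it; Secure keeps it off plain HTTP
    setcookie('auth', $token, $expires, '/', '', true, true);
    return true;
}

// Resolve the cookie back to a username, or null if absent, malformed,
// expired or unknown. No password material is ever read from the client.
function currentUser(PDO $db): ?string
{
    if (empty($_COOKIE['auth']) || !ctype_xdigit($_COOKIE['auth'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT username FROM sessions WHERE token_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $_COOKIE['auth']), time()]);
    $user = $stmt->fetchColumn();
    return $user === false ? null : $user;
}

// Logout: forget the token server side first, then clear the cookie,
// so a copied cookie stops working even if the browser keeps it.
function logout(PDO $db): void
{
    if (!empty($_COOKIE['auth']) && ctype_xdigit($_COOKIE['auth'])) {
        $stmt = $db->prepare('DELETE FROM sessions WHERE token_hash = ?');
        $stmt->execute([hash('sha256', $_COOKIE['auth'])]);
    }
    setcookie('auth', '', 1, '/', '', true, true);
}
```

The `auth` cookie here carries nothing derived from the password, which is the point of the token scheme: expiring or deleting the `sessions` row revokes the login without touching the user's credentials.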

#8 feverdream

feverdream

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 341 posts
  • Location:Here.

Posted 26 November 2006 - 01:51 PM

I'm going to be doing PHP/MYSQL stuff all day as part of setting up a server, but when I am done I will gladly look into this more.

Thank you for your time.
