BINREV SPYD3R

Willhackforfood.biz

8 posts in this topic

wh4flogo.jpg
Willhackforfood.biz offered free disposable email accounts, unfortunately due to abuse we had to disable it a couple of months ago.

I made an attempt to get part of working again today. At the moment it does not do very much apart from allow you to create accounts, and view the raw mail messages, without any mime decoding etc, but at least it is better than the suspended page that was there.

Bugs I am aware of include:
- Poor error handling (I am used to being able to use PHP5’s throw’s which are not supported in PHP4).
- Logout link showing up when not logged in.
- Using autologin does not seem to set the correct cookie expiry in IE, and will unexpectedly log you out when reading messages.
- Some messages not showing up - the code is currently relying on the "To" header holding the WH4F email address to determine the recipient, and not all email senders put it in there.

http://www.digitaldawgpound.org/nick84/post=176
0

Share this post


Link to post
Share on other sites

Unfortunately not, I would like to someday, but it will not happen anytime soon.

Saying that it is pretty standard code at the moment - PEAR POP3 for reading emails from a catchall / *@willhackforfood.biz, and some custom login / reading code.

If there is any specific parts / concepts you are interested in, I could probably post up bits and pieces - let me know.

0

Share this post


Link to post
Share on other sites

I'm most interested in the login code, as that is the one part of a website I have never coded and I feel that I could learn a lot from it.

0

Share this post


Link to post
Share on other sites

I can not really give out the login code, it is class based anyway so probably more complicated than you need.

I have coded up a simple example see below that should get you started.

Only problem with it at the moment is that if the user has a "|" in their username / password it will break - but rather that than using two cookies. Ideally a regex should be used and the "|"'s escaped if entered as user data, but I have not managed to find a regex that will work so far.

Another approach rather than using cookies directly is to use php's sessions (however I tend to stay away from them due to concurrency / locking issues).

<?php

//Set blank username / password vars
$username = '';
$password = '';

//If logout clicked
if (isset($_GET['logout'])) {

//Then remove cookie
setcookie('auth', '', 0);

} else {

//If form is posted
if (isset($_POST['login_username'])) {

$username = $_POST['login_username'];
$password = md5($_POST['login_password']);

} else if (isset($_COOKIE['auth'])) {
//Otherwise if there is allready a cookie set

//Split cookie value into username / password
$cookieparts = explode('|', $_COOKIE['auth']);
$username = $cookieparts[0];
$password = $cookieparts[1];

}

}

//If is a username (ie user has a cookie, or attempted to login via post
if ($username) {

//Check if username / password are valid / look them up in the database
if ( ($username == 'myusername') && ($password == md5('mypassword')) ) {

//Set logged in flag
$loggedin = true;
$statusmessage = 'Login ok';

//Set cookie to remember login or future (save both username / password in same cookie)
setcookie('auth', "{$username}|{$password}");

} else {
//Set not logged in flag
$loggedin = false;
$statusmessage = 'Username / password incorrect';
}

} else {
//Set not logged in flag
$loggedin = false;
$statusmessage = 'Please login';
}




if ($loggedin == true) {

$self = htmlentities($_SERVER['PHP_SELF']);

echo <<<EOHTML

{$statusmessage}

<br />

Secret info here....<br />
<br />

[<a href="{$self}?logout=1">Logout</a>]

EOHTML;

} else {

$usernameh = htmlentities(isset($_POST['login_username']) ? $_POST['login_username'] : '');

$self = htmlentities($_SERVER['PHP_SELF']);
echo <<<EOHTML

{$statusmessage}
<form method="POST" action="{$self}" name="frm_login">
<table border="0" cellpadding="5" cellspacing="0" style="border-collapse: collapse" width="100%" bordercolor="#C0C0C0">
<tr>
<td width="100">Username:</td>
<td><input type="text" name="login_username" id="login_username" value="{$usernameh}" size="30"></td>
</tr>
<tr>
<td width="100">Password:</td>
<td><input type="password" name="login_password" id="login_password" value="" size="30"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value=" Login " name="login"></td>
</tr>
</table>
</form>
EOHTML;

}
?>

0

Share this post


Link to post
Share on other sites

I can not really give out the login code, it is class based anyway so probably more complicated than you need.

I have coded up a simple example see below that should get you started.

Only problem with it at the moment is that if the user has a "|" in their username / password it will break - but rather that than using two cookies. Ideally a regex should be used and the "|"'s escaped if entered as user data, but I have not managed to find a regex that will work so far.

Another approach rather than using cookies directly is to use php's sessions (however I tend to stay away from them due to concurrency / locking issues).

--code snipped --

From the bottom of my heart, thank you for the effort.

Perhaps keeping the un-encrypted, plain text password in the cookie is not a good idea. From a security perspective, that could be a liability.

I would store a hexed hash string instead, possibly containing both a md5 and sha1 to make the possibility of hash collisions more remote. Storing only that same hash pair on the server would make sure comprmise of the server could not give away password data.

I'm looking at the code now; Thank you once again.

0

Share this post


Link to post
Share on other sites
Perhaps keeping the un-encrypted, plain text password in the cookie is not a good idea. From a security perspective, that could be a liability.

The password is not stored as plain text in the cookie, it is stored as an md5 hash

[Line 19] $password = md5($_POST['login_password']);

If you are looking for extra security, I would recommend using a token approach - user posts username/password, server checks they are valid, and if so issues the user a "token" (ie 32 char unique string), this string is then associated with the user account at the server level, and the username/password or any hash of the password is ever stored on the users PC.

The above code was a "simple example".

0

Share this post


Link to post
Share on other sites

I'm going to be doing PHP/MYSQL stuff all day as part of seting up a server, but when I am done I will gladly look into this more.

Thank you for your time.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now