
Base64 in Database


ghost's Avatar
0 0

Hi everyone,

I'm making a website where users can login/register. But I want to protect myself against SQL Injections/XSS. So I have an idea, but I would like to hear if it is safe or if there are better ways :) So this is what I am going to do: I have this piece of PHP code:

$sql = "SELECT * FROM users WHERE user = '" . base64_encode($input) . "'";

Now, I think nothing can go wrong, when I decode the input to base64 and all the data in the DB is (of course) encrypted in base64 as well.

I've chosen for base64, because there is the base64_encode and base64_decode function (not with encryptions like md5).

I have another question (about PHP sessions): is it safe when I save data in the $_SESSION array? I think it is, but not sure about it :S

Hope someone can give me answers :D:D Greetz MH-IA


ghost's Avatar
0 0

If you're going to use the data in the database on pages you are going to have to decode it, at which point it would be vulnerable to, for instance, XSS.


pimpim's Avatar
Member
0 0

It would protect from SQL injection, but not XSS. There are faster and more secure ways to do it. Just use strip_tags() and mysql_real_escape_string() on all user input. ;) Those functions are meant to protect from the vulnerabilities you mentioned. Nice idea though…

Edit: Sessions are stored on the server, so as long as the attacker doesn't have access to the server, it's safe.


ghost's Avatar
0 0

Thanks for the replies!

So this bit of code:

$sql = "SELECT * FROM users WHERE user = '" . mysql_real_escape_string(strip_tags($input)) . "'";

Would protect me against SQL Injection AND XSS? I knew the strip_tags function but I didn't use it because if a user types e.g. ' or '1=1-- it would have any effect… But I didn't know the mysql_real_escape_string function, thanks for that!


ghost's Avatar
0 0

COM wrote: [quote]454447415244 wrote: You really don't find a security difference between the two implementations?!

I'm not sure what you meant there so… yes?

454447415244 wrote: Have you ever seen a good site that stores passwords as base_64?!

Did I say it was a good, secure thing and he should use that for password encryption/hashing? My memory must be bad, I could've sworn I didn't. What I was saying was merely that what you were talking about was not what the OP meant, nor what he was requesting ideas and assistance with. It is somewhat relevant and a good topic to add on to it, merely stating that you shouldn't answer questions wrongly like it's what he's after. For all you know the OP might actually be well aware of what you're saying, maybe he's thinking of md5 hashing the passwords before base64 encoding them.[/quote]

I do know well what the OP was talking about. And I felt the need to add this since he wrote:

I've chosen for base64, because there is the base64_encode and base64_decode function (not with encryptions like md5).

So, no. He's not thinking about md5 hashing the passwords before base64 encoding them.

It is not always necessary to stick to the main question. We must add/clarify some ideas when we feel the need to.


ghost's Avatar
0 0

454447415244 wrote: [quote] I've chosen for base64, because there is the base64_encode and base64_decode function (not with encryptions like md5).

So, no. He's not thinking about md5 hashing the passwords before base64 encoding them. [/quote]

He never said that he wouldn't use md5 for passwords, he needed something with an ability to decrypt, so he didn't want to use md5. You previously asked why. Well, let's say he wants to safely store messages or content in a database, like these messages we write here, without worrying about sql injections. Would it be a good idea to not decode base64 before sending it off as html? No. Would it be good to hash messages like these posts or other content as md5? Good luck decoding that and posting it as readable html. That was his point, it was a fairly decent idea, still needs xss prevention for instance as already mentioned, but the ability to decode would be important in his idea, so obviously he'd choose that.


ghost's Avatar
0 0

Don't use strip_tags, it's still vulnerable to XSS injections. Read up on htmlentities().

As everyone else said, base64 is not secure. At all. It wouldn't be hard for an attacker to recognize that you are using base64 and then it could easily be decoded.

mysql_real_escape_string is good, but if you want to be more secure use regex to validate user input (preg_match() and preg_replace()).

MH-IA wrote: I have another question (about PHP sessions): is it safe when I save data in the $_SESSION array? I think it is, but not sure about it

If you run any of the values from your sessions to an sql query, then it's possible to make an sql injection, so just be sure to sanitize the values. Other than that though you should be good. Really the worst thing I've seen with sessions is that I got the page to display the site's path in an error message by adding random values to the PHPSESSID cookie. Not too bad, but if you have sql vulns then it's potentially dangerous.


ghost's Avatar
0 0

COM wrote: [quote]454447415244 wrote: [quote] I've chosen for base64, because there is the base64_encode and base64_decode function (not with encryptions like md5).

So, no. He's not thinking about md5 hashing the passwords before base64 encoding them. [/quote] He never said that he wouldn't use md5 for passwords, he needed something with an ability to decrypt, so he didn't want to use md5. You previously asked why. Well, let's say he wants to safely store messages or content in a database, like these messages we write here, without worrying about sql injections. Would it be a good idea to not decode base64 before sending it off as html? No. Would it be good to hash messages like these posts or other content as md5? Good luck decoding that and posting it as readable html. That was his point, it was a fairly decent idea, still needs xss prevention for instance as already mentioned, but the ability to decode would be important in his idea, so obviously he'd choose that.[/quote]

Well, you are posting just for the sake of arguing.

If you read well, you will see that this is what he wrote:

I'm making a website where users can login/register.

So it's about logging-in and not about storing messages. </EndOf>


ghost's Avatar
0 0

454447415244 wrote: Well, you are posting just for the sake of arguing.

I'm saying the same about you.

454447415244 wrote: If you read well, you will see that this is what he wrote: [quote] I'm making a website where users can login/register.

So it's about logging-in and not about storing messages.[/quote] If you read well you'll notice that he doesn't mention the secure storage of the passwords anywhere and that his code doesn't even include passwords, only usernames. Usernames are information usually displayed, if there are users there will probably be information stored for them that will be displayed. You got your question answered why he wanted it, you answered the wrong question, he got some extra information, now be happy and shut it.

</EndOf>


ghost's Avatar
0 0

When I store data (base64 encoded), how can someone find out all data in the db is that way encrypted?? If someone doesn't know, how can it be unsafe? I'm busy with searching good methods to protect my site against XSS. Why would strip_tags not work? I mean, it removes all the html tags, right? htmlentities seems like a good method, cause it replaces chars as < and > etc. I am now at school, but I will try the methods you guys mentioned this afternoon.


ghost's Avatar
0 0

It's unsafe because it's easy to decrypt if you know what it is and most people can make an educated guess about what encryption is in use by seeing it, especially if it's a widely known one.


ghost's Avatar
0 0

Okay, as I said, I will try out some methods later today and I have a problem with images. I have written a php script that paints an image with 5 random characters (for image validation). Now, I would like to save the 5 chars in a cookie, but of course that's very unsafe. So I have to find a method to encrypt it safely. I don't like it when bots automatically register on my website, so that's why I want it encrypted. I thought about md5 (the script encrypts the input to md5 and checks if it is the same as in the cookie), but not sure if it is that secure…


ghost's Avatar
0 0

MH-IA wrote: Okay, as I said, I will try out some methods later today and I have a problem with images. I have written a php script that paints an image with 5 random characters (for image validation). Now, I would like to save the 5 chars in a cookie, but of course that's very unsafe. So I have to find a method to encrypt it safely. I don't like it when bots automatically register on my website, so that's why I want it encrypted. I thought about md5 (the script encrypts the input to md5 and checks if it is the same as in the cookie), but not sure if it is that secure…

If the chars are in the cookie, that means that the bot can get the information. It would be safer if you stored them in a session variable. Then all you have to store in the cookie is the session id, which is done automatically.


ghost's Avatar
0 0

COM wrote: [quote]454447415244 wrote: Well, you are posting just for the sake of arguing.

I'm saying the same about you.

454447415244 wrote: If you read well, you will see that this is what he wrote: [quote] I'm making a website where users can login/register.

So it's about logging-in and not about storing messages.[/quote] If you read well you'll notice that he doesn't mention the secure storage of the passwords anywhere and that his code doesn't even include passwords, only usernames. Usernames are information usually displayed, if there are users there will probably be information stored for them that will be displayed. You got your question answered why he wanted it, you answered the wrong question, he got some extra information, now be happy and shut it.

</EndOf>[/quote]

Simply. You shut it. Not me! Quit trying to be the thread moderator. You're trying to talk instead of the OP thinking you're defending him/his ideas. The OP post after yours has proved me right.


ghost's Avatar
0 0

454447415244 wrote: Simply. You shut it. Not me! Quit trying to be the thread moderator. You're trying to talk instead of the OP thinking you're defending him/his ideas. The OP post after yours has proved me right.

Oh noooo, tragedy strikes as the possibility comes up that you just don't respond to something that doesn't need responding to anyhow. You asked why he wanted it, I answered, you got your answer, I've even said that even though you answered something wrong the extra information is somewhat relevant and might be of interest. But let's just continue to ignore any point where we might agree as that'd make it difficult for you to excuse you being upset and throwing a tantrum over what I write. Yes, you got me, my biggest dream is to be this thread's moderator. I've been wanting that since I was a little child and I'm living out all my fantasies now that the opportunity came along. I don't know what I will do with my life now that you're on to me. The OP's post after mine hasn't proven you right in any way. Holy balls! The OP doesn't really know how these things work and doesn't know the difference between a hash and an encryption. It's only natural that he'd ask about it if it's been brought up. It's different forms of security that's been mentioned now, the OP probably doesn't even distinguish between those when someone says that something's less secure than something else.

Now go ahead, answer it so you won't have to commit suicide over the shame of not posting a response. And let's just leave it at that.


ghost's Avatar
0 0

I now have this function:

```php
// The function header was lost from the post; clean_input is a placeholder name.
function clean_input($input)
{
	// Characters stripped from the input
	$chars = array('`', '~', '!', '#', '$', '%', '^', '(', ')', '=', '+', '[', ']', '\\', ';', '\'', ',', '/', '{', '}', '|', ':', '"', '<', '>', '?', ' ');
	$repl = array('');
	$input = str_replace($chars, $repl, $input);
	return $input;
}
```

So inputs like "<script>alert(document.cookie)</script>" and "' or '1=1--" won't work. Maybe I can send the data SHA-encrypted? Don't know if it is really more secure to store data not-encrypted?

@spyware: Thx for the link, I will take a look at it :D

ghost's Avatar
0 0

MH-IA wrote: Don't know if it is really more secure to store data not-encrypted?

It's not necessarily a question of safety for the site, but to protect the integrity/anonymity of the users. Let's say that your site is breached in a way that they can acquire the contents of the user/pass table. In that scenario if they are hashed with something really secure then odds are that the person can't get their passwords through it even though he has a list of the hashes. If they're plaintext on the other hand, then he just has to look at it to know what it is they're using.
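
The three concerns raised in this thread (SQL injection in the user lookup, XSS when the name is shown again, and how passwords are stored), put together in one added example that is not code from any poster. It uses PDO prepared statements in place of the mysql_real_escape_string() suggested above, plus password_hash() and htmlspecialchars(); the table layout, function names and sample account are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Table layout and names are assumptions.
$db = new PDO('sqlite::memory:');   // in-memory database so the script runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

function register(PDO $db, string $user, string $password): void
{
    // Salted one-way hash: a leaked table does not hand over the passwords.
    $stmt = $db->prepare('INSERT INTO users (user, pass_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $user, string $password): bool
{
    // The placeholder keeps $user out of the SQL text, so a quote in it is
    // only data. No base64 or escaping step is needed for the query.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

function greet(string $user): string
{
    // Encode when writing into HTML, not when storing: the name stays
    // intact in the database and is inert in the page.
    return '<p>Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample account; the two hostile strings are the ones quoted in the thread.
register($db, 'MH-IA', 'correct horse battery');

var_dump(login($db, 'MH-IA', 'correct horse battery'));  // valid credentials
var_dump(login($db, 'MH-IA', 'wrong password'));         // bad password
var_dump(login($db, "' or '1=1--", 'anything'));         // treated as an unknown username
echo greet('<script>alert(document.cookie)</script>'), "\n";
```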


ghost's Avatar
0 0

When I store the data SHA encrypted and I have to echo the username of someone, how can I do that? There is no function to decrypt sha.. I can store the data normal and sha encrypted, but I don't think that has any effect


AldarHawk's Avatar
The Manager
0 0

MH-IA wrote: When I store the data SHA encrypted and I have to echo the username of someone, how can I do that? There is no function to decrypt sha.. I can store the data normal and sha encrypted, but I don't think that has any effect

SHA is a hashing algorithm. It is not reversible. You need to use an encryption method (base64 for example) to be able to reverse it.

Why do you need to encrypt the username anyways?


ghost's Avatar
0 0

AldarHawk wrote: Why do you need to encrypt the username anyways?

Read thread from beginning, base 64 was his initial idea actually then people started talking about other things that he didn't yet know enough about and confused the hell outta him. To MH-IA, thank you for proving my point.


ghost's Avatar
0 0

I just remembered something: I had to make a program a couple of weeks ago (in C#). Had to make a login form and the password was stored encrypted and it was also decryptable. I used Rijndael for this. I've found this example, so I will try to do it this way.

[EDIT] Got test.php:

```php
<?php
class RijndaelManager
{
    $mykey = "THISisMyKey";

    function linencrypt($pass)
    {
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        $cryptedpass = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->$mykey, $pass, MCRYPT_MODE_ECB, $iv);
        return $cryptedpass;
    }

    function lindecrypt($enpass)
    {
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        $decryptedpass = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->$mykey, $enpass, MCRYPT_MODE_ECB, $iv);
        return rtrim($decryptedpass);
    }
}
?>
```

and test2.php:

```php
<?php
require("test.php");
$r = new RijndaelManager();
$p = $r->linencrypt("test");
echo "Encrypted: " . $p . "<br>";
echo "Decrypted: " . $r->lindecrypt($p);
?>
```

but unfortunately, it's not working ... :S Think there is an error in test.php but I can't find it; everything seems OK?????
[/EDIT]

spyware's Avatar
Banned
0 0

Don't you need to reuse MCRYPT_RAND when decrypting instead of creating new random data :+

Edit: Apparently, MCRYPT_RAND is a built-in linear congruential generator, which sucks. Get your random from some other place is my advice.
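
spyware's two points (decrypt with the same IV that was used to encrypt, and take randomness from a better source than MCRYPT_RAND), as an added example that is not code from the thread. It swaps mcrypt, which was removed from PHP core in 7.2, for OpenSSL AES-256-GCM with random_bytes(); the function names and the key generated at run time are assumptions for illustration.

```php
<?php
// Added example, not code from the thread.
const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;

function encrypt_value(string $plain, string $key): string
{
    // Fresh IV from the OS CSPRNG for every message.
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // IV and tag are not secret: store them next to the ciphertext.
    // base64 here is only a text-safe encoding for the database column.
    return base64_encode($iv . $tag . $ct);
}

function decrypt_value(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, $ivLen);          // the IV that encrypt_value() used
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('wrong key or modified data');
    }
    return $plain;
}

// Placeholder key: a real one is generated once and loaded from protected config.
$key = random_bytes(32);
$blob = encrypt_value('test', $key);
echo "Encrypted: $blob\n";
echo 'Decrypted: ' . decrypt_value($blob, $key) . "\n";
```

Independently of the IV question, the test.php posted above cannot run as written: the property needs a visibility keyword (for example `private $mykey`) and has to be read as `$this->mykey`, not `$this->$mykey`.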


ghost's Avatar
0 0

mcrypt doesn't (yet) work on my website, so I have to install it first. I have to get libmcrypt.so or phpmcrypt.so somewhere...