OpenID for CodeIgniter made easy – All about it

Oct 21st

Posted by dekarvn in PHP/MySQL

1 comment

A few months back, I have been struggling to have openID authentication loaded to my application. It’s a hazard… the simple idea of having it integrated to my application and have users logged in using their existing facebook, google account is pretty fancy, but the code behind it is a mess, a complete tragedy. Luckily RPXNow stepped in and provided me a hand in authenticate people and handling the magic works. No one likes to reinvent the wheel after all, and this is a PRETTY HARD wheel to deal with…

how_diagram

How RPX Works

Also, I’ve been exposed to the wonderful world of Codeigniter, and have found a wonderful library handling all the dirty works for me, (75% of those have been dealt with by RPXNow). All I have to do is have a small iframe in my view, and then deal with what I have to offer when I have successfully authenticated the users.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
function login()
{
    $this->load->library('openidrpx');

    // In the view, display an iframe pointing to the "embedurl"
    $this->load->view('loginview', array('embedurl', $this->openidrpx->EmbedUrl('start/openidverify'));
}

function openidverify()
{
    $this->load->library('openidrpx');
         
    if($token = $this->input->post('token'))
    {
        $data = $this->openidrpx->AuthInfo($token);
       
        if($id = OpenIDRpx::Identifier($data))
        {
             // Authorize user!
        }
    }
}

However…

The idea is great, having some other web service do the dirty authentication work, and have a web framework ready library to do the integration dirty work… Having not to dirty your hands, but get things done. This is too easy to be true. But… I think using RPXNow is a bad idea, at least for me.

By using RPXNow, I am entrusting a third party site to deal with my users. There’s an extra hop in the process and thus, I am really relying on their service for my login process… What if they gone out of business for a while…?

Also, when the users login, the OpenID provider will direct them to yoursitename.RPXNow.com instead of your root website. Although RPXNOw offers ability to customize this hopping point, or with an extra cost ($20/month) to have it named as your root website (www.yoursitename.com). This serves to confuse your naive user even more.

By having a monthly fee, you can whitelist/blocklist certain provider, but this feature is not available in the free ones.

So!

It’s up to you, if you are really confident that you can deal with OpenID on your own, I suggest you do. But if you have absolutely no idea of how to even start looking at the problem, RPXNow is a definitive choice, it saves you “10 years of pain of extensive coding” and have your application up and running in under 2 hours (or less!!!). And if you like RPXNow and pay to be a loyal customer, you’ll gain a lot of extra functionality.

, ,

SQL Injection Prevention

Oct 12th

Posted by dekarvn in PHP/MySQL

No comments

What is SQL Injection?

SQL Injection is evil. Period. SQL Injection is where people gain access to your system using method unknown to you. Injection usually occur when you require the user to fill in a form, often in a form of a username or a password => They put something evil in the box and crashes your system. That evil something is of a form of a SQL statement and actively running their code onto your database.

Types of SQL Injection

There are 2 types: ones that gains access to your system (as an admin) and ones that corrupt your database.

First type:

1
2
3
4
5
// user input that uses SQL Injection
$injection_string = "' OR 1'";

// our MySQL query builder, however, NOT a very safe one
$query_bad = "SELECT * FROM users WHERE username = '$injection_string'";

This will grant them unlimited power, since the OR 1 part always return true… evil….

Second Type:

1
2
3
4
// user input that uses SQL Injection
$injection_string = "'; DELETE FROM user WHERE 1 or username = '";
// our MySQL query builder, however, NOT a very safe one
$query_bad = "SELECT * FROM users WHERE username = '$injection_string'";

This will destroy your database…

SQL Injection Prevention

SQL Injection is a common thing. Easy to try, easy to implement. out of a thousand people going to your website, would only 1 of them try if your application is secure or not? That’s why, it’s a common thing to prevent such an obvious security hole. All you need to do is apply the mysql_real_escape_string function to the thing.

1
2
3
$injection_string = "'; DELETE FROM user WHERE 1 or username = '";

$query_ok = "SELECT * FROM users WHERE username = 'mysql_real_escape_string($injection_string)'";

and it will be ok, basically, they will replace all single quote and double quote character with the escaped string \’ and covered this security hole.

And due to the problem of PHP versions support, this function is not available in older versions of php… So this will do for all version :)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
function prep($value){
$magic_quotes_active = get_magic_quotes_gpc();
$new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
if( $new_enough_php ) { // PHP v4.3.0 or higher
// undo any magic quote effects so mysql_real_escape_string can do the work
if( $magic_quotes_active ) { $value = stripslashes( $value ); }
$value = mysql_real_escape_string( $value );
} else { // before PHP v4.3.0
// if magic quotes aren't already on then add slashes manually
if( !$magic_quotes_active ) { $value = addslashes( $value ); }
// if magic quotes are active, then the slashes already exist
}
return $value;
}