Thursday, April 24, 2014
Author

Base64 in Database


Guest
Posted on 03-06-09 16:39
Hi everyone,

I'm making a website where users can login/register. But I want to protect myself against SQL Injections/XSS. So I have an idea, but I would like to hear if it is safe or if there are better ways :)
So this is what I am going to do:
I have this piece of PHP code:
Code

$sql = "SELECT * FROM users WHERE user = '" . base64_encode($input) . "'";





Now, I think nothing can go wrong, when I decode the input to base64 and all the data in the DB is (of course) encrypted in base64 as well.

I've chosen base64, because there is the base64_encode and base64_decode function (not with encryptions like md5).

I have another question (about PHP sessions): is it safe when I save data in the $_SESSION array? I think it is, but not sure about it :S


Hope someone can give me answers :D:D Greetz MH-IA


Author

RE: Base64 in Database


Guest
Posted on 03-06-09 16:51
If you're going to use the data in the database on pages you are going to have to decode it, at which point it would be vulnerable to, for instance, XSS.


Author

RE: Base64 in Database

pimpim
Member



Posts: 45
Location: Reading your /etc/shadow
Joined: 26.10.08
Rank:
Newbie
Posted on 03-06-09 16:55
It would protect from SQL injection, but not XSS. There are faster and more secure ways to do it.
Just use strip_tags() and mysql_real_escape_string() on all user input. ;)
Those functions are meant to protect from the vulnerabilities you mentioned.
Nice idea though...

Edit: Sessions are stored on the server, so as long as the attacker doesn't have access to the server, it's safe.



Edited by pimpim on 03-06-09 16:59
Author

RE: Base64 in Database


Guest
Posted on 03-06-09 18:22
Thanks for the replies!

So this bit of code:
Code

$sql = "SELECT * FROM users WHERE user = '" . mysql_real_escape_string(strip_tags($input)) . "'";





Would protect me against SQL Injection AND XSS? I knew the strip_tags function but I didn't use it because if a user types e.g. ' or '1=1-- it would have any effect... But I didn't know the mysql_real_escape_string function, thanks for that!


Author

RE: Base64 in Database


Guest
Posted on 03-06-09 20:55
COM wrote:
454447415244 wrote:
You really don't find a security difference between the two implementations?!

I'm not sure what you meant there so... yes?
454447415244 wrote:
Have you ever seen a good site that stores passwords as base_64?!

Did I say it was a good, secure thing and he should use that for password encryption/hashing? My memory must be bad, I could've sworn I didn't.
What I was saying was merely that what you were talking about was not what the OP meant, nor what he was requesting ideas and assistance with. It is somewhat relevant and a good topic to add on to it, merely stating that you shouldn't answer questions wrongly like it's what he's after. For all you know the OP might actually be well aware of what you're saying, maybe he's thinking of md5 hashing the passwords before base64 encoding them.


I do know well what the OP was talking about. And I felt the need to add this since he wrote:

I've chosen base64, because there is the base64_encode and base64_decode function (not with encryptions like md5).

So, no. He's not thinking about md5 hashing the passwords before base64 encoding them.

It is not always necessary to stick to the main question. We must add/clarify some ideas when we feel the need to.


Author

RE: Base64 in Database


Guest
Posted on 03-06-09 21:05
454447415244 wrote:

I've chosen base64, because there is the base64_encode and base64_decode function (not with encryptions like md5).

So, no. He's not thinking about md5 hashing the passwords before base64 encoding them.

He never said that he wouldn't use md5 for passwords, he needed something with an ability to decrypt, so he didn't want to use md5. You previously asked why. Well, let's say he wants to safely store messages or content in a database, like these messages we write here, without worrying about sql injections. Would it be a good idea to not decode base64 before sending it off as html? No. Would it be good to hash messages like these posts or other content as md5? Good luck decoding that and posting it as readable html.
That was his point, it was a fairly decent idea, still needs xss prevention for instance as already mentioned. But the ability to decode would be important in his idea, so obviously he'd choose that.


Author

RE: Base64 in Database


Guest
Posted on 04-06-09 05:15
Don't use strip_tags, it's still vulnerable to XSS injections. Read up on htmlentities().

As everyone else said, base64 is not secure. At all. It wouldn't be hard for an attacker to recognize that you are using base64 and then it could easily be decoded.

mysql_real_escape_string is good, but if you want to be more secure use regex to validate user input (preg_match() and preg_replace()).


MH-IA wrote:
I have another question (about PHP sessions): is it safe when I save data in the $_SESSION array? I think it is, but not sure about it


If you run any of the values from your sessions to an sql query, then it's possible to make an sql injection, so just be sure to sanitize the values. Other than that though you should be good. Really the worst thing I've seen with sessions is that I got the page to display the site's path in an error message by adding random values to the PHPSESSID cookie. Not too bad, but if you have sql vulns then it's potentially dangerous.
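
Added example, not part of any post in this thread: the two problems discussed so far handled at their own boundaries, with bound query parameters for SQL (used here in place of mysql_real_escape_string()) and encoding on output for HTML via htmlspecialchars(), the narrower sibling of the htmlentities() mentioned above. The in-memory SQLite database through PDO, the table layout and the helper names are assumptions made so the snippet runs on its own.

```php
<?php
// Added example; table layout and helper names are hypothetical.
// Assumes the pdo_sqlite extension so everything runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, bio TEXT)');

// SQL side: values travel as bound parameters, never as query text.
function add_user(PDO $db, string $user, string $bio): void {
    $db->prepare('INSERT INTO users (user, bio) VALUES (?, ?)')
       ->execute([$user, $bio]);
}

function find_user(PDO $db, string $user): ?array {
    $st = $db->prepare('SELECT user, bio FROM users WHERE user = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output side: encode at the moment the value is placed into HTML.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data, using the two strings quoted in the thread.
$markup = '<script>alert(document.cookie)</script>';
$quote  = "' or '1=1--";
add_user($db, 'alice', $markup);

// The quote string is compared as a literal user name, so no row matches.
var_dump(find_user($db, $quote));

// Base64 is an encoding: decoding returns the original markup unchanged,
// so it does nothing for the page that later prints the value.
var_dump(base64_decode(base64_encode($markup)) === $markup);

// The value is stored as typed and becomes inert text only when encoded.
$row = find_user($db, 'alice');
echo h($row['bio']), "\n";
```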


Author

RE: Base64 in Database


Guest
Posted on 04-06-09 09:00
COM wrote:
454447415244 wrote:

I've chosen base64, because there is the base64_encode and base64_decode function (not with encryptions like md5).

So, no. He's not thinking about md5 hashing the passwords before base64 encoding them.

He never said that he wouldn't use md5 for passwords, he needed something with an ability to decrypt, so he didn't want to use md5. You previously asked why. Well, let's say he wants to safely store messages or content in a database, like these messages we write here, without worrying about sql injections. Would it be a good idea to not decode base64 before sending it off as html? No. Would it be good to hash messages like these posts or other content as md5? Good luck decoding that and posting it as readable html.
That was his point, it was a fairly decent idea, still needs xss prevention for instance as already mentioned. But the ability to decode would be important in his idea, so obviously he'd choose that.


Well, you are posting just for the sake of arguing.

If you read well, you will see that this is what he wrote:

I'm making a website where users can login/register.


So it's about logging-in and not about storing messages.
</EndOf>


Author

RE: Base64 in Database


Guest
Posted on 04-06-09 09:52
454447415244 wrote:
Well, you are posting just for the sake of arguing.

I'm saying the same about you.

454447415244 wrote:
If you read well, you will see that this is what he wrote:

I'm making a website where users can login/register.


So it's about logging-in and not about storing messages.

If you read well you'll notice that he doesn't mention the secure storage of the passwords anywhere and that his code doesn't even include passwords, only usernames. Usernames are information usually displayed, if there are users there will probably be information stored for them that will be displayed. You got your question answered why he wanted it, you answered the wrong question, he got some extra information, now be happy and shut it.

</EndOf>



Author

RE: Base64 in Database


Guest
Posted on 04-06-09 10:18
When I store data (base64 encoded), how can someone find out all data in the db is that way encrypted?? If someone doesn't know, how can it be unsafe? I'm busy with searching good methods to protect my site against XSS. Why would strip_tags not work? I mean, it removes all the html tags, right? htmlentities seems like a good method, cause it replaces chars as < and > etc. I am now at school, but I will try the methods you guys mentioned this afternoon.


Author

RE: Base64 in Database


Guest
Posted on 04-06-09 10:24
It's unsafe because it's easy to decrypt if you know what it is and most people can make an educated guess about what encryption is in use by seeing it, especially if it's a widely known one.


Author

RE: Base64 in Database


Guest
Posted on 04-06-09 10:30
Okay, as I said, I will try out some methods later today and I have a problem with images. I have written a php script that paints an image with 5 random characters (for image validation). Now, I would like to save the 5 chars in a cookie, but of course that's very unsafe. So I have to find a method to encrypt it safely. I don't like it when bots automatically register on my website, so that's why I want it encrypted. I thought about md5 (the script encrypts the input to md5 and checks if it is the same as in the cookie), but not sure if it is that secure...


Author

RE: Base64 in Database


Guest
Posted on 04-06-09 10:48
MH-IA wrote:
Okay, as I said, I will try out some methods later today and I have a problem with images. I have written a php script that paints an image with 5 random characters (for image validation). Now, I would like to save the 5 chars in a cookie, but of course that's very unsafe. So I have to find a method to encrypt it safely. I don't like it when bots automatically register on my website, so that's why I want it encrypted. I thought about md5 (the script encrypts the input to md5 and checks if it is the same as in the cookie), but not sure if it is that secure...


If the chars are in the cookie, that means that the bot can get the information. It would be safer if you stored them in a session variable. Then all you have to store in the cookie is the session id, which is done automatically.
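
Added example, not from the thread: the session approach described in the reply above, with the five characters kept server-side, a short lifetime, and one attempt per issued code. The function names, the 'captcha' key, the alphabet and the five-minute lifetime are assumptions; the functions take the session array by reference so they can be tried from the command line, and in a page you would pass $_SESSION after session_start().

```php
<?php
// Added example; names, alphabet and lifetime are hypothetical choices.
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O, 1/I
const CAPTCHA_TTL = 300; // seconds a code stays valid

// Generate the 5 characters and keep them on the server only.
function captcha_issue(array &$session, int $now): string {
    $code = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < 5; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, $max)];
    }
    $session['captcha'] = ['code' => $code, 'expires' => $now + CAPTCHA_TTL];
    return $code; // goes to the image-drawing script, never into a cookie
}

// One attempt per issued code: the stored value is dropped before the
// comparison, so neither a wrong guess nor a replay can be retried.
function captcha_verify(array &$session, string $answer, int $now): bool {
    $entry = $session['captcha'] ?? null;
    unset($session['captcha']);
    if (!is_array($entry) || $now > $entry['expires']) {
        return false;
    }
    return hash_equals($entry['code'], strtoupper(trim($answer)));
}

// Constructed walk-through with a plain array standing in for $_SESSION.
$session = [];
$code = captcha_issue($session, time());
var_dump(captcha_verify($session, strtolower($code), time())); // right answer
var_dump(captcha_verify($session, $code, time()));             // same code replayed
```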


Author

RE: Base64 in Database


Guest
Posted on 04-06-09 11:15
COM wrote:
454447415244 wrote:
Well, you are posting just for the sake of arguing.

I'm saying the same about you.

454447415244 wrote:
If you read well, you will see that this is what he wrote:

I'm making a website where users can login/register.


So it's about logging-in and not about storing messages.

If you read well you'll notice that he doesn't mention the secure storage of the passwords anywhere and that his code doesn't even include passwords, only usernames. Usernames are information usually displayed, if there are users there will probably be information stored for them that will be displayed. You got your question answered why he wanted it, you answered the wrong question, he got some extra information, now be happy and shut it.

</EndOf>


Simply. You shut it. Not me!
Quit trying to be the thread moderator.
You're trying to talk instead of the OP thinking you're defending him/his ideas.
The OP post after yours has proved me right.




Author

RE: Base64 in Database


Guest
Posted on 04-06-09 14:36
454447415244 wrote:
Simply. You shut it. Not me!
Quit trying to be the thread moderator.
You're trying to talk instead of the OP thinking you're defending him/his ideas.
The OP post after yours has proved me right.


Oh noooo, tragedy strikes as the possibility comes up that you just don't respond to something that doesn't need responding to anyhow.
You asked why he wanted it, I answered, you got your answer, I've even said that even though you answered something wrong the extra information is somewhat relevant and might be of interest. But let's just continue to ignore any point where we might agree as that'd make it difficult for you to excuse you being upset and throwing a tantrum over what I write.
Yes, you got me, my biggest dream is to be this thread's moderator. I've been wanting that since I was a little child and I'm living out all my fantasies now that the opportunity came along. I don't know what I will do with my life now that you're on to me.
The OP's post after mine hasn't proven you right in any way. Holy balls! The OP doesn't really know how these things work and doesn't know the difference between a hash and an encryption. It's only natural that he'd ask about it if it's been brought up. It's different forms of security that's been mentioned now, the OP probably doesn't even distinguish between those when someone says that something's less secure than something else.

Now go ahead, answer it so you won't have to commit suicide over the shame of not posting a response. And let's just leave it at that.


Author

RE: Base64 in Database

spyware
Member



Posts: 4192
Location:
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 04-06-09 15:26
http://php-ids.org/



Author

RE: Base64 in Database


Guest
Posted on 04-06-09 16:11
I now have this function:

Code
function check($input)
{
   $chars = array('`', '~', '!', '#', '$', '%', '^', '(', ')', '=', '+', '[', ']', '\\', ';', '\'', ',', '/', '{', '}', '|', ':', '"', '<', '>', '?', ' ');
   $repl = array('');
   $input = str_replace($chars, $repl, $input);
   return $input;
}




So inputs like "<script>alert(document.cookie)</script>" and "' or '1=1--" won't work. Maybe I can send the data SHA-encrypted? Don't know if it is really more secure to store data not-encrypted?

@spyware: Thx for the link, I will take a look at it :D


Author

RE: Base64 in Database


Guest
Posted on 04-06-09 16:24
MH-IA wrote:
Don't know if it is really more secure to store data not-encrypted?

It's not necessarily a question of safety for the site, but to protect the integrity/anonymity of the users. Let's say that your site is breached in a way that they can acquire the contents of the user/pass table. In that scenario if they are hashed with something really secure then odds are that the person can't get their passwords through it even though he has a list of the hashes.
If they're plaintext on the other hand, then he just has to look at it to know what it is they're using.
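
Added example, not from any poster: the breach scenario in the post above, comparing what a stolen table reveals under base64, under a plain digest, and under PHP's password_hash(), with the user name left readable because the site has to display it. The $users array stands in for a users table, and all function names and sample values are constructed for illustration.

```php
<?php
// Added example; $users stands in for a users table, names are hypothetical.

// Only the password is hashed; the user name is stored as-is for display.
function register(array &$users, string $user, string $password): bool {
    if (isset($users[$user])) {
        return false;
    }
    $users[$user] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

function login(array &$users, string $user, string $password): bool {
    // Unknown names are checked against a dummy hash so both paths do
    // comparable work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $users[$user] ?? $dummy);
    if (!isset($users[$user]) || !$ok) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost changes.
    if (password_needs_rehash($users[$user], PASSWORD_DEFAULT)) {
        $users[$user] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data.
$users = [];
$pw = 'correct horse battery staple';
register($users, 'alice', $pw);

// Base64: whoever holds the stored value gets the password back, no key needed.
var_dump(base64_decode(base64_encode($pw)) === $pw);
// Plain digest: one-way, but equal passwords always give equal stored values.
var_dump(hash('sha256', $pw) === hash('sha256', $pw));
// password_hash(): salted, so a fresh hash of the same password differs
// from the stored one and has to be checked with password_verify().
var_dump(password_hash($pw, PASSWORD_DEFAULT) === $users['alice']);
var_dump(login($users, 'alice', $pw), login($users, 'alice', 'guess'));
```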


Author

RE: Base64 in Database


Guest
Posted on 04-06-09 16:35
When I store the data SHA encrypted and I have to echo the username of someone, how can I do that? There is no function to decrypt sha.. I can store the data normal and sha encrypted, but I don't think that has any effect


Author

RE: Base64 in Database

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 04-06-09 16:41
MH-IA wrote:
When I store the data SHA encrypted and I have to echo the username of someone, how can I do that? There is no function to decrypt sha.. I can store the data normal and sha encrypted, but I don't think that has any effect


SHA is a hashing algorithm. It is not reversible. You need to use an encryption method (base64 for example) to be able to reverse it.

Why do you need to encrypt the username anyways?

