PHP & MYSQL – SECURITY – 3
Lorenzo Romano © 2021
As we continue with this third chapter, we will take a detour into web application security in PHP and MySQL.
Many user programs can reveal a password immediately after it has been typed masked with asterisks or similar characters.
This is certainly a great convenience, especially for those who struggle with computer keyboards, but it exposes a flank to bystanders, who need very little to memorize the whole password, or just part of it, and then reconstruct it at leisure.
Starting from this premise, let us build a PHP-MySQL program that is not too complex yet keeps the option of reviewing the typed password in clear text while, at the same time, verifying authorized access … in one fell swoop!
As I wrote in the previous installments, PHP lets you write “reentrant” programs, that is, programs that use a single structure to select multiple services. This feature lets one script take the username and password as input, check that the user exists and is valid (multiple access levels to the various procedures are easily obtained), grant access to the applications or reject the user for lack of the requirements and, note well, with a single command and only on explicit request, show the password in clear text.
After all, if the password entered is correct, there is no reason to see it in clear text!
To begin, build a simple security mask with username and password inputs and add two virtual buttons, one for the access request and the other for returning to the home page. Obviously the home page must in turn carry the button that calls up the mask.
N.B. Properly written professional software must allow user data to be updated without writing it directly into the programs. Programs are “sacred”: in theory, unless there is a reason for preventive, corrective or evolutionary maintenance, they should remain untouched for decades!
Figure 1 shows an example of a security mask. After entering the data and pressing Enter, if the credentials are correct you get direct access to the management menu in figure 2. If either of the two credentials is incorrect, you are not given access to the menu but instead a report of incorrect data.
It is interesting to note that for the user these sequences are completely transparent and facilitated by
help messages whose number and content are entirely at the discretion of the programmer.
If the user is also the product manager, and therefore an administrator, he is still a user and must comply with the security rules all the same. Through the management menu he only needs to know the functions of the product, even without any knowledge of computer science. In fact, the professionals involved must be divided into two groups: those who know computer science and those who know the needs of the office that the computers manage. In writing the user software, the programmer must be able to combine all the technological and management needs.
As I wrote before, if the entered credentials are somehow wrong, the basic menu will remain hidden and the following error message will appear in its place:
The message provides more or less detailed error indications and keeps both the password and the user’s access class (or type) hidden. Note the “See PWD” button in figure 3: pressing it shows the password just typed in clear text. This command must only be used away from prying eyes!
I will not go into the details of the statements I wrote, because many programmers would prefer object-oriented structures, CSS, and so on. However, by reading the flow you understand very well which routines and subroutines need to be implemented, in one or more of the many programming styles available with the PHP language.
In the next chapter I will analyze one of the ways to guarantee the security of the pages called up from the menu in figure 2. In fact, the individual pages must be prevented from being activated by commands external to the menu, and they must remain bound to the current user session and no other.
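The flow just described, written out as an added example that is not the article’s own code: a single reentrant PHP script that serves the security mask, checks the credentials against MySQL, rejects the user with a message that hides which field was wrong and what the access class is, and answers the “See PWD” request. The table users(username, pwd_hash, access_class), the placeholder DSN and the menu.php page name are assumptions.

```php
<?php
// Added example, not the article's code. Assumed (hypothetical): a table
// users(username, pwd_hash, access_class) with pwd_hash made by password_hash(),
// the placeholder DSN/credentials below, and a management menu page named menu.php.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'PLACEHOLDER_PASSWORD');

function authenticate(PDO $pdo, string $user, string $pwd): ?int
{
    // Prepared statement: the username is bound, never concatenated into the SQL text.
    $st = $pdo->prepare('SELECT pwd_hash, access_class FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Unknown user and wrong password fail identically, so the message reveals neither.
    if ($row === false || !password_verify($pwd, $row['pwd_hash'])) { return null; }
    return (int) $row['access_class'];   // the access class stays server-side only
}

function loginForm(string $user = '', string $pwd = '', string $msg = '', bool $reveal = false): void
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    echo '<form method="post">';
    if ($msg !== '') { echo '<p>' . $e($msg) . '</p>'; }
    // "See PWD": the value just typed is echoed back to its own sender, output-escaped,
    // only on explicit request; it is never stored or logged.
    if ($reveal) { echo '<p>Password typed: ' . $e($pwd) . '</p>'; }
    // Fields are refilled (password still masked) so the user can retry or reveal it.
    echo '<input name="user" value="' . $e($user) . '"> ';
    echo '<input type="password" name="pwd" value="' . $e($pwd) . '"> ';
    echo '<button name="action" value="login">Access</button> ';
    echo '<button name="action" value="seepwd">See PWD</button> ';
    echo '<a href="index.php">Home</a></form>';
}

$action = $_POST['action'] ?? '';
$user   = (string) ($_POST['user'] ?? '');
$pwd    = (string) ($_POST['pwd'] ?? '');
switch ($action) {                       // one structure selecting several services
    case 'login':
        $class = authenticate($pdo, $user, $pwd);
        if ($class === null) { loginForm($user, $pwd, 'Incorrect username or password.'); break; }
        session_regenerate_id(true);     // fresh session id once the privilege level changes
        $_SESSION['user'] = $user;
        $_SESSION['access_class'] = $class;
        header('Location: menu.php');    // the management menu of figure 2
        exit;
    case 'seepwd':
        loginForm($user, $pwd, '', true); // redisplay the mask with the typed password shown
        break;
    default:
        loginForm();                     // first call: the plain security mask
}
```

The access class is kept only in the server-side session, so the menu pages can read it from there rather than from anything the browser sends.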