1

I'm creating a login system for my online game and am using MySQL to manage users. In order to verify login data against the stored data in the database i'm using the following php script:

<?php
function mysqli_result($res, $row, $field=0) { 
    $res->data_seek($row); 
    $datarow = $res->fetch_array(); 
    return $datarow[$field]; 
}

$dbhost = 'host';
$dbuser = 'user';
$dbpass = 'pass';
$conn = mysqli_connect($dbhost, $dbuser, $dbpass, 'my_db');

if(! $conn )
{
  die('Could not connect: ' . mysql_error());
}
//First, get the login details from the URL
$username = $_GET["username"];
$password = $_GET["password"];

//Now fetch the password that is on record for that account
$sql = "SELECT DISTINCT acc_password FROM users WHERE acc_username = '$username'";

$result = mysqli_query($conn, $sql) or die(mysqli_error($conn));
$p_hash_store = mysqli_result($result, 0);

if (password_verify($password, $p_hash_store))
{
    echo "true";
}
else
{
    echo "false";
}
mysqli_close($conn);

Now here's the bit I'm worried about. In order to get the players username and password into that verify script I use a function in the game IDE that's the equivalent of a HTTP GET request, calling that verify script with the users raw username and password as parameters. It looks like this.

async_ini = http_get("http://www.website.com/script.php?username=" + obj_control_login.username + "&password=" + obj_control_login.password);

Since the verify script either echos true if the password matches the hash and false otherwise I can easily tell if the login details were correct. This system is all up and running fine.

My problem is that I don't like the fact that I'm sending the player's raw username and password off in a HTTP GET request hence the guts of my question: Are the parameters I pass in the php URL secure or are they open to prying eyes? If they are vulnerable is there anything I can do to fix that?

I'm a total novice at MySQL and php, this is literally the first thing I've done in them, so if the whole thing is laughable insecure please let me know; this is the only way I could think of integrating my game making software with MySQL and password hashing.

Greeny
  • 27
  • 4
  • 1
    why u no use bind param? password on `$_GET`? :) – user1978142 Jun 09 '14 at 00:40
  • Usually with passwords you want to use `POST` instead of `GET` – Class Jun 09 '14 at 00:46
  • Your proper password hashing is commendable. But the parameters are indeed sent plainly over the wire. GET variables show up in proxy logs, often (maybe not in your ajax-ish case) end up in referer headers. So at least utilize `https://` here. You're still open to database hijacking unless you properly escape your variables for SQL context. (Yes, bound parameters!) – mario Jun 09 '14 at 00:46
  • Just a cautious warning about `POST` requests. There are less trails, but they're not by any means "more secure" than GET parameters. (Btw, even though the crux of your question is a duplicate; that's still a very well presented first post +1) – mario Jun 09 '14 at 00:50
  • Thanks for the help guys. :) I'm going to change from Get to Post and use bound parameters. It was also suggested I change the return value of the verify script from "true" to a unique token to stop any possibility of someone rerouting the request to a page that simply always returns "true". Thanks again! – Greeny Jun 09 '14 at 14:22

0 Answers0