Am i right in suspecting that this generated PHP code is vulnerable?

Question

I'm not very educated on PHP or Web-security in general, but i strongly suspect that the code generated by some software the company I'm working for is using, is unsafe.

Here are some snippets of what i am concerned about:

First concern:

$sql = "SELECT password, fullname FROM ".$mysql_table." 
WHERE username = '".mysqli_real_escape_string($db,$_POST['username'])."'";

Is it bad to retrieve the password for the given username and then comparing them in the PHP, or is it better practice to use the password in the query itself, something like this:

... WHERE username = $username AND password = $hashed_password

Second concern:

$crypt_pass = md5($_POST['password']);
if ($crypt_pass == $data['password'])
{
    //LOGIN SUCCESS
}

Is using md5-hashing and not using salt, enough?

Third concern:

 setcookie('username', $_POST['username'], time() + 3600*24*30);
 setcookie('password', $_POST['password'], time() + 3600*24*30);

Is it a good idea to store plain/text usernames and passwords in a cookie?

Is any of this code unsafe and if so, what should be done instead?

Answer 1

There is actually one more issue you are missing:

Problem: This code is using "==" to check for equality on the hashes. PHP can merrily decide to coerce the first parts of these strings to numbers and then compare the "valid" parts of these numbers. For example, PHP will decide that "0e" starts a scientific notation number, whose value will always be zero. Thus, any two hashes starting with 0e and containing only numbers after will match each other.

"0e111111" == "0e123456"; # true, in PHP world.

There are lots more ways this can go wrong too. Always use "===" in PHP to compare hash.

Probably not a problem: Sending the password hash from the database to the web server is unlikely to ever be a problem, if an attacker can listen to that traffic, you are already in deep trouble. And the alternative is to include your hashed value in your query to the database server - either way, something is going over the link. If you need security here, you probably need a dedicated authentication system that has nothing to do with your database.

Major Problem: Yes, you must have per user, long, salts. Without long salts, your users passwords are stored in the rough equivalent to plain text. An attacker will simply look up the MD5 hashes in a rainbow table to see the corresponding passwords. For example, 482c811da5d5b4bc6d497ffa98491e38 looks secure, but you can look it up to find out it's "password123".

Major Problem: Storing the password in the cookie is horrible. It's going to be traveling over the network for every request, stored unencrypted on the users computer, and sent along with every request to anything on your domain (to images, to any evil files that have been upload). Also, those cookies are not set HttpOnly, which means any javascript on the page (from anyone) will be able to read the user's password.

Answer 2

First concern

Not particularly. As long as it is good protected against XSS and SQL injections and such. Personally however I prefer to compare them both against the database.

Second concern

MD5, as @gabe3886 said, should not be used for storing passwords. I personally use: http://www.openwall.com/phpass/. But there are loads of hash implementations around. Try searching the web.

Third concern

No it is not. See: https://stackoverflow.com/a/2100386/3455727

What should be used instead: Well, I have no idea why you even would store the username AND the password in a cookie, having them in the database should be sufficient.