spooks Posted January 18, 2010 (edited)

Sam's Anti-hacker Account Page Mods

Secure your account pages against code/SQL injection attempts, yet still allow strong passwords.

There are many instances now of websites being hacked (or cracked, to use the correct term), and it is necessary to make your site as secure as possible. One important measure in this is to sanitize all visitor inputs to ensure that no code injection attempt can work. However, this creates an issue: if your user creates a strong password using characters that are likely to be 'cleaned', either their password will not work, or the account gets a password that is different to what was input (as it was 'sanitized'). This is especially an issue when adding input sanitizing to an old site where visitors have already set passwords that are now 'illegal'.

This contribution resolves the issue by safely allowing any character to be used within the password. It does this by processing all password inputs before anything else: passwords are translated to hex values, the inputs are validated, then deleted as no longer required (only the hex strings are processed further). An option is provided to allow the string to be reverse translated at the point of password checking, to ensure existing passwords will work. This means the passwords now stored in the database are salted hashes of the hex string. Once the initial processing is done, all inputs are sanitized.

A new option is added to require the user to input a 'strong' password.

Other account fields are also subject to additional checks, or the input is converted:

- The date of birth field is now a drop down which automatically formats according to the store country. This ensures the format is correct, slashes (/) can still be sanitized, and the visitor cannot transpose days & months.
- The telephone field is checked to be numeric (if entered) and to contain only a limited set of allowed chars.
- The post code field is checked for the correct format, but only for UK & USA sites.
- If strong password is enabled, password forgotten will generate strong passwords.
- The State/Province/County field is pre-filled with the zones for the store country, rather than a blank field that gets populated on submit!
- The Country drop down is pre-selected to the store country.
- All input fields are sanitized.

Contribution will be found at: http://addons.oscommerce.com/info/7202

Keep your site & user data safe.

Edited January 18, 2010 by spooks

Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.
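The password-first ordering and the legacy reverse-translation option that the post describes, as an added PHP example. This is not the contribution's code from addons.oscommerce.com/info/7202 and not osCommerce's own functions: sanitize_input(), password_to_hex(), is_strong_password(), store_password() and check_password() are hypothetical names, the strength rules are an assumed policy, the request array is constructed, and the salted hash uses PHP's built-in password_hash() rather than whatever scheme the contribution itself uses.

```php
<?php
// Added illustration, not code from the contribution at addons.oscommerce.com/info/7202.
// It shows the ordering the post describes: hex-encode the raw password first,
// validate it, discard the raw value, then sanitize every other field.

declare(strict_types=1);

// Hypothetical sanitizer standing in for a site's input cleaning. It strips
// quotes, angle brackets, backslashes and semicolons, which is exactly why a
// strong password such as O'Neil<2010>; would silently change if passed through it.
function sanitize_input(string $value): string {
    return preg_replace('/[\'"<>\\\\;]/', '', $value);
}

// Step 1: translate the password to hex before any cleaning touches it.
// The hex form is [0-9a-f] only, so no sanitizer can alter it.
function password_to_hex(string $raw): string {
    return bin2hex($raw);
}

// Strength check on the original characters (recovered from the hex string)
// before the raw value is discarded. Assumed policy: at least 8 characters
// with a lower-case letter, an upper-case letter, a digit and a symbol.
function is_strong_password(string $hex): bool {
    if (!ctype_xdigit($hex) || strlen($hex) % 2 !== 0) {
        return false;
    }
    $raw = hex2bin($hex);
    return strlen($raw) >= 8
        && preg_match('/[a-z]/', $raw) === 1
        && preg_match('/[A-Z]/', $raw) === 1
        && preg_match('/[0-9]/', $raw) === 1
        && preg_match('/[^a-zA-Z0-9]/', $raw) === 1;
}

// Step 2: store a salted hash of the hex string (password_hash picks a random salt).
function store_password(string $hex): string {
    return password_hash($hex, PASSWORD_DEFAULT);
}

// Step 3: verify. $legacy_compat mirrors the post's option to reverse translate
// the hex string so that hashes made from the original characters keep working.
function check_password(string $hex, string $stored_hash, bool $legacy_compat): bool {
    if (password_verify($hex, $stored_hash)) {
        return true;
    }
    if ($legacy_compat && ctype_xdigit($hex) && strlen($hex) % 2 === 0) {
        return password_verify(hex2bin($hex), $stored_hash);
    }
    return false;
}

// --- demonstration with a constructed request ---
$request = [
    'email'    => "user@example.com' OR 1=1 --",   // constructed sample, not real data
    'password' => "O'Neil<2010>;",                 // constructed sample password
];

// The password is handled first and the raw value removed from the request.
$pw_hex = password_to_hex($request['password']);
unset($request['password']);

// Everything else is sanitized afterwards; the password is no longer in the array.
$clean = array_map('sanitize_input', $request);

if (!is_strong_password($pw_hex)) {
    exit("Password does not meet the strength rules\n");
}
$stored = store_password($pw_hex);

// An account created before the change: its hash was made from the raw characters.
$legacy_stored = password_hash("O'Neil<2010>;", PASSWORD_DEFAULT);

// Sanitized email field, then three checks: the new-style hash verifies from the
// hex string, the legacy hash does not unless reverse translation is enabled.
var_dump($clean['email']);
var_dump(check_password($pw_hex, $stored, false));
var_dump(check_password($pw_hex, $legacy_stored, false));
var_dump(check_password($pw_hex, $legacy_stored, true));

// What the sanitizer would have done to the raw password had it been cleaned directly.
var_dump(sanitize_input("O'Neil<2010>;"));
```

The hex step changes only the representation of the password, not its entropy, so the strength check still has to look at the original characters, which is why is_strong_password() decodes the hex before testing it. Keeping the legacy option off once all users have logged in at least once (and had their hashes rebuilt from the hex form) removes the second verification path.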