Nov 22, 2009

How Do You Create A Secure Login? - with PHP and mySQL


Kushika
I've read a few articles, and looked up the code of certain files and some of them seem to work differently. I'm trying to create a login script, which would require PHP and mySQL to run, however, I'm not quite sure how to approach it since I'm only just learning PHP.

I'd like to know, what is the most secure and effective login? I've heard you can add a salt to encrypted passwords, etc., as well as using sessions (sid). I'd just like to know what methods are best for creating a secure login script.

Thank you for reading this.


mastercomputers
So what are you trying to do? Is it a membership login, securing pages, etc?

What usually happens is people build web applications which they believe are secure, someone comes along and breaks them, and then they fix those problems.

There's really no 100% safe way, it's always a trial and error experience.

Large companies don't rely on just those technologies and sometimes have 3rd party software involved as well.

If you have code snippets that you think would be good, you should post those, that way I could help with sifting through what I would consider safe.

The basics are: you've got a Username field, a Password field and a login button. All data entered by the user must be checked against.

Never match user with password, just grab the user's row and then compare the password from the results, if the user doesn't exist you'd know because the database couldn't return the results, if the password doesn't match from the results returned from the database, also it will be incorrect.

Make sure you use either crypt() or md5() (heard md5 has collision problems, which doesn't mean it's that insecure, just means multiple passwords could equal the same hash) to encrypt the password. If possible, you should have it connect over a Secure Connection.

Always have a counter to count the times someone attempts to connect to that login multiple times, after 3 or more, present them with another login form which requires the visual representation of letters/numbers to be inserted, as well as a means to reset their password if they have forgotten it.

Sessions should be given to every user who connects to your site, even if they have not signed in, this is to help you monitor them.

Do not give back too much information that went wrong, e.g. if the username was incorrect, say either the username or password were incorrect (basically make it out that both were incorrect).

Using a salt for password is basically for random generating a password, it's probably best to use this and send this type of password to the user's email before allowing them to create and change their password. This way, you also verify their email address and can also send them changes/updates etc. Also try to make sure they use strong passwords and not weak ones.

There's tonnes more that would need to be talked about, even the security of your database and files etc, basically trying to make sure there's no weak links, since you might have the most secure login page in the world, yet your database security let you down and exposed everything, etc.


Cheers,


MC
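
An added example (not code from this thread) of the flow described in the post above: fetch the row by username only, compare the password afterwards, return one generic error, and require a CAPTCHA after three failures. It assumes PHP 7.1+ with the pdo_sqlite driver, uses an in-memory SQLite database in place of MySQL, and uses password_hash()/password_verify() (PHP's built-in salted hashing, a wrapper around crypt()) rather than md5(); the table names, the sample account and the `$captchaOk` flag are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. SQLite in memory stands in for MySQL
// so the script runs offline; tables and the sample account are constructed.
const MAX_FAILS = 3;   // failures allowed before a CAPTCHA is required
const GENERIC_ERROR = 'The username or password is incorrect.';

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE attempts (username TEXT PRIMARY KEY, fails INTEGER NOT NULL)');

// Registration: password_hash() picks a random salt and embeds it in the stored string.
$db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
   ->execute(['kushika', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

// Verified against when the username is unknown, so both failure paths do similar work.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

function failCount(PDO $db, string $user): int
{
    $st = $db->prepare('SELECT fails FROM attempts WHERE username = ?');
    $st->execute([$user]);
    return (int) $st->fetchColumn();   // false (no row yet) casts to 0
}

function login(PDO $db, string $dummyHash, string $user, string $pass, bool $captchaOk = false): array
{
    // Counted per submitted username, whether or not the account exists,
    // so the CAPTCHA prompt does not reveal which usernames are real.
    if (failCount($db, $user) >= MAX_FAILS && !$captchaOk) {
        return ['ok' => false, 'captcha' => true, 'error' => GENERIC_ERROR];
    }

    // Fetch the row by username only; the password never enters the SQL.
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    $valid = password_verify($pass, $row ? $row['pw_hash'] : $dummyHash);
    if ($row !== false && $valid) {
        $db->prepare('DELETE FROM attempts WHERE username = ?')->execute([$user]);
        // A web handler would call session_regenerate_id(true) at this point.
        return ['ok' => true, 'captcha' => false, 'error' => null, 'id' => (int) $row['id']];
    }

    // INSERT OR IGNORE is SQLite syntax; MySQL spells it INSERT IGNORE.
    $db->prepare('INSERT OR IGNORE INTO attempts (username, fails) VALUES (?, 0)')->execute([$user]);
    $db->prepare('UPDATE attempts SET fails = fails + 1 WHERE username = ?')->execute([$user]);
    return ['ok' => false, 'captcha' => failCount($db, $user) >= MAX_FAILS, 'error' => GENERIC_ERROR];
}

// Constructed walk-through: wrong passwords, an unknown user, then the right password.
$tries = [
    ['kushika', 'wrong-1'], ['nobody', 'wrong-2'], ['kushika', 'wrong-3'],
    ['kushika', 'wrong-4'], ['kushika', 'correct horse battery'],
];
foreach ($tries as [$u, $p]) {
    $r = login($db, $dummyHash, $u, $p);
    printf("%-8s ok=%s captcha=%s error=%s\n", $u,
        var_export($r['ok'], true), var_export($r['captcha'], true), var_export($r['error'], true));
}
// Once the counter has reached MAX_FAILS, only a solved CAPTCHA lets a login through.
var_export(login($db, $dummyHash, 'kushika', 'correct horse battery', true)['ok']);
echo "\n";
```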


CrazyPensil
I won't repeat everything once more) just see my answer a bit below your topic.


sonoftheclayr
I made a login script for my website that has a sha1 encrypted password stored in the database and cross-checks that with the password the user supplied.

It stores the user's name, id, clearance and username in cookies for ease of use around my website instead of connecting to the database every time and doesn't store information such as password and email in cookies, but I am just wondering how secure that is. I would have used sessions but they don't like me.

It isn't that much finished but upon registration an email is sent to their email address requiring them to confirm their account before login and the confirmation page requires username, password and email address before they are allowed to log in.

Half of my features aren't finished but I know how I am going to do them such as the following:
- Resend confirmation email
- Forgot my password
- Change settings and profile
- Automatically delete any unconfirmed users that have been registered for 72 hours (ample time to confirm account or to send out confirmation email again)

If anybody would like a copy of the completed script or would like to help in any way PM me.
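
An added example (not the poster's script) for the cookie question raised in the post above: fields such as id and clearance kept in a cookie can be edited by the client, so the server attaches an HMAC and rejects any cookie whose tag does not verify. It assumes PHP 7.1+; the function names, the key handling and the sample field values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's script. The key here is generated per run;
// a real key is created once and kept in server-side configuration.
$key = random_bytes(32);

// Serialise the fields, add an expiry, and append an HMAC-SHA256 tag.
function sealCookie(array $fields, string $key, int $ttl = 3600): string
{
    $fields['exp'] = time() + $ttl;
    $payload = base64_encode(json_encode($fields));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the fields only if the tag verifies and the cookie has not expired.
function openCookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // hash_equals() compares in constant time, unlike == or ===.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $fields = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($fields) || ($fields['exp'] ?? 0) < time()) {
        return null;
    }
    return $fields;
}

// Constructed sample values.
$cookie = sealCookie(['id' => 7, 'username' => 'sonoftheclayr', 'clearance' => 'member'], $key);
var_dump(openCookie($cookie, $key) !== null);

// The same cookie with the clearance field edited but the old tag kept is rejected.
[$payload, $mac] = explode('.', $cookie);
$edited = json_decode(base64_decode($payload), true);
$edited['clearance'] = 'admin';
var_dump(openCookie(base64_encode(json_encode($edited)) . '.' . $mac, $key));
```

The tag only detects modification; the field values remain readable by the client, so nothing secret belongs in the payload.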


cj2005
Use the mcrypt function (not built into PHP as standard; MCrypt FTP Site) or mhash (MHash Download Site).
You can encrypt and decrypt strings using both extensions to PHP.

If you can't install either, you can encrypt strings using the following code:

CODE

<?php
// md5() returns the 32-character hexadecimal MD5 digest of the string
$str = "Hello, I am going to be encrypted";
$enc_str = md5($str);
echo $str . "<br />" . $enc_str;
?>
