
View Full Version : Secure Login Area Question
killrwhale 03-30-2009, 02:20 PM Hello,
I just have a quick question about secure logins.
I am wanting to create a website where it has a very secure login area. I have a php script that links to a database for usernames and passwords. But is that really that secure? What could I do to make my login area really secure?
Thanks
e-Sensibility 03-30-2009, 02:29 PM As long as there are no vulnerabilities in the backend database, and assuming that your script doesn't open you up to any vulnerabilities in the way that it interfaces with the database, you should be good until there's a php vulnerability or one in your database server.
If you wanted to step it up another level you could look at kerberos.
HRDev Hady 03-30-2009, 03:05 PM Just make sure you don't have any SQL injections possible. Just addslashes, stripslashes, htmlentities to all of your variables that are used to select from the db.
That is just a part of securing your scripts from SQL injections. I also coded a little function that filters every global variable (get, post, request, etc).
function check_request($req) {
    $data = $req;
    $attack = false;
    $bad_list = '/|or|delete|script|drop|http|<|>|%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i';
    foreach($data as $check_data) {
        if(eregi($bad_list, $check_data)) {
            $attack = true;
        }
    }
    unset($check_data);
    if($attack != true) {
        return $req;
    } else {
        die("BAN THE USER!");
    }
}
Just make sure you don't have any SQL injections possible. Just addslashes, stripslashes, htmlentities to all of your variables that are used to select from the db.
That is just a part of securing your scripts from SQL injections. I also coded a little function that filters every global variable (get, post, request, etc).
That is resource intensive, unnecessary and extremely flawed. Here's a short tutorial I wrote a while ago, which gives you the basics: http://paste2.org/p/174472.
EDIT:
Are you using cookies or sessions?
killrwhale 03-30-2009, 05:30 PM That is resource intensive, unnecessary and extremely flawed. Here's a short tutorial I wrote a while ago, which gives you the basics: http://paste2.org/p/174472.
EDIT:
Are you using cookies or sessions?
I believe I am using sessions with the database.
Cmafai 03-30-2009, 05:50 PM Just a quick tip, make sure that in your database you encrypt the passwords :) Sounds obvious but a bunch of people forget that and pay the price when some hacker comes along and all of their members' passwords are leaked.
killrwhale 03-30-2009, 05:55 PM Just a quick tip, make sure that in your database you encrypt the passwords :) Sounds obvious but a bunch of people forget that and pay the price when some hacker comes along and all of their members' passwords are leaked.
Sorta like what happened to these forums right? But even if I encrypt my password, can't they decrypt it?
If not... how do I encrypt my passwords in the database?
csparks 03-30-2009, 08:15 PM MD5 or SHA1 is one-way encryption. For added security, make a user hash and check it on every page, for example:
$salt = "Some random very long string";
$userHash = md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'].$username.$salt);
Every page should check it, and destroy the session if it does not match.
$salt = "Some random very long string";
$userHash = md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'].$username.$salt);
That's a very bad idea for a password hash as if the user changes their IP or upgrades/switches their browser their password would no longer work.
EDIT: Just seen that csparks edited the post above, that would be fine as a session hash, but can be made stronger by using hash() functions.
----
The best way is to have 2 salts, 1 set in php (in config.php for example), and another set in mySQL in the users table (create another column called salt). This allows you to have 1 salt 'hardcoded' in php and another salt that is different for each user (in the mySQL db). So, if your site does have an SQL injection, the attacker could find out the mySQL salts, but not the 'hardcoded' one. If the worst comes to the worst and the attacker has a shell/ssh/ftp/readfile/etc, having a different salt for each user makes it take a lot longer to crack if the attacker wishes to crack all the users' passwords, however it doesn't make much difference if the attacker is only after 1 user.
Both salts should be ~5 letters long, and be upper/lower alphanumeric with special chars as well.
This function would be ok:
<?php
function enc_password($pass,$phpsalt,$sqlsalt) {
    return sha1(md5($phpsalt . md5($pass)) . $sqlsalt);
}
You can further strengthen it by using the hash() function, however not all php installations have this compiled. And you can use a random string function to generate the salt (there are hundreds out there).
To register a new user:
<?php
$phpsalt = '0hg&F'; // salt that never changes
$sqlsalt = random_string(); // per-user salt; random_string() is a helper you supply yourself
// The salt is escaped as well, since it may contain special characters such as quotes
mysql_query('INSERT INTO `users` (`username`,`password`,`salt`,`email`) VALUES(\'' .
    mysql_real_escape_string($_POST['user']) . '\',\'' . enc_password($_POST['pass'], $phpsalt, $sqlsalt) .
    '\',\'' . mysql_real_escape_string($sqlsalt) . '\',\'' . mysql_real_escape_string($_POST['email']) . '\')');
//Broken up the line above as it was messing up the width of the page
?>
Then to check the login all you have to do is generate the hash again (make sure you don't generate the sqlsalt again, SELECT it from the database) and compare it with the password field in mySQL.
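The register and login-check flow described in the post above, as an added example that is not code from any poster in this thread: a site-wide secret kept on the PHP side plus a per-user salt, with the check done by reading the stored row back. It swaps the md5/sha1 chain for hash_hmac() plus password_hash() (bcrypt, which generates the per-user salt and stores it inside the hash string) and uses prepared statements instead of manual escaping. It assumes PHP 7+ with the PDO SQLite driver; PEPPER, the table layout and the function names are made up for illustration.

```php
<?php
// Added example; PEPPER, the users table and the function names are illustrative.
// Site-wide secret: lives in PHP config, never in the database.
const PEPPER = 'constructed-example-secret-change-me';

function pepper(string $pass): string {
    // Keyed hash ties the password to the PHP-side secret. The base64 output is
    // 44 bytes with no NUL bytes, safely under bcrypt's 72-byte input limit.
    return base64_encode(hash_hmac('sha256', $pass, PEPPER, true));
}

function register_user(PDO $db, string $user, string $pass): void {
    // password_hash() picks a random per-user salt and embeds it in the result,
    // so no separate salt column is needed.
    $hash = password_hash(pepper($pass), PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$user, $hash]); // bound parameters, no string escaping
}

function check_login(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    // Recomputes the hash with the salt read from $stored and compares in constant time.
    return password_verify(pepper($pass), $stored);
}

// Constructed demo against an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

register_user($db, 'alice', 'correct horse battery');
var_dump(check_login($db, 'alice', 'correct horse battery'));
var_dump(check_login($db, 'alice', 'wrong password'));
// Quote characters are bound as data, so this is simply an unknown username.
var_dump(check_login($db, "alice' OR '1'='1", 'x'));
```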
Eoin_ 03-31-2009, 08:53 AM MD5 or SHA1 is one-way encryption. For added security, make a user hash and check it on every page, for example:
$salt = "Some random very long string";
$userHash = md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'].$username.$salt);
Every page should check it, and destroy the session if it does not match.
Is there not a good chance that a user's IP address can legitimately change if they are going through a work/college/whatever proxy?
killrwhale, I am not sure if any of these methods will protect against non-PHP documents in your folder (images/office documents etc). You may want to have a page that serves these from another location, so they can't be accessed by anyone.
killrwhale 03-31-2009, 12:42 PM Is there not a good chance that a user's IP address can legitimately change if they are going through a work/college/whatever proxy?
killrwhale, I am not sure if any of these methods will protect against non-PHP documents in your folder (images/office documents etc). You may want to have a page that serves these from another location, so they can't be accessed by anyone.
Perfect, thanks for all the help guys! Yea my site would only consist of php files, so it would be all good.
HRDev Hady 04-05-2009, 03:59 AM That is resource intensive, unnecessary and extremely flawed. Here's a short tutorial I wrote a while ago, which gives you the basics: .
EDIT:
Are you using cookies or sessions?
Sorry about that - I'm a bit old fashioned with SQL injection prevention, my methods have always worked pretty well for me.