Jump to content

Best Practice for Login Scripts


alvo
 Share

Recommended Posts

Hello Everyone, I was just ondering if anyone had any tips for the best way to approach a login system using an sql database that is secure from say injection or malicous entry etc? Thanks All James

Link to comment
Share on other sites

for sql injection mysql_real_escape_string() is enough. though it is not secure in some multibyte charset. if you want be sure totaly about sql inject you have to use prepared statement. about malicious entry its depends on systems..some basic things ..dont trust any inputs from outside,filter or sanitinze.always initialze variables. for login script use hashed password when user register.

Link to comment
Share on other sites

i would say MD5 orr HASH... depends... (NOTES!) Note that i got the MD5 idea from a torrent tracker called (TBdev) for a little project of my...they are kinda good... but still not the best... :/...

Link to comment
Share on other sites

What I usually do is: Make sure user cannot put username for a password.mysql_real_escape_string(); for sql injection protectionAdd a "salt" to password, then use sha1() BTW, sha1() is more secure than md5(). So something like this:

$salt = "Salt makes a hash more secure.";if ($username !== $password) {  $username = mysql_real_escape_string($username);  $password = sha1($password.$salt);}

I like to go overboard though. I save the hash of both the password and the username. This gives the login function more security as you don't have to worry about sql injection since it turns the username into a safe hash. I don't keep the plain-text username in the database unless I know I need to reference it. Instead I assign the username to the session. So as long as the user is logged in, they will have access to their own username in plain-text through the session.

Edited by Err
Link to comment
Share on other sites

MD5 is not a secure hashing algorithm. Even the PHP manual had to add it to their reference. PHP's crypt() function is the best built-in option though there are special libraries with more features. Read the description of the manual carefully, and use the constants to determine which algorithm is available on your server in order to generate the appropriate salt for it. I usually generate a unique salt for each password.

I like to go overboard though. I save the hash of both the password and the username. This gives the login function more security as you don't have to worry about sql injection since it turns the username into a safe hash. I don't keep the plain-text username in the database unless I know I need to reference it. Instead I assign the username to the session. So as long as the user is logged in, they will have access to their own username in plain-text through the session.
Well, that's OK as long as you don't want to show a list of registered users or want to manage your website's users by username.
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...