How to make login secure?


15 replies to this topic

#1 crazylegseddie
  • Members
  • Advanced Member
  • 36 posts

Posted 05 August 2006 - 11:04 AM

I currently have a log-in facility implemented in my site but it passes the password to the database in plain text with the following script.

<?php
$errorMessage = '';

$userName = $_POST['txtUserName'];
$password = $_POST['txtPassword'];

// first, make sure the username & password are not empty
if ($userName == '') {
    $errorMessage = 'You must enter your username';
} else if ($password == '') {
    $errorMessage = 'You must enter the password';
} else {
    // check the database and see if the username and password combo do match;
    // the password is compared as plain text, and both values are interpolated
    // into the query string unescaped
    $sql = "SELECT user_id
            FROM tbl_user
            WHERE user_name = '$userName' AND user_password = '$password'";
    $result = dbQuery($sql);
}
?>


Can I set this script to encrypt the password in some way and make it more secure?

Any help will be good.

THX


#2 GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • Location: UK

Posted 05 August 2006 - 11:10 AM

Take a look at the md5 function

http://uk.php.net/md5

You will need to apply the function to the passwords that are set when someone registers/an account is created, and when they log in.

#3 tomfmason
  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Location: stealing your wifi

Posted 05 August 2006 - 11:16 AM

You might also want to try something like mysql_real_escape_string

Traveling East in search of instruction, and West to propagate the knowledge I have gained.

current projects: pokersource


#4 Chetan
  • Members
  • Advanced Member
  • 162 posts
  • Location: India

Posted 05 August 2006 - 11:26 AM

But the best one is sha1, because md5 can be decrypted by some providers on the net. Use it like this:
<?php
$encryptme = "Hello World!";
$encryptme = sha1($encryptme); // SHA-1 hash (40-char hex digest) of the string
?>

I am a PHP Guru, ask me questions if you want to

#5 ignace
  • Moderators
  • Now mod flavored
  • 6,430 posts
  • Location: Belgium

Posted 05 August 2006 - 11:50 AM

I see you're using $error_message. To make sure you can display these errors above your form, and still be able to process your script above the html-head information, I use one extra variable. Of course I am giving you the very basic here..

<?php
$PreCheckComplete = 0;
if (@$_POST) {
   $errorMessage = '';
   $userName = $_POST['txtUserName'];
   $password = $_POST['txtPassword'];

   // first, make sure the username & password are not empty
   if ($userName == '') {
      $errorMessage .= "&bull; You must enter your username<br />";
   }
   // you can also check for string length: if (strlen($userName) < 6) { ...
   if (strip_tags($userName) != $userName) {
      $errorMessage .= "&bull; You are not allowed to use html in your username.<br />";
   }
   if ($password == '') {
      $errorMessage .= "&bull; You must enter the password.<br />";
   }
   if (strip_tags($password) != $password) {
      $errorMessage .= "&bull; You are not allowed to use html in your password.<br />";
   }
   if (!$errorMessage) { // no errors found..
      $PreCheckComplete = 1; // set flag
      $password = sha1($password); // don't know if sha1 is already implemented..
      // escape the username before it goes into the query (needs the mysql
      // connection to be open already); the sha1 hex digest needs no escaping
      $userName = mysql_real_escape_string($userName);
      // check the database and see if the username and password combo do match
      $sql = "SELECT user_id"
         . "\n FROM tbl_user"
         . "\n WHERE user_name = '$userName'"
         . "\n AND user_password = '$password'";
      $result = dbQuery($sql);
   }
}
?>
<!-- below the headers -->
<!-- above the form -->
<?php
if ($PreCheckComplete == 0) { // display the form
   if (@$errorMessage) {
      echo $errorMessage;
   }
?>
<form action="" method="post" ....
<?php } else { // display success
   echo 'jipii';
} ?>


#6 silentwf
  • Members
  • Member
  • 10 posts

Posted 05 August 2006 - 01:06 PM

But the best one is sha1, because md5 can be decrypted by some providers on the net. Use it like this:

<?php
$encryptme = "Hello World!";
$encryptme = sha1($encryptme); // SHA-1 hash (40-char hex digest) of the string
?>


http://www.schneier....ha1_broken.html
Ouch?

Always remember, NOTHING is absolutely secure.

#7 Chetan
  • Members
  • Advanced Member
  • 162 posts
  • Location: India

Posted 05 August 2006 - 03:02 PM

It's still less famous that it was broken... and ok, I was wrong there, but it is still better than md5 because there are a lot of providers like md5decryter.com, and when you search sha1 in google you would not get a lot of decrypters.
Nothing against you or something, but I wanted to tell you that, compared, sha1 is better.

#8 beamerrox
  • Members
  • Advanced Member
  • 35 posts
  • Location: Grimshaw, Alberta, Canada

Posted 05 August 2006 - 05:35 PM

<?php
$encryptme = "Hello World!";
$encryptme = sha1(md5($encryptme)); // MD5 hex digest, hashed again with SHA-1
?>


#9 silentwf
  • Members
  • Member
  • 10 posts

Posted 07 August 2006 - 01:17 AM

That still isn't hard to crack, you do realize that right?
Just decrypt the Sha1, then decrypt the MD5.
And plus, it adds a BIG load to the db, the encryption is uber long

#10 newb
  • Members
  • Advanced Member
  • 454 posts

Posted 07 August 2006 - 05:54 AM

You can't decrypt md5! Show me proof, you liar!

#11 rab
  • Members
  • Advanced Member
  • 155 posts

Posted 07 August 2006 - 06:02 AM

That still isn't hard to crack, you do realize that right?
Just decrypt the Sha1, then decrypt the MD5.
And plus, it adds a BIG load to the db, the encryption is uber long


You realize you won't get the md5 hash, right?

@newb, you're right, you can't decrypt MD5, but there are flaws in it that allow for MD5 collision. It can also be brute forced.

@crazylegseddie, encrypt the password and add random salt. Then create a session based off of a time and IP. But that's just what I would do to increase security.

#12 corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 07 August 2006 - 06:12 AM

MD5 is irreversible, last I heard...
Why doesn't anyone ever say hi, hey, or whad up world?

#13 dagnasty
  • Members
  • Advanced Member
  • 66 posts

Posted 07 August 2006 - 06:41 AM

If you want it stored in your database encrypted, obviously use encryption at the server side; however, going from a client to server, the form will still post as plain text. You can actually see this for yourself with a packet sniffer. To encrypt at the network layer, use SSL.

#14 dagnasty
  • Members
  • Advanced Member
  • 66 posts

Posted 07 August 2006 - 06:43 AM

In case you're not sure what adding salt is:

<?php
// append the salt string to the password, then hash the combined string
$password = $password . "bunchofwordsorrandomcharacters";
$password = md5($password);
?>
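Putting rab's advice (a random salt, then a one-way hash) and the escaping point raised earlier into working code, as an added example that is not from the thread: password_hash() (PHP 5.5 and later, so it postdates this discussion) generates a fresh salt per user and embeds it in the stored value, and PDO prepared statements keep the username and password out of the SQL text. The in-memory SQLite database and the tbl_user column layout are constructed for the demo.

```php
<?php
// Added example, not code from the thread. password_hash() (PHP >= 5.5)
// generates a fresh random salt per user and embeds it in the stored string,
// and the queries are parameterised so neither field is pasted into the SQL
// text. The in-memory SQLite database and the tbl_user(user_id, user_name,
// user_password) layout are constructed here for the demo.

function register_user(PDO $pdo, string $userName, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO tbl_user (user_name, user_password) VALUES (?, ?)');
    $stmt->execute([$userName, $hash]);
}

// Look the user up by name only, then check the submitted password against
// the stored hash. Returns user_id on success, null for an unknown user or a
// wrong password.
function check_login(PDO $pdo, string $userName, string $password): ?int {
    $stmt = $pdo->prepare('SELECT user_id, user_password FROM tbl_user WHERE user_name = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return null;
    }
    return (int) $row['user_id'];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_user (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, user_password TEXT)');

register_user($pdo, 'alice', 'Hello World!');
register_user($pdo, "o'brien", 'Hello World!');

// Same password, two different stored values: that is the random salt at
// work, so one precomputed table of digests cannot cover both users.
foreach ($pdo->query('SELECT user_name, user_password FROM tbl_user') as $r) {
    echo $r['user_name'], ' => ', $r['user_password'], PHP_EOL;
}

// Correct password, wrong password, and a username containing a quote that a
// string-built query would have broken on.
var_dump(check_login($pdo, 'alice', 'Hello World!'));
var_dump(check_login($pdo, 'alice', 'wrong password'));
var_dump(check_login($pdo, "o'brien", 'Hello World!'));
?>
```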

#15 corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 07 August 2006 - 07:21 AM

Wow, so what's the purpose of adding salt?

#16 Chetan
  • Members
  • Advanced Member
  • 162 posts
  • Location: India

Posted 08 August 2006 - 09:31 AM

So that the hacker gets the decrypted string with the characters at the end, making him get the wrong pass.



