Archived

This topic is now archived and is closed to further replies.

crazylegseddie

How to make login secure?

I currently have a log-in facility implemented in my site but it passes the password to the database in plain text with the following script.

[code=php:0]
<?php
$errorMessage = '';

$userName = $_POST['txtUserName'];
$password = $_POST['txtPassword'];

// first, make sure the username & password are not empty
if ($userName == '') {
    $errorMessage = 'You must enter your username';
} else if ($password == '') {
    $errorMessage = 'You must enter the password';
} else {
    // check the database and see if the username and password combo do match
    // (the password is compared as plain text and both values go straight
    // into the SQL string, which is what the question is about)
    $sql = "SELECT user_id
            FROM tbl_user
            WHERE user_name = '$userName' AND user_password = '$password'";
    $result = dbQuery($sql);
}
?>
[/code]

Can I set this script to encrypt the password in some way and make it more secure?

Any help will be good.

THX

Take a look at the md5 function

http://uk.php.net/md5

You will need to apply the function to the passwords that are set when someone registers/an account is created, and when they log in.

You might also want to try something like [url=http://us3.php.net/manual/en/function.mysql-real-escape-string.php]mysql_real_escape_string[/url]

But the best one is sha1, because md5 can be decrypted by some providers on the net. Use it like this:
[code=php:0]
<?php
$encryptme="Hello World!";
$encryptme=sha1($encryptme); // Encrypted
?>
[/code]

I see you're using $error_message. To make sure you can display these errors above your form, and still be able to process your script above the html-head information, I use one extra variable; of course I am giving you the very basics here...

[code]
<?php
$PreCheckComplete = 0;
if (@$_POST) {
    $errorMessage = '';
    $userName = $_POST['txtUserName'];
    $password = $_POST['txtPassword'];

    // first, make sure the username & password are not empty
    if ($userName == '') {
        $errorMessage .= "&bull; You must enter your username<br />";
    }
    // you can also check for string length: if (strlen($userName) < 6) { ...
    if (strip_tags($userName) != $userName) {
        $errorMessage .= "&bull; You are not allowed to use html in your username.<br />";
    }
    if ($password == '') {
        $errorMessage .= "&bull; You must enter the password.<br />";
    }
    if (strip_tags($password) != $password) {
        $errorMessage .= "&bull; You are not allowed to use html in your password.<br />";
    }
    if (!$errorMessage) { // no errors found..
        $PreCheckComplete = 1; // Set flag
        $password = sha1($password); // don't know if sha1 is already implemented..
        // check the database and see if the username and password combo do match
        $sql = "SELECT user_id"
             . "\n FROM tbl_user"
             . "\n WHERE user_name = '$userName'"
             . "\n AND user_password = '$password'";
        $result = dbQuery($sql);
    }
}
?>
<!-- below the headers -->
<!-- above the form -->
<?php
if ($PreCheckComplete == 0) { // Display the form
    if (@$errorMessage) {
        echo $errorMessage;
    }
?>
<form action="" method="post" ....
<?php } else { // Display success
    echo 'jipii';
} ?>
[/code]

[quote author=RockingGroudon link=topic=103077.msg410148#msg410148 date=1154777193]
But the best one is sha1, because md5 can be decrypted by some providers on the net. Use it like this:
[code=php:0]
<?php
$encryptme="Hello World!";
$encryptme=sha1($encryptme); // Encrypted
?>
[/code]
[/quote]

[url=http://www.schneier.com/blog/archives/2005/02/sha1_broken.html]http://www.schneier.com/blog/archives/2005/02/sha1_broken.html[/url]
Ouch?

Always remember, NOTHING is absolutely secure.

It's still less famous that it was broken... and OK, I was wrong there, but it is still better than md5 because there are a lot of providers like md5decryter.com, and when you search sha1 in Google you would not get a lot of decrypters.
Nothing against you or anything, but I wanted to tell you that, compared, sha1 is better.

[code]
<?php
$encryptme = "Hello World!";
$encryptme = sha1(md5($encryptme)); // Encrypted
?>
[/code]

That still isn't hard to crack, you do realize that, right?
Just decrypt the SHA1, then decrypt the MD5.
And plus, it adds a BIG load to the db; the encryption is uber long.

[quote author=silentwf link=topic=103077.msg410947#msg410947 date=1154913432]
That still isn't hard to crack, you do realize that, right?
Just decrypt the SHA1, then decrypt the MD5.
And plus, it adds a BIG load to the db; the encryption is uber long.
[/quote]

You realize you won't get the md5 hash, right?

@newb, you're right, you can't decrypt MD5, but there are flaws in it that allow for MD5 collisions. It can also be brute forced.

@crazylegseddie, encrypt the password and add a random salt. Then create a session based off of a time and IP. But that's just what I would do to increase security.

If you want it stored in your database encrypted, obviously use encryption at the server side. However, going from the client to the server, the form will still post as plain text. You can actually see this for yourself with a packet sniffer. To encrypt at the network layer, use SSL.

In case you're not sure what adding salt is:

[code]
$password = $password . "bunchofwordsorrandomcharacters";
$password = md5($password);
[/code]
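The salted hashing described in this post and the login lookup from the first post, as an added example that is not code from the thread: it uses PHP's built-in password_hash() (which stores a random per-user salt inside the hash string, so no hand-made salt is needed) and PDO prepared statements, so the form input never becomes part of the SQL. It assumes the pdo_sqlite extension for the in-memory demo database and the thread's table layout tbl_user(user_id, user_name, user_password).

```php
<?php
// Added example, not code from the thread: the same login check written with
// password_hash()/password_verify() and PDO prepared statements.
// Assumed schema: tbl_user(user_id, user_name, user_password), with
// user_password wide enough (255 chars) to hold the password_hash() output.

function registerUser(PDO $db, string $userName, string $password): void
{
    // bcrypt hash: the random salt and cost factor are encoded in the result string
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO tbl_user (user_name, user_password) VALUES (?, ?)');
    $stmt->execute([$userName, $hash]);
}

function loginUser(PDO $db, string $userName, string $password): ?int
{
    // Look the user up by name only; the password never becomes part of the query.
    $stmt = $db->prepare('SELECT user_id, user_password FROM tbl_user WHERE user_name = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throw-away hash when the user does not exist, so an
    // unknown username takes about as long to reject as a wrong password.
    $storedHash = $row ? $row['user_password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $storedHash) || $row === false) {
        return null; // same answer for a wrong username and a wrong password
    }

    // Upgrade the stored hash if PHP's default algorithm or cost has changed.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE tbl_user SET user_password = ? WHERE user_id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['user_id']]);
    }
    return (int) $row['user_id'];
}

// Self-contained demo on an in-memory SQLite database (use your real connection instead).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_user (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, user_password TEXT)');
registerUser($db, 'alice', 'correct horse battery'); // constructed sample account

var_dump(loginUser($db, 'alice', 'correct horse battery')); // known user, right password
var_dump(loginUser($db, 'alice', 'wrong password'));        // known user, wrong password
var_dump(loginUser($db, 'nobody', 'anything'));             // unknown user (dummy-hash path)
```

Each stored hash carries its own salt, so two users with the same password get different rows, and a leaked table cannot be looked up against precomputed md5/sha1 tables the way the earlier posts describe.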

So that the hacker gets the decrypted string with the characters at the end, making him get the wrong pass.
