
How to make login secure?


crazylegseddie


I currently have a log-in facility implemented in my site but it passes the password to the database in plain text with the following script.

[code=php:0]
$errorMessage = '';

$userName = $_POST['txtUserName'];
$password = $_POST['txtPassword'];

// first, make sure the username & password are not empty
if ($userName == '') {
    $errorMessage = 'You must enter your username';
} else if ($password == '') {
    $errorMessage = 'You must enter the password';
} else {
    // check the database and see if the username and password combo do match
    // (both submitted values go straight into the SQL string, and the
    // password is compared in plain text against the stored column)
    $sql = "SELECT user_id
            FROM tbl_user
            WHERE user_name = '$userName' AND user_password = '$password'";
    $result = dbQuery($sql);
}
[/code]

Can I set this script to encrypt the password in some way and make it more secure?

Any help will be good.

THX

I see you're using $error_message; to make sure you can display these errors above your form, and still be able to process your script above the html-head information, I use one extra variable. Of course I am giving you the very basics here..

[code]
<?php
$PreCheckComplete = 0;
if (@$_POST) {
   $errorMessage = '';
   $userName = $_POST['txtUserName'];
   $password = $_POST['txtPassword'];

   // first, make sure the username & password are not empty
   if ($userName == '') {
      $errorMessage .= "&bull; You must enter your username<br />";
   }
   // you can also check for string length: if (strlen($userName) < 6) { ...
   if (strip_tags($userName) != $userName) {
      $errorMessage .= "&bull; You are not allowed to use html in your username.<br />";
   }
   if ($password == '') {
      $errorMessage .= "&bull; You must enter the password.<br />";
   }
   if (strip_tags($password) != $password) {
      $errorMessage .= "&bull; You are not allowed to use html in your password.<br />";
   }
   if (!$errorMessage) { // no errors found..
      // note: this flag is set before the query runs, so the success branch
      // below is shown whenever the form validates; check $result before
      // treating the login as successful
      $PreCheckComplete = 1; // set flag
      $password = sha1($password); // hash before comparing; the stored column must hold the sha1 hex digest too
      // check the database and see if the username and password combo do match
      // (the sha1 digest is hex only, but $userName still goes into the SQL string unescaped)
      $sql = "SELECT user_id"
         . "\n FROM tbl_user"
         . "\n WHERE user_name = '$userName'"
         . "\n AND user_password = '$password'";
      $result = dbQuery($sql);
   }
}
?>
<!-- below the headers -->
<!-- above the form -->
<?php
if ($PreCheckComplete == 0) { // display the form
   if (@$errorMessage) {
      echo $errorMessage;
   }
?>
<form action="" method="post" ....
<?php } else { // display success
   echo 'jipii';
} ?>
[/code]

[quote author=RockingGroudon link=topic=103077.msg410148#msg410148 date=1154777193]
but the best one is sha1, because md5 can be decrypted by some providers on the net; use it like this
[code=php:0]
<?php
$encryptme="Hello World!";
$encryptme=sha1($encryptme); // Encrypted
?>
[/code]
[/quote]

[url=http://www.schneier.com/blog/archives/2005/02/sha1_broken.html]http://www.schneier.com/blog/archives/2005/02/sha1_broken.html[/url]
Ouch?

Always remember, NOTHING is absolutely secure.

It's still less famous that it was broken... and OK, I was wrong there, but it is still better than md5 because there are a lot of providers like md5decryter.com, and when you search sha1 in Google you would not get a lot of decrypters.
Nothing against you or anything, but I wanted to tell you that, compared, sha1 is better.

[quote author=silentwf link=topic=103077.msg410947#msg410947 date=1154913432]
That still isn't hard to crack, you do realize that, right?
Just decrypt the Sha1, then decrypt the MD5.
And plus, it adds a BIG load to the db; the encryption is uber long.
[/quote]

You realize you won't get the md5 hash, right?

@newb, you're right, you can't decrypt MD5, but there are flaws in it that allow for MD5 collisions. It can also be brute forced.

@crazylegseddie, encrypt the password and add a random salt. Then create a session based off of a time and IP. But that's just what I would do to increase security.
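A hardened version of the login check from the opening post, added here as an example; it is not code from anyone in the thread. It assumes a PDO connection and the tbl_user / user_id / user_name / user_password names from the post; password_hash() supplies the random salt the reply above asks for, and the prepared statement keeps the username out of the SQL text.

```php
<?php
// Added example (not from the thread): salted password hashing plus a
// parameterised query, replacing the plain-text comparison in the first post.
// Assumes a PDO handle in $pdo and a tbl_user table with user_id, user_name
// and user_password (the hash column needs room for ~255 characters).

// Registration: password_hash() generates a random salt and stores it inside
// the hash string, so no separate salt column is required.
function storeUser(PDO $pdo, string $userName, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt, random salt
    $stmt = $pdo->prepare(
        'INSERT INTO tbl_user (user_name, user_password) VALUES (:name, :hash)'
    );
    $stmt->execute([':name' => $userName, ':hash' => $hash]);
}

// Login: fetch the stored hash by user name only, then compare with
// password_verify(). The placeholder keeps $userName out of the SQL text,
// so a quote in the input is just data. Returns user_id or null.
function checkLogin(PDO $pdo, string $userName, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT user_id, user_password FROM tbl_user WHERE user_name = :name'
    );
    $stmt->execute([':name' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so the
    // response time does not reveal which usernames exist.
    $stored = $row ? $row['user_password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Upgrade the stored hash if it was made with weaker settings.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE tbl_user SET user_password = :hash WHERE user_id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['user_id']]);
    }
    return (int) $row['user_id'];
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_user (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, user_password TEXT)');
storeUser($pdo, 'alice', 'correct horse');
var_dump(checkLogin($pdo, 'alice', 'correct horse')); // matching password
var_dump(checkLogin($pdo, 'alice', 'wrong'));         // wrong password
var_dump(checkLogin($pdo, "' OR 1=1 --", 'x'));       // quote is data, not SQL
```

The stored column never holds the password itself, so a copied database yields only salted bcrypt hashes, and the username lookup cannot be altered by the submitted string.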

If you want it stored in your database encrypted, obviously use encryption at the server side; however, going from client to server, the form will still post as plain text. You can actually see this for yourself with a packet sniffer. To encrypt at the network layer, use SSL.