
Is this secure enough?


rille95

Recommended Posts

Hi!

I am wondering if my registration and login process is secure enough.

My registration form looks like this:

<form action=\"signup.php\" method=\"post\">
<i>Username</i><br><input type=\"text\" name=\"username\"><br>
<i>E-Mail</i><br><input type=\"text\" name=\"email\"><br>
<i>Full Name</i><br><input type=\"text\" name=\"fullname\"><br>
<i>Adress</i><br><input type=\"text\" name=\"adress\"><br>
<i>Country</i><br><input type=\"text\" name=\"country\"><br>
<i>Password</i><br><input type=\"password\" name=\"password\"> <br />
<i>Confirm Password</i><br><input type=\"password\" name=\"cpassword\"><br>
<i>Paypal Email</i><br><input type=\"text\" name=\"paypal\"><br>
<i>Referrer</i>: $ref<input type=\"hidden\" name=\"ref\" value=\"$ref\"><br><br>
<input type=\"submit\" class=\"button\" value=\"Sign up to $sitename\"></form>

And on all those I do this:

$username=mysql_real_escape_string(trim($_POST['username']));

and this:

$username=str_replace(array("<", ">"), array("&lt;", "&gt;"), $username);

I also check if they already exist in the database (except for name and country), if they are empty, if username and referrer are the same, if the IP exists in the database, and I am sending a verification email.

My login form looks like this:

<form action="authenticate.php" method="post">
<i>Username</i><br>
<input type="text" name="username"><br>
<i>Password</i><br>
<input type="password" name="password"> <br />
<a href='pwr.php'>forgot password?</a><br />

<br><br>
<input type="submit" class="button" value="Login to <?=$sitename;?>">
</form>

and I authenticate with this:

mysql_real_escape_string() and trim()

on username and password and then check for a match in my database.

Of course I encrypt the passwords with md5.

I am thinking of adding preg_match in my signup.php so only certain characters can be entered, but I don't know how to do this. Anyone good at that?

https://forums.phpfreaks.com/topic/174094-is-this-secure-enough/

Amongst some checks you can easily link into are:

StopForumSpam

http://www.stopforumspam.com/apis

Project HoneyPot

http://www.projecthoneypot.org/home.php

As you can see, they give the option of checking user-name & IP against a list of 'baddies'.

That way, you can check who is applying from the databases they have & also report a 'bad-un' to them.

I'm biased, as the forum that I'm a mod on has been attacked; those databases are only as good as the administrators are - to keep them up to date, they do require input (Johnny 5 - I'm Alive).

Even if you can not donate an MX record to them, please consider a hidden link to catch spam robots on your sites.

The PHP script for checking for 'bad' IP addresses is a quite easy thing to incorporate, as is the look-up when people provide an email address.

Regards,

Phill

I looked at it very quick..

The one thing I noticed was that you are using a hidden input for the referrer..

Since forms can be edited, they could change the referrer value..

Keep it server side :)

 

Do you mean I should just echo the referrer so they know who it is but can't edit it?

Look at regex to check all the posted info.......

 

Actually I have started to do that :)

I am using preg_match($pattern,$username); where $pattern = "/^([a-z0-9_])+$/";
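An added example (not the poster's code, nor the forum's) of the whitelist check this thread settles on, carried through the rest of the signup step: a prepared statement instead of mysql_real_escape_string(), password_hash() instead of md5(), and the referrer taken server-side as the earlier reply suggests. It assumes a PDO connection, a `users` table with `username`, `email`, `password_hash` and `referrer` columns, and PHP 7.1 or later; all of those names are assumptions.

```php
<?php
// Added example, not the poster's code: assumes a PDO connection, a `users`
// table (username, email, password_hash, referrer) and PHP 7.1+.

function validate_signup(array $post): array
{
    $errors   = [];
    $username = trim($post['username'] ?? '');
    $email    = trim($post['email'] ?? '');
    $password = $post['password'] ?? '';

    // Whitelist the username (the pattern the thread settles on) and bound its
    // length; rejecting anything else replaces the str_replace() blacklist.
    if (!preg_match('/^[a-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'Username: only a-z, 0-9 and _ (3-20 characters).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'E-mail address is not valid.';
    }
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    if ($password !== ($post['cpassword'] ?? '')) {
        $errors[] = 'Passwords do not match.';
    }
    return $errors;
}

// $referrer must come from the server side (e.g. $_SESSION['ref'], stored when
// the ?ref= link was followed), not from the hidden form field the client can edit.
function register_user(PDO $pdo, array $post, ?string $referrer): bool
{
    // A prepared statement keeps data separate from SQL, so no
    // mysql_real_escape_string() is needed on the values.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, password_hash, referrer) VALUES (?, ?, ?, ?)'
    );
    return $stmt->execute([
        trim($post['username']),
        trim($post['email']),
        // password_hash() replaces md5(): salted and slow; check later with password_verify().
        password_hash($post['password'], PASSWORD_DEFAULT),
        $referrer,
    ]);
}

// When echoing the referrer back into the form, escape on output instead of
// mangling the stored value: htmlspecialchars($referrer, ENT_QUOTES, 'UTF-8').
```

Call validate_signup($_POST) first and only call register_user() when it returns an empty array; the verification e-mail step from the original flow follows a successful insert.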

 

 


thanks will check that out.

Archived

This topic is now archived and is closed to further replies.
