
Hi!

I am wondering if my registration and login process is secure enough.

My registration form looks like this:

<form action="signup.php" method="post">
<i>Username</i><br><input type="text" name="username"><br>
<i>E-Mail</i><br><input type="text" name="email"><br>
<i>Full Name</i><br><input type="text" name="fullname"><br>
<i>Address</i><br><input type="text" name="adress"><br>
<i>Country</i><br><input type="text" name="country"><br>
<i>Password</i><br><input type="password" name="password"><br>
<i>Confirm Password</i><br><input type="password" name="cpassword"><br>
<i>Paypal Email</i><br><input type="text" name="paypal"><br>
<i>Referrer</i>: <?=$ref;?><input type="hidden" name="ref" value="<?=$ref;?>"><br><br>
<input type="submit" class="button" value="Sign up to <?=$sitename;?>"></form>

And on all of those I do this:

$username=mysql_real_escape_string(trim($_POST['username']));

and this:

$username=str_replace(array("<", ">"), array("&lt;", "&gt;"), $username);

I also check if they already exist in the database (except for name and country), if they are empty, if username and referrer are the same, and if the IP exists in the database, and I am sending a verification email.

My login form looks like this:

<form action="authenticate.php" method="post">
<i>Username</i><br>
<input type="text" name="username"><br>
<i>Password</i><br>
<input type="password" name="password"><br>
<a href='pwr.php'>forgot password?</a><br>
<br><br>
<input type="submit" class="button" value="Login to <?=$sitename;?>">
</form>

And I authenticate with this:

mysql_real_escape_string() and trim()

on username and password, and then check for a match in my database.

Of course I encrypt the passwords with md5.

I am thinking of adding preg_match in my signup.php so only certain characters can be entered, but I don't know how to do this. Anyone good at that?

https://forums.phpfreaks.com/topic/174094-is-this-secure-enough/
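The authentication step described in the post, reworked as an added example (this is not the poster's code): a prepared statement replaces mysql_real_escape_string(), password_verify() replaces an md5() comparison, and rows still holding an md5 are upgraded on their next successful login. It assumes PHP 7+, a PDO connection in $pdo, a users table with id, username and password columns, and a length limit on usernames that the thread does not state.

```php
<?php
// authenticate.php reworked (added example, not the poster's code).
// Assumed: PHP 7+, a PDO connection in $pdo, and a users table with
// id, username and password columns (password VARCHAR(255) so bcrypt fits).
session_start();

$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';

// Same allow-list the thread settles on for usernames (length limit assumed);
// rejecting here avoids a needless database round-trip.
if (!preg_match('/^[a-z0-9_]{3,20}$/', $username) || $password === '') {
    exit('Login failed.');
}

// Placeholders keep user input out of the SQL text entirely, so no
// mysql_real_escape_string() is needed.
$stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
$stmt->execute([$username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

$ok = false;
if ($user !== false) {
    $stored = $user['password'];
    if (preg_match('/^[a-f0-9]{32}$/', $stored)) {
        // Legacy row still holding an unsalted md5: verify it this one time,
        // then replace it with a salted bcrypt hash via password_hash().
        $ok = hash_equals($stored, md5($password));
        if ($ok) {
            $upd = $pdo->prepare('UPDATE users SET password = ? WHERE id = ?');
            $upd->execute([password_hash($password, PASSWORD_DEFAULT), $user['id']]);
        }
    } else {
        // password_verify() reads the salt and cost out of the stored hash.
        $ok = password_verify($password, $stored);
    }
}

if (!$ok) {
    // One message for "no such user" and "wrong password": no username enumeration.
    exit('Login failed.');
}

session_regenerate_id(true);        // fresh session id after login (session fixation)
$_SESSION['user_id'] = $user['id'];
header('Location: index.php');
exit;
```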

Amongst some checks you can easily link into are:

StopForumSpam
http://www.stopforumspam.com/apis

Project HoneyPot
http://www.projecthoneypot.org/home.php

As you can see, they give the option of checking user-name & IP against a list of 'baddies'.

That way, you can check who is applying from the databases they have & also report a 'bad-un' to them.

I'm biased, as the forum that I'm a mod on has been attacked. Those databases are only as good as the administrators are - to keep them up to date, they do require input (Johnny 5 - I'm Alive).

Even if you cannot donate an MX record to them, please consider a hidden link to catch spam robots on your sites.

The PHP script for checking for 'bad' IP addresses is quite an easy thing to incorporate, as is the look-up when people provide an email address.

Regards,

Phill

I looked at it very quickly..

The one thing I noticed was that you are using a hidden input for the referrer..

Since forms can be edited, they could change the referrer value..

Keep it server side :)

 

Do you mean I should just echo the referrer so they know who it is but can't edit it?

Look at regex to check all the posted info...

 

Actually I have started to do that :)

I am using preg_match($pattern,$username); where $pattern = "/^([a-z0-9_])+$/";

Thanks, will check that out.
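Bringing together the signup checks from the original post, the hidden-referrer point and the preg_match pattern above, as an added example that is not code from the thread: every posted field is validated against an allow-list, the referrer is read from the session instead of $_POST['ref'], and the password is stored with password_hash() instead of md5(). It assumes PHP 7+, a PDO connection in $pdo, a users table with the columns named in the code (password VARCHAR(255)), and that the referral link stored the referring username in $_SESSION['ref'] when it was first visited; the patterns and lengths for the non-username fields are assumptions.

```php
<?php
// signup.php reworked (added example, not code from the thread).
// Assumed: PHP 7+, a PDO connection in $pdo, a users table with the
// columns named below (password VARCHAR(255)), and that the referral
// link stored the referring username in $_SESSION['ref'] when visited.
session_start();

$field = function (string $name): string {
    return trim((string)($_POST[$name] ?? ''));
};
$username = $field('username');
$email    = $field('email');
$fullname = $field('fullname');
$address  = $field('adress');        // input name kept as in the original form
$country  = $field('country');
$paypal   = $field('paypal');
$password = $_POST['password'] ?? '';
$confirm  = $_POST['cpassword'] ?? '';
$ref      = $_SESSION['ref'] ?? null; // never $_POST['ref']: a hidden input is editable

// Allow-list every field; the patterns and lengths here are assumptions.
$errors = [];
if (!preg_match('/^[a-z0-9_]{3,20}$/', $username))             $errors[] = 'username';
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false)      $errors[] = 'email';
if (filter_var($paypal, FILTER_VALIDATE_EMAIL) === false)     $errors[] = 'paypal';
if (!preg_match('/^[\p{L} .\'-]{1,100}$/u', $fullname))        $errors[] = 'fullname';
if (!preg_match('/^[\p{L}\p{N} ,.\/#\'-]{1,200}$/u', $address)) $errors[] = 'adress';
if (!preg_match('/^[\p{L} ]{2,60}$/u', $country))              $errors[] = 'country';
if (strlen($password) < 8 || $password !== $confirm)          $errors[] = 'password';
if ($ref !== null && $ref === $username)                      $errors[] = 'ref';
if ($errors !== []) {
    exit('Invalid fields: ' . implode(', ', $errors)); // field names only, no user input echoed
}

// Uniqueness via placeholders; a UNIQUE index on these columns should back
// it up, since two concurrent signups can both pass this SELECT.
$stmt = $pdo->prepare('SELECT 1 FROM users WHERE username = ? OR email = ? OR paypal = ?');
$stmt->execute([$username, $email, $paypal]);
if ($stmt->fetchColumn() !== false) {
    exit('Username, e-mail or PayPal address already registered.');
}

$stmt = $pdo->prepare('INSERT INTO users
    (username, email, fullname, adress, country, paypal, ref, password, ip)
    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)');
$stmt->execute([$username, $email, $fullname, $address, $country, $paypal, $ref,
                password_hash($password, PASSWORD_DEFAULT), $_SERVER['REMOTE_ADDR']]);
// Store the raw text and escape with htmlspecialchars() at output time, not on the way in.
```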
