Posting information to MySQL securely (sessions?) & questions on dynamic user interface

[jdlev]

Hi guys,

 

Had a few questions. First off, my gear. Using CS5.5 for development with server 2003 iis6.0.

 

What I'm developing is pretty straight forward, and has the following features:

1) Secure form people use to register company info & user info.

2) Once logged in, users will be able to post/update/edit/delete information about funerals to a universal funeral info database.

3) There will be two types of user accounts. An admin that can see all funeral information from all funeral homes, and then funeral home accounts that will only be able to see their individual account data.

 

That's it...so I had a few questions...

 

1) I've been able to create a registration form pretty easily, and it posts to my database no problem. Only one issue that I can see right now. The password column shows the actual password...no encryption. Is there an easy way to encrypt the passwords that won't harm a user's ability to access their individual account?

 

2) I'm using dreamweaver's user authentication to allow access to restricted areas within the web site. When a person log's in, it verify's their information by checking their username/pwd. Then it further restricts a persons ability to view everything by fetching an access level associated with each user. I was able to echo and print the access level variable, which correlates to the user's account number. I want to use this information in a dynamic page that lists all records (funerals) associated with that account number. I can do that easily enough, but is PHP secure enough to prevent someone from logging in with a username & password and simply changing the account number (aka access level), and then running amuck with the funeral listings? Is that what's called an SQL injection attack?

 

3) I suppose I could add some more security, but not sure if it would help? What if instead of not just searching the account number for their funeral information, it matched their account number AND the name of the company when it pulled in information from the universal database?

 

I want to make sure this is secure since we're dealing with funeral homes. It would take a sick #$#@ to screw with someone's funeral information, but I'd rather be safe than sorry.

 

Thanks for any advice folks

[DaveyK]

1. For encrypting password you can use a combination or sha1() and md5() in any random order, that is quick but a hacker can still break it. A more secure method would be to use crypt(), say if you use a blowfish algorythm it would be nearly impossible for a hacker to retrieve it (even with super computers).

 

2. I dont know dreamweaver, never used it. However, what I know from SQL injection is that users sometimes use their $_POST info directly into a query ("INSERT INTO (...) VALUES ('.$_POST['var']"). Never ever do that. People can modify that POST and blow your stuff up. a more secure method would be to use htmlspecialchars() or mysql_real_escape_string() like such

 

$name = htmlspecialchar($name);

 

It helps.

 

3. Considering the account number is unique, adding the company name appears to be a little bit redundant if you ask me. However, if it makes you feel better, why not?

 

Also, I am not a very experienced developer so I may be wrong. If so, anyone please correct me.

Edited February 7, 2013 by DaveyK

[jdlev]

Thanks a ton Dave!