Re: nooB PhP login using MySQL



On 30 Mar, 08:55, Geoff Berrow <blthe...@xxxxxxxxxxx> wrote:
> Message-ID: <460c3865$0$5814$4c368faf@xxxxxxxxxxxxxx> from Ben contained
> the following:
>
> > First question is can someone direct me to a site or provide a sample code
> > for a login page that prompts for user/password then either displays a
> > message "Login Succeeded!" or "Login Failed!"
>
> The process is to take the supplied username and password and do a
> database query to see if there is a row containing that combination. Of
> course, this presupposes that you ensured that the combination was
> unique before storing in the database. If a row is found the login is
> successful.
>
> > Second, how do I prevent users from bypassing the login? Session variable
> > right? Need instructions on how to implement that.
>
> On success a session variable is set. Each protected page needs code
> which will check for the presence of the session variable. Additionally
> or alternatively an expiring cookie may be set. Another way is to set a
> timestamp in the db and check that has not expired each time.
>
> > Lastly, what is the best, maybe I should word that differently, the most
> > commonly used method for login encryption? I would like the password text
> > physically in the DB to be encrypted text that is decrypted through the
> > login process.
>
> It's not usually decrypted, the hashes used are usually one way.
> Ideally the username and password are sent via an encrypted connection.
> The reason for encrypting the passwords in the database is simple: so
> that the db admin does not know what they are. Passwords are encrypted
> using a hash function before insertion into the db. When the user tries
> to log in the hash function is used again and then the hashed version is
> compared with the one in the db.
>
> As others have pointed out, even supplying sample code will require a
> lot of hand holding and it may be a better idea to establish an off-list
> relationship with someone here.
> --
> Geoff Berrow (put thecat out to email)
> It's only Usenet, no one dies.
> My opinions, not the committee's, mine.
> Simple RFDs http://www.ckdog.co.uk/rfdmaker/

It is usually called "auth" as in implementing an auth login, here's a
link from the Zend website, it uses php5 techniques together with the
Zend Framework, which would make a good starting point if you like
Java, and will mean your code will be likely to have fewer insecurities in
it.
http://devzone.zend.com/node/view/id/1665
PHP suffers from a bad rep in that because it can be picked up and
copied and pasted by anyone (myself included) very bad and insecure
code often results. Using a framework helps, but as has been said, if
you make even one little mistake then your code is as wide open as if
you were a rookie, it is not really a 5 minute job as you have to
ensure that there is end to end security, in both directions, which
doesn't just mean "use SSL" and that there are no SQL/XSS injection
flaws, encoding/charset flaws, and a whole load of other
vulnerabilities, not just in the logic, but in the database
implementation (as has been said) eg. making sure you don't use the
same credentials table for one app as you do another unless you have
looked at the consequences thoroughly.
Once you have authenticated your user, your entire site must be
tighter than, or people can still leverage the slightest hole to get
access to others' info... it's all fun, no one here wants to make you
think you can just be given a walk through / code which will be
secure.
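The three pieces the thread describes (look the user up in the database, set a session variable on success and check it on every protected page, store only a one-way hash of the password) fit in one short file. This is an added example, not code from any poster in the thread or from the Zend link; it assumes a MySQL table `users(id INT PRIMARY KEY, username VARCHAR(64) UNIQUE, password_hash VARCHAR(255))`, a PDO DSN and database credentials that are placeholders, and PHP 7.3 or later. It goes a little beyond the replies above: the row is fetched by username only and the hash compared in PHP (so the query never contains the password), the lookup uses a prepared statement against the SQL injection flaws the follow-up mentions, the session id is regenerated at login, and the session carries a timestamp so it expires the way Geoff's db-timestamp variant would.

```php
<?php
// auth.php: added example (not from the thread). Assumes a MySQL table
// users(id, username UNIQUE, password_hash); DSN and credentials are placeholders.
declare(strict_types=1);

function db(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4',
                   'app_user', 'PLACEHOLDER_PASSWORD');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Registration: only a salted one-way hash ever reaches the database, so
// neither the db admin nor a dumped table reveals the password.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt, random salt
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: fetch the row by username with a bound parameter, then hash the
// supplied password again and compare, as Geoff describes. Returns the user
// id on success, null on failure.
function verifyLogin(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so a
    // miss costs the same time as a wrong password and does not reveal
    // which usernames are valid.
    $hash = ($row !== false) ? $row['password_hash']
                             : password_hash('dummy-not-a-real-user', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Transparently upgrade hashes made with an older cost/algorithm.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT),
                       ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

function startSession(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Cookie not readable from JavaScript, only sent over HTTPS.
        session_set_cookie_params(['httponly' => true, 'secure' => true,
                                   'samesite' => 'Lax']);
        session_start();
    }
}

// Call from login.php after a successful verifyLogin().
function establishSession(int $userId): void
{
    startSession();
    session_regenerate_id(true); // new id at privilege change: blocks session fixation
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// First line of every protected page: require 'auth.php'; requireLogin();
// Redirects to the login page when the session variable is absent or stale.
function requireLogin(int $maxAgeSeconds = 1800): void
{
    startSession();
    $fresh = isset($_SESSION['user_id'])
          && (time() - (int) ($_SESSION['login_at'] ?? 0)) <= $maxAgeSeconds;
    if (!$fresh) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
}

// login.php: handle the POSTed form.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $id = verifyLogin(db(), (string) ($_POST['username'] ?? ''),
                            (string) ($_POST['password'] ?? ''));
    if ($id !== null) {
        establishSession($id);
        echo 'Login Succeeded!';
    } else {
        echo 'Login Failed!';
    }
}
```

The form posts over HTTPS to this file (Geoff's "encrypted connection"); the messages are the two literals Ben asked for. `password_hash` and `password_verify` are the PHP built-ins (PHP 5.5 and later) that replace the hand-rolled md5/sha1 comparisons common in 2007-era tutorials; they handle salting and constant-time comparison for you, and because the query selects by username only, the hash is checked in PHP rather than by string-matching a `WHERE password = ...` clause.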



