
php login security

garyjohnson

Okay, so I have a PHP script that creates user accounts and encrypts the password, then saves it into the database. The login form just compares the user's password with the password in the database. The database has a password and username to connect to it. Is this enough security for my site's login? Or are there other things I should be doing?

cmps

Hello, it's enough: you are comparing the username and password from the user to the database, and the only two inputs that can identify the user are the username and password, but make sure you are making the username unique.

veedeoo

You can also add a failed-login counter and store the count in the session. Define how many failed logins you would allow before requiring an account reset or a captcha.

Test your login script with the most common login hacks, e.g. type OR'' in the password field without typing any username... If the script shows the mysterious user as logged in, then you need to sanitize more.
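
The test veedeoo describes, run first against a login query built by string concatenation and then against the same query as a prepared statement. This is an added example, not code from the thread: it uses an in-memory SQLite database through PDO so it runs stand-alone, and the table, columns and the two sample accounts are constructed for the demonstration.

```php
<?php
// Added example: the "OR''" login test from the thread, run against an
// in-memory SQLite database (constructed sample data, not a real site).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
// Passwords are stored in clear here only to keep the demo about the query;
// a real table holds hashes (see password_hash()).
$db->exec("INSERT INTO users (username, password) VALUES ('admin', 'secret'), ('alice', 'hunter2')");

// Vulnerable: user input is pasted straight into the SQL text.
function login_concat(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the same query as a prepared statement. The values travel
// separately from the SQL, so no input can change the query's structure.
function login_prepared(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// The test: empty username, password field set to the injection string.
$user = '';
$pass = "' OR ''='";   // closes the quoted value, then appends an always-true condition

$r = login_concat($db, $user, $pass);
// The built query ends "... AND password = '' OR ''=''". AND binds tighter than OR,
// so the WHERE clause is true for every row and the first row (admin) "logs in".
echo "concatenated query: ", $r ? "logged in as {$r['username']}" : "login failed", "\n";

$r = login_prepared($db, $user, $pass);
// The prepared statement compares the literal string "' OR ''='" with the password column.
echo "prepared statement:  ", $r ? "logged in as {$r['username']}" : "login failed", "\n";
```

If the password is hashed in PHP before the query is built, the password field no longer carries raw input into the SQL, but the username field still does (a value such as `admin' --` ends the WHERE clause early), so every value that reaches a query has to be parameterised or escaped, not just the one the test happens to target.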

garyjohnson

Yes, I am making the names unique. But let's say I have 5000 users: would this be secure enough for that many people?

broj1

As long as this is not a highly confidential banking or government site, this might be enough. Hopefully you have done the password hashing as per good practices. You might want to check this link.

Another aspect of security is input data validation/sanitization (username and password) to prevent SQL injection.

garyjohnson

When you say sanitization, do you mean putting all input data through mysql_real_escape_string($_POST['$variable'])?

cmps

mysql_real_escape_string() is a must; you need to use it on almost every variable whose value is taken from the user, to prevent SQL injection.
Even if you have a million users, if an action is applicable to one user, it will be applicable to all :)

garyjohnson

lol thanks for all the help! So mysql_real_escape_string() is all I need to put the variable through to stop SQL injection?

broj1

Escaping values using mysql_real_escape_string or a similar function (i.e. mysqli_real_escape_string) greatly minimizes the possibility of SQL injection by escaping dangerous characters. Some other things you have to do are (not a comprehensive list):

  • put quotes around any query parameters - even numbers
  • or use prepared statements, but this method is slightly less efficient
  • validate input values (if you expect a number, check it with is_numeric; if you expect an integer within a known range, check the range; check strings for maximum length; whitelist values if possible)

Also use the newer mysqli extension instead of the old mysql one, which might soon get deprecated.

More on this topic is here and here.

And more on login security.

diafol

Personally, I'd use prepared statements (PDO flavour), BUT you need to validate the data too. All data from POST vars should be strings anyway, but you can check for integer, float or date formats, etc. If any of the inputs fall outside the allowed parameters, flag an error - do not run the query.
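
The validation step broj1's list and diafol's reply both call for, as an added example that is not code from the thread: every POST field is checked to be a string, within length bounds and matching a whitelist before any query is built, and integers are range-checked with filter_var rather than is_numeric. The field names, length limits and the allowed username pattern are assumptions for the demonstration.

```php
<?php
// Added example: validate login fields before any query runs. Not the thread's
// code; field names, length limits and the username pattern are assumptions.

const USERNAME_MIN = 3;
const USERNAME_MAX = 32;
const PASSWORD_MAX = 128;   // bcrypt only looks at 72 bytes; cap here rather than truncate silently

/**
 * Returns a list of error messages; an empty list means the input may be used.
 * Everything from $_POST is untrusted: it must be a string (a request can send
 * field[]=x and deliver an array), within length bounds, and match a whitelist.
 */
function validate_login(array $post): array
{
    $errors = [];

    $user = $post['username'] ?? null;
    if (!is_string($user)) {
        $errors[] = 'username missing or not a string';
    } elseif (strlen($user) < USERNAME_MIN || strlen($user) > USERNAME_MAX) {
        $errors[] = 'username length out of range';
    } elseif (!preg_match('/\A[a-z0-9_.-]+\z/i', $user)) {
        // Whitelist: letters, digits, dot, dash, underscore. \A and \z anchor the
        // whole string; a trailing "$" alone would still accept "admin\n".
        $errors[] = 'username contains disallowed characters';
    }

    $pass = $post['password'] ?? null;
    if (!is_string($pass) || $pass === '') {
        $errors[] = 'password missing';
    } elseif (strlen($pass) > PASSWORD_MAX) {
        $errors[] = 'password too long';
    }

    return $errors;
}

/** Integer-in-range check for fields such as a page number or an account id. */
function validate_int_range($value, int $min, int $max): ?int
{
    // FILTER_VALIDATE_INT rejects "12abc", "0x1A", "1e3" and "1.5"; is_numeric accepts most of them.
    $n = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $n === false ? null : $n;
}

// Constructed inputs standing in for $_POST on a login form
$cases = [
    ['username' => 'gary_johnson', 'password' => 'correct horse'],
    ['username' => "admin\n",      'password' => 'x'],   // trailing newline: fails the whitelist
    ['username' => ['a', 'b'],     'password' => 'x'],   // array smuggled in instead of a string
    ['username' => "' OR ''='",    'password' => ''],    // the injection string never reaches SQL
];
foreach ($cases as $i => $post) {
    $errors = validate_login($post);
    echo "case $i: ", $errors ? implode('; ', $errors) : 'ok', "\n";
}
foreach (['42', '42abc', '1e3', '101'] as $v) {
    echo "int in 1..100 '$v': ", var_export(validate_int_range($v, 1, 100), true), "\n";
}
```

Validation rejects malformed requests outright; it does not replace prepared statements, because a value that passes the whitelist is still data and still has to be bound as a parameter rather than concatenated into the query.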

broj1

One more thing: if the password is incorrect, do not tell that to the user; if the username is incorrect, do not tell that to the user. Always tell them that the login failed, but not the reason. This way you give no clue to a potential attacker.
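
The pieces the thread has collected, put together as one registration and login flow: password_hash()/password_verify() for the stored password (broj1's "hashing as per good practices"), prepared statements, veedeoo's failed-login counter kept in the session, and broj1's single uniform failure result. This is an added example and not the thread's code; the table layout, the lockout threshold, the bcrypt cost and the session key name are assumptions, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example: hashed passwords, prepared statements, a per-session failed-login
// counter and one uniform failure result. Not the thread's code; the table layout,
// lockout threshold, bcrypt cost and session key are assumptions.

const MAX_FAILED_LOGINS = 5;   // after this many failures, require a captcha or reset
const BCRYPT_COST = 12;        // tune so one hash takes ~250 ms on the production host

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE on username: the database enforces it even if the PHP check is bypassed.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, password_hash TEXT NOT NULL)');
    return $db;
}

function register(PDO $db, string $username, string $password): bool
{
    // bcrypt with a per-user random salt; the hash string embeds salt and cost.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    try {
        $stmt->execute([$username, $hash]);
        return true;
    } catch (PDOException $e) {
        return false;   // duplicate username (UNIQUE violation) or other DB error
    }
}

/**
 * Returns the user's id on success, or null. The caller sees the same null
 * whether the username does not exist, the password is wrong or the session
 * is locked; the distinction goes to the server log only.
 */
function login(PDO $db, array &$session, string $username, string $password): ?int
{
    $session['failed_logins'] = $session['failed_logins'] ?? 0;
    if ($session['failed_logins'] >= MAX_FAILED_LOGINS) {
        error_log('login blocked: too many failures in this session');
        return null;
    }

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so response time
    // does not reveal whether the username exists.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stored = $row ? $row['password_hash'] : $dummy;
    $ok = password_verify($password, $stored) && $row !== false;

    if (!$ok) {
        $session['failed_logins']++;
        error_log('login failed for username=' . bin2hex($username));   // hex: no log injection
        return null;
    }

    $session['failed_logins'] = 0;
    // Upgrade the stored hash if it was made with a weaker cost than current policy.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]), $row['id']]);
    }
    return (int) $row['id'];
}

// Constructed walk-through
$db = open_db();
$session = [];   // stands in for $_SESSION after session_start()
echo 'register gary:       ', var_export(register($db, 'gary', 'correct horse battery staple'), true), "\n";
echo 'register gary again: ', var_export(register($db, 'gary', 'another'), true), "\n";
echo 'gary, right password: ', var_export(login($db, $session, 'gary', 'correct horse battery staple'), true), "\n";
echo 'gary, wrong password: ', var_export(login($db, $session, 'gary', 'wrong'), true), "\n";
echo 'unknown user:         ', var_export(login($db, $session, 'nobody', 'x'), true), "\n";
for ($i = 0; $i < MAX_FAILED_LOGINS; $i++) {
    login($db, $session, 'gary', 'wrong');
}
echo 'after lockout, right password: ', var_export(login($db, $session, 'gary', 'correct horse battery staple'), true), "\n";
echo "failed_logins counter: {$session['failed_logins']}\n";
```

A counter kept only in the session stops casual guessing from one browser; an attacker who discards the session cookie starts from zero each time. For real throttling the failure count has to be tracked server-side per account (and usually per source address) in addition to the session.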

garyjohnson

Thanks for all the help! I have taken all of your input and am using it to create my secure login.

Question Answered as of 1 Year Ago by broj1, cmps, veedeoo and 1 other