Okay, so I have a PHP script that creates user accounts and encrypts the password, then saves it into the database. The login form just compares the user's password with the password in the database. The database has a user name and password to connect to it. Is this enough security for my site's login? Or are there other things I should be doing?
garyjohnson
Recommended Answers
Hello, it's enough. You are comparing the username and password from the user against the database; the only two inputs that can identify the user are the username and password, but make sure you are making the username unique.
You can also add a failed-login counter and store the count in the session. Define how many failed logins you will allow before requiring an account reset or a captcha.
Test your login script with the most common login hacks, e.g. type OR'' in the password field without typing any username... if …
One more thing: if the password is incorrect, do not tell that to the user; if the username is incorrect, do not tell that to the user. Always tell them that login failed, but not the reason. This way you give no clue to a potential attacker.
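The three suggestions above (a failed-login counter in the session, a login that survives the `OR''` injection test, and a single generic failure message) fit together in one small login handler. The following is an added example written for this thread, not code posted by the asker or any replier. It assumes a MySQL table `users(id, username UNIQUE, password_hash)`, a PDO connection, and the `MAX_FAILED_LOGINS` limit and `/dashboard.php` redirect; all of those names are illustrative. It also stores a `password_hash()` result rather than an encrypted password, which is a choice made here rather than something the thread specifies.

```php
<?php
// Added example, not from the original thread. Assumed schema:
//   users(id INT PRIMARY KEY, username VARCHAR(64) UNIQUE, password_hash VARCHAR(255))
declare(strict_types=1);

const MAX_FAILED_LOGINS = 5; // assumed limit before a captcha/reset is required

/**
 * Registration: store a password hash, never the password itself.
 * password_hash() generates a random salt and uses bcrypt by default.
 * Duplicate usernames are rejected by the UNIQUE constraint in the table.
 */
function registerUser(PDO $pdo, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    try {
        return $stmt->execute([':u' => $username, ':h' => $hash]);
    } catch (PDOException $e) {
        return false; // e.g. username already taken
    }
}

/**
 * Login: returns true on success, false on any failure. The caller never
 * learns whether the username or the password was the wrong part.
 */
function loginUser(PDO $pdo, string $username, string $password): bool
{
    // Failed-attempt counter kept in the session, as suggested in the thread.
    $_SESSION['login_failures'] = $_SESSION['login_failures'] ?? 0;
    if ($_SESSION['login_failures'] >= MAX_FAILED_LOGINS) {
        return false; // a real app would require a captcha or account reset here
    }

    // Prepared statement: the username is bound as data, so a value such as
    // ' OR '' is looked up literally and never changes the query.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal whether the username was valid.
    $storedHash = $row ? $row['password_hash'] : password_hash('dummy-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $storedHash) && $row !== false;

    if (!$ok) {
        $_SESSION['login_failures']++;
        return false;
    }

    $_SESSION['login_failures'] = 0;
    session_regenerate_id(true);            // new session id on login (anti-fixation)
    $_SESSION['user_id'] = (int) $row['id'];

    // Re-hash transparently if the default algorithm or cost has changed.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Form handler (usage). Connection details are placeholders.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'db_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (loginUser($pdo, $username, $password)) {
    header('Location: /dashboard.php');
    exit;
}
echo 'Login failed.'; // same message whether the username or the password was wrong
```

To run the injection test from the thread against this handler, submit an empty username and `' OR ''` as the password: the prepared statement finds no row, `password_verify` is run against the throwaway hash, and the user sees the same "Login failed." as for any other bad attempt.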
All 11 Replies (authors, in order): cmps, veedeoo, garyjohnson, broj1, garyjohnson, cmps, garyjohnson, broj1, diafol, broj1, garyjohnson