
Making a php login secure

  • 23-02-2006 7:47pm
    #1
    Registered Users Posts: 1,086 ✭✭✭


    I have a website in which I have a login just using textfields which compare the username and password to a database.
    I have no idea how to make the website secure. I am using PHP.

    Have googled the problem but cannot really understand advice.

    Thanks in advance,

    Peter


Comments

  • Closed Accounts Posts: 1,200 ✭✭✭louie




  • Registered Users Posts: 1,086 ✭✭✭Peter B


    Thanks for that louie.

    Is there a way to create a secure login without using pear? I am using a standard mysql DB.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Your question is somewhat vague. What do you mean by secure? Protected against SQL injections? SSL connection? Encrypted data? Can we get a little more about what you want?


  • Registered Users Posts: 1,086 ✭✭✭Peter B


    Sorry for the vague description.

    I am creating a website which involves logins and has private information stored on my database. I do not want wrongful access by anybody to my database information or to access anybody's accounts. I just want to make it as secure as possible against data manipulation or deletion.

    My logins are just standard text fields read in and compared using php to a database returned password value.

    Is this sort of login sufficient enough or should I create some extra precautions? Sorry about the vagueness but I really don't know much about storing and protecting private information online.


  • Closed Accounts Posts: 2,046 ✭✭✭democrates


    Peter B wrote:
    Sorry for the vague description.

    I am creating a website which involves logins and has private information stored on my database. I do not want wrongful access by anybody to my database information or to access anybody's accounts. I just want to make it as secure as possible against data manipulation or deletion.

    My logins are just standard text fields read in and compared using php to a database returned password value.

    Is this sort of login sufficient enough or should I create some extra precautions? Sorry about the vagueness but I really don't know much about storing and protecting private information online.
    There are a whole bunch of things to be done, you'll be doing some more googling...

    I presume your site is on a shared server with a hosting company? First read through their support pages for your hosting plan and note the key points. It's a good idea to document your setup.

    If you *need* to encrypt pages rather than have them travelling in the clear, you'll need an ssl certificate on your site. These can be shared among many users or more expensively just for your domain (think of it like a passport for your website's identity). Google.

    Upload a php script with just this in it:
    <?php
    phpinfo();
    ?>
    and call it from your browser.
    Save the resultant page to your own pc and then delete the script from the server. (You'd be surprised how many sites leave phpinfo.php in their web root, leave hackers some job satisfaction!)

    Look at the settings returned for register_globals and safe_mode
    Google for what's best to do in whatever situation pertains on your server, there are some override options.

    The password your scripts use to access the db should be in a separate file outside the webroot (so they can't be accessed by a browser), but the web server (apache?) needs access to it, google.

    The passwords for your users can be stored in a mysql password field, or hashed in php. Then they won't be useful if someone manages to execute arbitrary sql on your site and view the db contents, even you won't know the passwords. This means no 'email my forgotten password' feature, if they forget it they email you and you (or a script) can reset it and mail them back the new one. Weak link here, unless you've encrypted email. Works for many big sites though...

    Validate all user input like a paranoid schizophrenic. Hidden fields in forms are trivial to change by anyone accessing them, form validation on the client side is only for user assistance, you check everything on the server. Google, and php.net.

    Weigh all the security measures against the value of the data you are storing, or the risk of it being published.

    Would do no harm if you want to learn more to buy 2600 magazine, online from 2600.com or Tower Records on Wexford St DN if that's convenient. Surprising what you can learn in those mighty mags.
    Good luck!


  • Registered Users Posts: 1,086 ✭✭✭Peter B


    Thanks for the very helpful info.

    I am running the site on a shared server with a hosting company. I am using MySQL 4.0.25 and PHP Version 4.4.1.

    So far I have
    1. changed my passwords to salted hashes
    2. Changed the permissions of the mysql user to only SELECT, INSERT, UPDATE, REFERENCES, INDEX
    3. I use striptags for all the users information entered using either $_POST or $_GET
    4. inserted a simple php email checker to check if email addresses entered look real.

    I am finding trouble protecting against SQL injections. I have read the addslashes() method is both good and bad. I couldn't understand exactly how to implement it.

    $sql ='INSERT INTO `member` (`firstname`, `lastname`, `email`, `password`) VALUES (\''.$firstname.'\', \''.$lastname.'\', \''.$email.'\', \''.$secure_password.'\')';
    addslashes($sql);


    I believe you can't just implement the addslashes method using addslashes($sql), you actually have to run the method on each value individually before creating the SQL statement. Like this below.

    $firstname = addslashes($firstname);
    $lastname= addslashes($lastname);
    $email= addslashes($email);
    $secure_password= addslashes($secure_password);
    $sql ='INSERT INTO `member` (`firstname`, `lastname`, `email`, `password`) VALUES (\''.$firstname.'\', \''.$lastname.'\', \''.$email.'\', \''.$secure_password.'\')';




    Then when retrieving you have to run stripslashes() on each value individually so instead of

    Hello <? echo mysql_result($result,0,"firstname") ?>,

    I will have to enter

    Hello <? echo stripslashes(mysql_result($result,0,"firstname")) ?>,

    Am I correct with this? To change my site I will have to change a load of SQL statements but if it meant making a site secure against SQL injections I would.

    Any other security issues I still should implement?

    Thanks for the help!:)
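
Added example, not part of the thread and not any poster's code: the hashed-password advice and the addslashes() question above, handled with bound parameters and PHP's password API. It assumes PHP 5.5+ with the PDO SQLite driver (newer than the PHP 4.4.1 mentioned in the thread); the in-memory database stands in for the MySQL `member` table, and `register_member()` and `check_login()` are hypothetical helper names.

```php
<?php
// Added example: assumes PHP 5.5+ with the PDO SQLite driver. The in-memory
// database is a stand-in for the thread's MySQL `member` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (firstname TEXT, lastname TEXT,
                                email TEXT UNIQUE, password TEXT)');

// Hypothetical helper: values are bound as parameters and never concatenated
// into the SQL text, so no addslashes() call is needed on the way in.
function register_member(PDO $db, $first, $last, $email, $plain)
{
    $stmt = $db->prepare('INSERT INTO member (firstname, lastname, email, password)
                          VALUES (:first, :last, :email, :hash)');
    $stmt->execute(array(
        ':first' => $first,
        ':last'  => $last,
        ':email' => $email,
        // password_hash() generates a per-user salt and embeds it in the hash.
        ':hash'  => password_hash($plain, PASSWORD_DEFAULT),
    ));
}

// Hypothetical helper: returns the member row on success, false otherwise.
function check_login(PDO $db, $email, $plain)
{
    $stmt = $db->prepare('SELECT firstname, password FROM member WHERE email = :email');
    $stmt->execute(array(':email' => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($plain, $row['password'])) {
        return false;
    }
    return $row;
}

// Constructed sample input: names containing a quote and markup characters.
register_member($db, "Se'an <b>", "O'Brien", 'sean@example.com', 'correct horse');

var_dump(check_login($db, 'sean@example.com', 'wrong guess') === false);
var_dump(check_login($db, "o'brien@example.com", 'correct horse') === false);

$row = check_login($db, 'sean@example.com', 'correct horse');
// The stored value comes back unchanged (no stripslashes() on the way out);
// escape it for HTML only at the point of output.
echo 'Hello ', htmlspecialchars($row['firstname'], ENT_QUOTES, 'UTF-8'), ",\n";
```

Because the quote characters travel as data rather than as SQL, the stored name is byte-for-byte what was submitted, and the only escaping left is the HTML escaping at output.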


  • Closed Accounts Posts: 2,046 ✭✭✭democrates


    This is a good site for these questions : http://www.acunetix.com/websitesecurity/php-security-1.htm


  • Closed Accounts Posts: 70 ✭✭vito


    If you are worried about SQL injection you might look at http://pecl.php.net/package/filter.

    I haven't had time to check it myself but believe that it filters all user submitted input safely.

