
PHP Login Script


Cbeppe


Hey!

 

I joined heliohost a few hours ago and felt like making my first post a useful one. The links go to a dreamincode.net PHP tutorial on how to create a professional and (relatively) secure login script. Unfortunately, the last part of it is missing, but the plan is very well outlined in the first post so you will probably be able to figure out the rest.

 

http://www.dreamincode.net/forums/topic/54...in-design-pt-1/

http://www.dreamincode.net/forums/topic/54...gin-design-pt2/

 

Cbeppe.

Link to comment
Share on other sites

Be aware of how they store passwords though... in the article, he stores them plaintext in an SQL database, and on the bottom he recommends using md5 encryption for passwords. This might be the easiest, but it's very vulnerable.

 

Other than that, it's a great link. Thanks.

 

Cbeppe.

Link to comment
Share on other sites

You can add a secret string and md5() to the password (before INSERT and SELECT):

 

$mypassword = mysql_real_escape_string($mypassword);

$sec_str = "b2Tz8Uk3EvkMx"; // just an example secret string

$mypassword = md5($mypassword.$sec_str);

 

This way the password is safer than with md5() only.

Link to comment
Share on other sites

You're welcome :)

 

Yes, I recommend MD5 just to prevent hacking. You might also want to hash the MD5 a bit more with another method, to make it extra secure if you feel it is important for security to be at its best (like running a free web host with 20,000 users :lol:).

 

MD5 is hard to reverse unless it is a dictionary word, making it a good hash but (as I said above) more encryption on the MD5 I think is available.

Link to comment
Share on other sites

As bgcomuf said, use the

 

md5(salt+Password)

 

If you want more security, then try:

 

md5(md5($salt).md5($pass))

or

md5($salt.md5($salt.$pass))

or

md5(md5($salt).$pass)

 

Also try SHA1, SHA-256.

---

Also, the user should enter a strong password.

Force the user to set a strong password (with special characters, case combination, numbers).
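
Added example, not part of the thread or the linked tutorial: PHP's built-in password_hash() and password_verify() give every password its own random salt and a deliberately slow algorithm, which md5() with one fixed secret string does not. The code below also replaces a stored md5($password.$sec_str) value at the next successful login; the function names, the in-memory row and the sample password are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Function names and sample values
// are constructed; $row stands in for one row of a users table.
const LEGACY_SECRET = 'b2Tz8Uk3EvkMx'; // the example secret string posted in the thread

// The thread's scheme: one fast MD5 over password + a secret shared by all users.
// (If the old code escaped the password before hashing, repeat that step here.)
function legacy_hash(string $password): string
{
    return md5($password . LEGACY_SECRET);
}

// Check a login attempt. Returns the hash that should be stored afterwards,
// or null when the password does not match.
function verify_and_upgrade(string $password, string $stored): ?string
{
    // A legacy value is exactly 32 lowercase hex characters.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, legacy_hash($password))) {
            return null;
        }
        // Correct password: swap the MD5 value for a salted, slow hash.
        return password_hash($password, PASSWORD_DEFAULT);
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Re-hash when the default algorithm or cost has changed since storage.
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : $stored;
}

// Constructed sample: the same password stored for two different users.
$pw = 'correct horse battery staple';
// Legacy scheme: compare the two users' stored values.
var_dump(legacy_hash($pw) === legacy_hash($pw));
// password_hash(): compare the two users' stored values.
var_dump(password_hash($pw, PASSWORD_DEFAULT) === password_hash($pw, PASSWORD_DEFAULT));

// A legacy row is upgraded on a correct login, then checked again.
$row = ['password_hash' => legacy_hash($pw)];
$row['password_hash'] = verify_and_upgrade($pw, $row['password_hash']);
var_dump(password_verify($pw, $row['password_hash']));
var_dump(verify_and_upgrade('wrong guess', $row['password_hash']));
```

The value returned by verify_and_upgrade() is what gets written back to the user's row, using a prepared statement rather than string escaping.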

 
