Okay so I have a PHP script that creates user acounts and encrypts the password then saves it into the database. The login form just compares the users password with a password in the database. The database has a password to connect to and user name. Is this enough security for my sites login? Or is there other things I should be doing?
garyjohnson 14 Junior Poster
cmps 26 Light Poster
Hello, it's enough, you are comparing username and password from user to database, the only two input that can identify the user are username and password, but make sure you are making the username unique.
veedeoo 474 Junior Poster Featured Poster
you can also add login failed counter and assign the count in session. Define how many failed login would you allow, before requiring an account reset or captcha.
Test your login script with the most common login hacks e.g. type OR'' on the password field, without typing any username... if the script shows the mysterious user as logged in, then you need to sanitize more..
garyjohnson 14 Junior Poster
Yes I am making the names unique. But let's say I have 5000 users and this would be secure enough for that many people?
broj1 356 Humble servant Featured Poster
As long as this is not a higly confidential banking or government site this might be enough. Hopefully you have done the password hashing as per good practices. You might want to check this link.
Other aspect of security is input data validation/sanitization (username and password) to prevent sql injections.
garyjohnson 14 Junior Poster
When you mean sanitization do you mean put all input data into this mysql_real_escape_string($_POST['$varaible'])?
cmps 26 Light Poster
mysql_real_escape_string() is a must, you need to use it almost on every variable, in which value is taken from the user, to prevent SQL Injection.
Even if you have million users, if an action is applicable on one user, it will be applicable for all :)
garyjohnson 14 Junior Poster
lol thanks for all the help! So mysql_real_escape_string() is all i need to put the varaible into to stop sql injection?
broj1 356 Humble servant Featured Poster
Escaping values using mysql_real_escape_string or similar (i.e. mysqli_real_escape_string) function greatly minimizes a possibility of sql injection by escaping dangerous characters. Some other things you have to do are (not a comprehensive list):
- put quotes arround any query parameters - even numbers
- or use prepared statements, but this method is slightly less efficient
- validate input values (if you expect a number check it with is_numeric, if you expect an integer within known range check for the range, check strings for maximum lenght, whitelist values if possible)
Also use newer mysqli extension instead of old mysql which might soon get deprecated.
More on this topic is here and here.
And more on login security.
diafol
Personally, I'd use prepared statements (PDO flavour), BUT you need to validate the data too. All data from POST vars should be strings anyway, but you can check for integer or float or date formats, etc. If any of the inputs fall outside the allowed parameters, flag an error - do not run the query.
broj1 356 Humble servant Featured Poster
One more thing: if password is incorrect, do not tell that to the user; if username is incorrect, do not tell that to the user. Allways tell them that login failed, but not the reason. This way you give no clue to potential attacker.
garyjohnson 14 Junior Poster
Thanks for all the help! I have taken all of your input and am using it to create my secure login.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.