I am currently building a login-user-cms with a backend database which will contain some sensitive data.
It is inspired by this tutorial:
I have the following precautions:
* I only make use of sessions (no cookies)
* I use mysql_real_escape_string to protect against MySQL injection
* at login the IP is stored and on each form submission re-checked
* no includes with variables
* no PHP code error output (I don't use die() very often, but if/else statements)
* maximum of 3 login attempts
I am thinking of:
* using session_regenerate_id
* encrypting the data in MySQL, but the downside is possible trouble with SELECT statements?
Am I over-paranoid, or do you think it will be a good idea to hash the input? And what about encrypting data? My biggest concern with encrypting is the slowdown.
I would appreciate your input & advice on this, I might have overlooked things here.
Thanks in advance.
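As an added example, not part of the original post or of the tutorial it mentions, here is how the points listed above (query escaping, hashing the password input, session_regenerate_id, and the 3-attempt limit) fit together in a PHP login handler that uses PDO prepared statements instead of manual mysql_real_escape_string escaping. The users table layout, the DSN and the database credentials are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Assumed schema:
//   users(id INT PRIMARY KEY, username VARCHAR(64) UNIQUE,
//         password_hash VARCHAR(255), failed_attempts INT)
declare(strict_types=1);

const MAX_ATTEMPTS = 3; // same limit the post describes

function connect(): PDO {
    // Assumed DSN and credentials; real values belong in configuration, not source.
    $pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'cms_user', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares
    return $pdo;
}

function register(PDO $pdo, string $username, string $password): void {
    // Store only a salted, slow hash of the password, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash, failed_attempts) VALUES (?, ?, 0)'
    );
    $stmt->execute([$username, $hash]);
}

function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare(
        'SELECT id, password_hash, failed_attempts FROM users WHERE username = ?'
    );
    $stmt->execute([$username]); // bound parameter: no escaping needed, no injection
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || $user['failed_attempts'] >= MAX_ATTEMPTS) {
        return false; // unknown user or locked account: identical response for both
    }
    if (!password_verify($password, $user['password_hash'])) {
        $pdo->prepare('UPDATE users SET failed_attempts = failed_attempts + 1 WHERE id = ?')
            ->execute([$user['id']]);
        return false;
    }
    // Success: reset the counter, then rotate the session id so an id that existed
    // before authentication cannot be reused by someone who learned it earlier.
    $pdo->prepare('UPDATE users SET failed_attempts = 0 WHERE id = ?')
        ->execute([$user['id']]);
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    return true;
}
```

Call session_start() before login(); password_verify() still works if PASSWORD_DEFAULT changes in a later PHP version, because the algorithm is recorded in the stored hash.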