Solved

.php login security advice

Posted on 2007-11-17
7
1,085 Views
Last Modified: 2012-06-27
I am currently building a login-user-cms with a backend database which will contain some sensitive data.
It is inspired by this tutorial:
http://www.roscripts.com/PHP_login_script-143.html

I have the following precautions:

* i only make use of sessions (no coockies)
* i use mysql_real_escape_string to protect mysql injection
* at login the IP is stored and on each form submission re-checked
* no includes with variables
* no php code error output (i don't use die() very often, but if->else statements)
* maximum of 3 login attempts

i am thinking of:
* using session_regenerate_id
* hashing the input of sensitive data with (javascript) SHA256
  http://www.bichlmeier.info/sha256.html

* encrypt the data in MYSQL, but the downside is possible trouble with SELECT statements ?

Am i over-paranoid, or do you think it will be a good idea to hash the input? And what about encrypting data? My biggest concern with encrypting is the slowdown.

I would appreciate your input & advice on this, i might have overseen things here.
Thanks in advance.
0
Comment
Question by:dwax
  • 3
  • 2
  • 2
7 Comments
 
LVL 12

Expert Comment

by:Rok-Kralj
ID: 20305239
session_regenerate_id() -very  good choice, at least at login
hashing, encrypting - only if you are afraid of someone breaking to your base
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 20305270
You seem to be going about things the right way. Store sensitive information in SESSION variables as they are stored server side. If you are being *really* paranoid then be aware that ALL session cookies on a server are usually stored in /tmp (*nix - I'm not sure about Windows), but Zend have a datasheet on modifying these to store them in the database instead. See here

http://devzone.zend.com/node/view/id/1312

about halfway down the page.

As far as encryption goes, there is no need to encrypt absolutely everything. For instance to hide information about someone it my be enough to encrypt just their name - particularly if it is not a search term. If you do have to encrypt "searchable" fields then feed them into an algorithm that produces some output that is searchable so that you can massively reduce stuff that needs decrypting for searching.
0
 
LVL 12

Expert Comment

by:Rok-Kralj
ID: 20306954
You can also use OpenSSL to encrypt comunication between client and server. It's free.
0
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

 

Author Comment

by:dwax
ID: 20307378
thanks for the replies.

I can use shared ssl on my host, but that means an ugly url like  https://jhostdomomain.com/userftpname.
Which doesn't give the user a very 'secure' feeling.

Okay, basicly i am on the right track, thats good to hear. My current host has most 'dangerous' php functions disabled (safe_mode, magic quotes,no external includes etc) so it's pretty safe i think.

Would using ssl be a huge leap in security?
0
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 88 total points
ID: 20307414
"Would using ssl be a huge leap in security?"

It should make things considerably more difficult for man-in-middle attacks, packet sniffing, etc. It won't stop holes in code from being holes in code. Faulty PHP will still be a security gap.

All https will do is make it MORE LIKELY that the line from the server to the client's browser is safe.

0
 
LVL 12

Assisted Solution

by:Rok-Kralj
Rok-Kralj earned 87 total points
ID: 20307518
If you really did everything written above, you are safe.

If you want me to check your code for holes, post it here.
0
 

Author Comment

by:dwax
ID: 20307611

Thanks to you both!  (split points).
I will talk things over with the client.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to dynamically set the form action using jQuery.

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question