.php login security advice

I am currently building a login-user-cms with a backend database which will contain some sensitive data.
It is inspired by this tutorial:
http://www.roscripts.com/PHP_login_script-143.html

I have the following precautions:

* i only make use of sessions (no coockies)
* i use mysql_real_escape_string to protect mysql injection
* at login the IP is stored and on each form submission re-checked
* no includes with variables
* no php code error output (i don't use die() very often, but if->else statements)
* maximum of 3 login attempts

i am thinking of:
* using session_regenerate_id
* hashing the input of sensitive data with (javascript) SHA256
  http://www.bichlmeier.info/sha256.html

* encrypt the data in MYSQL, but the downside is possible trouble with SELECT statements ?

Am i over-paranoid, or do you think it will be a good idea to hash the input? And what about encrypting data? My biggest concern with encrypting is the slowdown.

I would appreciate your input & advice on this, i might have overseen things here.
Thanks in advance.
dwaxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

 
Rok-KraljCommented:
session_regenerate_id() -very  good choice, at least at login
hashing, encrypting - only if you are afraid of someone breaking to your base
0
 
Beverley PortlockCommented:
You seem to be going about things the right way. Store sensitive information in SESSION variables as they are stored server side. If you are being *really* paranoid then be aware that ALL session cookies on a server are usually stored in /tmp (*nix - I'm not sure about Windows), but Zend have a datasheet on modifying these to store them in the database instead. See here

http://devzone.zend.com/node/view/id/1312

about halfway down the page.

As far as encryption goes, there is no need to encrypt absolutely everything. For instance to hide information about someone it my be enough to encrypt just their name - particularly if it is not a search term. If you do have to encrypt "searchable" fields then feed them into an algorithm that produces some output that is searchable so that you can massively reduce stuff that needs decrypting for searching.
0
 
Rok-KraljCommented:
You can also use OpenSSL to encrypt comunication between client and server. It's free.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
dwaxAuthor Commented:
thanks for the replies.

I can use shared ssl on my host, but that means an ugly url like  https://jhostdomomain.com/userftpname.
Which doesn't give the user a very 'secure' feeling.

Okay, basicly i am on the right track, thats good to hear. My current host has most 'dangerous' php functions disabled (safe_mode, magic quotes,no external includes etc) so it's pretty safe i think.

Would using ssl be a huge leap in security?
0
 
Beverley PortlockCommented:
"Would using ssl be a huge leap in security?"

It should make things considerably more difficult for man-in-middle attacks, packet sniffing, etc. It won't stop holes in code from being holes in code. Faulty PHP will still be a security gap.

All https will do is make it MORE LIKELY that the line from the server to the client's browser is safe.

0

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
 
Rok-KraljCommented:
If you really did everything written above, you are safe.

If you want me to check your code for holes, post it here.
0
 
dwaxAuthor Commented:

Thanks to you both!  (split points).
I will talk things over with the client.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.