Solved

.php login security advice

Posted on 2007-11-17
7
1,084 Views
Last Modified: 2012-06-27
I am currently building a login-user-cms with a backend database which will contain some sensitive data.
It is inspired by this tutorial:
http://www.roscripts.com/PHP_login_script-143.html

I have the following precautions:

* i only make use of sessions (no coockies)
* i use mysql_real_escape_string to protect mysql injection
* at login the IP is stored and on each form submission re-checked
* no includes with variables
* no php code error output (i don't use die() very often, but if->else statements)
* maximum of 3 login attempts

i am thinking of:
* using session_regenerate_id
* hashing the input of sensitive data with (javascript) SHA256
  http://www.bichlmeier.info/sha256.html

* encrypt the data in MYSQL, but the downside is possible trouble with SELECT statements ?

Am i over-paranoid, or do you think it will be a good idea to hash the input? And what about encrypting data? My biggest concern with encrypting is the slowdown.

I would appreciate your input & advice on this, i might have overseen things here.
Thanks in advance.
0
Comment
Question by:dwax
  • 3
  • 2
  • 2
7 Comments
 
LVL 12

Expert Comment

by:Rok-Kralj
ID: 20305239
session_regenerate_id() -very  good choice, at least at login
hashing, encrypting - only if you are afraid of someone breaking to your base
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 20305270
You seem to be going about things the right way. Store sensitive information in SESSION variables as they are stored server side. If you are being *really* paranoid then be aware that ALL session cookies on a server are usually stored in /tmp (*nix - I'm not sure about Windows), but Zend have a datasheet on modifying these to store them in the database instead. See here

http://devzone.zend.com/node/view/id/1312

about halfway down the page.

As far as encryption goes, there is no need to encrypt absolutely everything. For instance to hide information about someone it my be enough to encrypt just their name - particularly if it is not a search term. If you do have to encrypt "searchable" fields then feed them into an algorithm that produces some output that is searchable so that you can massively reduce stuff that needs decrypting for searching.
0
 
LVL 12

Expert Comment

by:Rok-Kralj
ID: 20306954
You can also use OpenSSL to encrypt comunication between client and server. It's free.
0
Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

 

Author Comment

by:dwax
ID: 20307378
thanks for the replies.

I can use shared ssl on my host, but that means an ugly url like  https://jhostdomomain.com/userftpname.
Which doesn't give the user a very 'secure' feeling.

Okay, basicly i am on the right track, thats good to hear. My current host has most 'dangerous' php functions disabled (safe_mode, magic quotes,no external includes etc) so it's pretty safe i think.

Would using ssl be a huge leap in security?
0
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 88 total points
ID: 20307414
"Would using ssl be a huge leap in security?"

It should make things considerably more difficult for man-in-middle attacks, packet sniffing, etc. It won't stop holes in code from being holes in code. Faulty PHP will still be a security gap.

All https will do is make it MORE LIKELY that the line from the server to the client's browser is safe.

0
 
LVL 12

Assisted Solution

by:Rok-Kralj
Rok-Kralj earned 87 total points
ID: 20307518
If you really did everything written above, you are safe.

If you want me to check your code for holes, post it here.
0
 

Author Comment

by:dwax
ID: 20307611

Thanks to you both!  (split points).
I will talk things over with the client.
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction HTML checkboxes provide the perfect way for a web developer to receive client input when the client's options might be none, one or many.  But the PHP code for processing the checkboxes can be confusing at first.  What if a checkbox is…
This article discusses four methods for overlaying images in a container on a web page
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question