PHP Secure Login - Password Encryption

Question

PHP Secure Login - Password Encryption

Here is the login system for which secure login should be implemented /

main_login.php <form name="form1" method="post" action="checklogin.php"> Username:<input name="myusername" type="text" id="myusername" /> <br /> Password:<input name="mypassword" type="password" id="mypassword" /> <input type="submit" name="Submit" value="Login" /> </form>

Checklogin.php

 <?php ob_start(); $host="localhost"; // Host name $username="root"; // Mysql username $password=""; // Mysql password $db_name="cosmos"; // Database name $tbl_name="members"; // Table name // Connect to server and select databse. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // Define $myusername and $mypassword $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; // To protect MySQL injection (more detail about MySQL injection) $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "login_success.php" session_register("myusername"); session_register("mypassword"); header("location:login_success.php"); } else { echo "Wrong Username or Password"; } ob_end_flush(); ?>

login_success.php

 <?php session_start(); if(isset($_SESSION['username']) && ($_SESSION['username'] == $myusername)){ header("location:main_login.php"); } ?> <html> <body> Login Successful. <a href="logout.php">Logout</a> </body> </html>

logout.php

 <?php session_destroy(); header("location:main_login.php"); ?>

the problem is that I want to make this secure login using password encryption or in any other way (if any). I start with PHP

+7

security php password-protection login-script

Suraj thapar Aug 28 '10 at 9:18

source share

7 answers

As a beginner, most likely you do not need encryption. Especially since it will be Javascript, not PHP.
Although it can be done.
You can use a hashed call that implements the Digest authentication scheme.

server sends a call - random streaming
the client makes a hash of this task and password
this hash is sent to the server
the server does the hash in the same way and compares both

There are many implementations of the MD5 Javascript hash algorithm over the Internet.

Of course, it is preferable to use an SSL certificate for this home implementation.

But in order to get the correct answer, you still need to clarify what exactly you want to encrypt and why. And why don't you worry about something else. For example, your entire database.

Some notes for a while.
Your login_success code will either not work nor protect.
It should be easy

 if(isset($_SESSION['username'])){

because there is no $ myusername variable to compare.
And it should be exit; right after header("location:...
Or the client will receive protected content anyway

+4

Your common sense Aug 28 '10 at 9:33

source share

To make this a bit more secure, you should store the encrypted passwords in your database, and then compare the encrypted password with the saved hash. Thus, if someone somehow accesses the participants table, they cannot see the actual passwords.

Suppose the password is myPassword , and not just save it, first use it using an algorithm like md5 , then save the hash that deb1536f480475f7d593219aa1afd74c in your database. Then, when the user enters the password, hash it and compare the two hashes.

For a more secure approach, use SSL .

+2

Hamid nazari Aug 28 '10 at 9:24

source share

You can use md5 ($ password) or sha1 (password $) by inserting registration data into the table.

to match again for login

$ sql = "SELECT * FROM $ tbl_name WHERE username = '$ myusername' and password = '". md5 ($ mypassword). "'"; $ Result = mysql_query ($ SQL);

There is another way to protect further. Using a combination of sha1 and salt.

By the way, why don’t you use some kind of fast flash infrastructure, these little things are already built with them.

thanks

+2

Pramendra gupta Aug 28 '10 at 9:28

source share

You have to use

 $static_salt='asdfasdfqwertyuiop123ABC_some_static_salt_string'; $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; $mypassword=hash('sha512', $mypassword . $static_salt . $myusername);

You must store the hashed password and hash any passwords before comparing them with the saved one. md5 is not suitable for password hashing: http://uk1.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash You should also consider using salts

+2

nettux443 Mar 22 '14 at 13:17

source share

Usually you store the password hash in the database, see md5 , however this does not make it secure between the web page and the server - for this you need to use https.

There are two things here.

1. If I am a dumb user, and when I register my site, I must provide a password that could provide the same password as in other places, so your site should really store a password hash instead of the real one, so if they get hacked attackers will not get my password, which I used everywhere. To do this, you store the hash in the table of your participants, and in the request that checks that it is valid, you pass the hash instead of the real thing.

2. In accordance with http, the password will be sent from the browser to the server in plain text. If it is via the Internet, and the attacker has access to any networks between the browser and the client, then they can see the password - if you use it in the browser using javascript, the attacker can pick up the hash and possibly use it to log into your site. That is why we have https. For a low cost (especially compared to development costs), you can purchase a certificate that will provide a connection. If you do not want to do this, you can sign the certificate yourself and use it. If your hosting does not allow you to use a certificate, you can probably create a home brew solution, but it is much better to just find another hosting.

+1

Adam butler Aug 28 '10 at 9:24

source share

md5 would be best in this case. Run the input data, such as password, through the MD5 function and paste it into your database.

It is almost impossible to use, so the only way to use it is to use MD5 to log in and map the md5 password from logging in to the version stored in the database.

0

Christopher shaw Sep 24 '14 at 8:31

source share

phpPig · Accepted Answer · 2010-08-28T09:35:30+0000

You can encrypt the password to the extent using md5. You will need md5 password from the moment of user registration and before entering md5 ....

Example: // Define $myusername and $mypassword $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; $mypassword = md5($mypassword); // Define $myusername and $mypassword $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; $mypassword = md5($mypassword);

You will also need to use this every time a user signs it.

PHP Secure Login - Password Encryption

More articles: