473,890 Members | 1,380 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Can anyone tell me how to go about making username and passwords for a site,securely?

8 New Member
Can anyone tell me how to go about making username and passwords for a site, that is in a securly fashion?
Nov 18 '06 #1
12 2607
sashi
1,754 Recognized Expert Top Contributor
Can anyone tell me how to go about making username and passwords for a site, that is in a securly fashion?
Hi Jimmy,

What is your current operating system? What kind of web server software are you using? You should be able to protect file as well whole directory using .htaccess protection method on Apache web server.

Do a little research on .htaccess for further reading & understanding, hope this info helps. Good luck & Take care.
Nov 19 '06 #2
ronverdonk
4,258 Recognized Expert Specialist
When it is just looking for a way to create userids and passwords, you can use any of the many randomizers on the web. Google for randomize passwords and you'll find functions to do that.
If you want to program them yourself, most programming languages have a randomize function that can be programmed to create these.

When you are, however, looking for a webform with which the user can login to your site securely, you will have to use a programming language, preferrably one that can access a database (i.e. a server side language). That way you can store your generated userids and passwords in the database in an encrypted way, hand it to any user requiring it and use that to authenticate that user when he/she logs in.

Ronald :cool:
Nov 21 '06 #3
AricC
1,892 Recognized Expert Top Contributor
Yea what they said. Here is a link to how to make one with PHP pretty easy to follow too.

HTH,
Aric
Nov 21 '06 #4
ronverdonk
4,258 Recognized Expert Specialist
But for the example you need PEAR and use cookies (I hate cookies!).
If you need a non-PEAR, non-cookie, PHP, MySQL, using SHA1 encryption sample I'll show one.

Ronald :cool:
Nov 21 '06 #5
moishy
104 New Member
Quote: I'll show you one

Yup! Can you show me one?
Nov 22 '06 #6
AricC
1,892 Recognized Expert Top Contributor
I'd like to see as well.
Nov 22 '06 #7
ronverdonk
4,258 Recognized Expert Specialist
Here is the sample.
[php]<?php
session_start() ;
// -------------------------------
// check if form is submitted
// -------------------------------
$error = false;
if (isset($_POST['_submit']) ) {
if (isset($_POST['userid']) AND isset($_POST['password'])) {
$uid = strip_tags($_PO ST['uid']);
$psw = strip_tags($_PO ST['psw']);
// ------------------------------------------------
// Check passed username and password in database
// ------------------------------------------------
// ......
// ..... connect to data base
// ......
// check existence of uid and psw in table
$res = mysql_query("SE LECT * FROM authorized_user s WHERE userid='$uid' AND passwd=sha1('$p sw')")
or die ("SELECT error: " . mysql_error());
if (mysql_num_rows ($res) != 1) {
$error = true;
}
else {
// ------------------------------------------------
// userid and psw valid, store userid in session
// ------------------------------------------------
$_SESSION['username'] = strip_tags($_PO ST['username']);
// ...........
// ===> continue processing valid user
// ===> ...........
}
}
else {
// ------------------------------------------------
// no userid and/or password specified, error
// ------------------------------------------------
$error = true;
}
}
// ------------------------------------------------------
// Display the login form (again)
// ------------------------------------------------------
print "<form name='authForm' method='POST' action='".$_SER VER['PHP_SELF']."'>";
if ($error == true) {
print "<p style='font-weight:bold;col or:red'>You have entered an invalid userid and/or password - try again</p>";
}
print "Username&nbsp; <input type='text' name='uid' value='$uid'> <br />";
print "Password&nbsp; <input type='password' name='psw' value='$psw'> <br />";
print '<input type="submit" name="login" value="Login" />';
print '<input type="hidden" name="_submit" value="1"/>';
print '</form>';
?>[/php]
Ronald :cool:
Nov 22 '06 #8
AricC
1,892 Recognized Expert Top Contributor
Ronald,

I'm not a PHP expert so let me ask you a qestion. (Nice easy example to follow BTW) why do you strip the tags when you're working with the post. Does php return more than the field value? Lastly, when you are checking the password agains the DB you use shal() what are you doing with that line. Nice tut!

Aric
Nov 22 '06 #9
ronverdonk
4,258 Recognized Expert Specialist
Ronald,

I'm not a PHP expert so let me ask you a qestion. (Nice easy example to follow BTW) why do you strip the tags when you're working with the post. Does php return more than the field value? Lastly, when you are checking the password agains the DB you use shal() what are you doing with that line. Nice tut!

Aric
Anything that comes from outside should be mistrusted, especially the global arrays. Assume that I send a parm string to your application using POST, like you can do in Curl. Then I could hide some very nasty code in that string. Here an oversimplified example:
Suppose I would count on you not clipping the string or not putting it between quotation marks. I could send via curl in a POST:
Expand|Select|Wrap|Line Numbers
  1. login.php?userid='myname OR 1=1'
you would execute the sql statement:
Expand|Select|Wrap|Line Numbers
  1. SELECT uid FROM table WHERE userid=$_POST['userid']
that will be translated as:
Expand|Select|Wrap|Line Numbers
  1. SELECT uid FROM table WHERE userid=myname OR 1=1
and it will always be correct, so I am always logged in.
Now this is oversimplified, because you also always MUST also check the format of incoming parms if you can. In my own code I always check the maxlength of the input parms and existence of only nums and alpha chars, nothing else, in such a string. But that is implementation-dependent.
But think what you could do with such a statement with a delete:
Expand|Select|Wrap|Line Numbers
  1. delete.php?userid='myname OR 1=1'
that would result in:
Expand|Select|Wrap|Line Numbers
  1. DELETE FROM table WHERE userid=myname OR 1=1
That would effectively delete all your rows!

I hope it is a bit more clear why you must always sanitize your input, even when you think it can do no harm. Because it can, like here doing a POST via curl.

Ronald :cool:
Nov 22 '06 #10

Sign in to post your reply or Sign up for a free account.

Similar topics

5
12098
by: Stone | last post by:
I have a compiled Pcode VB6 application with 1 published and 9 never-published alphanumeric string contants embedded in the program for passwords. The code simply has lines like this in a FORM to use as a cheap access match. A(1)= "sbddy-ttqxfg A(2)= "hidvh-deehg I started getting 50 downloads an hour and traced this back to a site
4
6087
by: Lobang Trader | last post by:
Hi all, I am trying to create a username and a password class. I would like to know what are the RECOMMENDED minimum and maximum length for both fields? These fields will be something like this: private static final int DEFAULT_MINIMUM_LENGTH = ??????
162
7347
by: Isaac Grover | last post by:
Hi everyone, Just out of curiosity I recently pointed one of my hand-typed pages at the W3 Validator, and my hand-typed code was just ripped to shreds. Then I pointed some major sites (microsoft.com, cnn.com, etc.) at the W3 Validator; to my surprise none of them passed. Doesn't anyone care anymore, or are the standards more-or-less looked at as guidlines for web design?
14
2556
by: Brent Burkart | last post by:
I am trying to capture the Windows Authenticated username, but I want to be able to capture the login name that exists in IIS, not Windows. In order to enter my company's intranet through the internet, they have to login. I want to be able to capture that login versus their Windows login because I need to know who they are from any computer rather than only their computer. Any ideas? Thanks
1
2179
by: Grey | last post by:
Can I use the domain username and password with VSS authentication?? I want to user the domain username and password to authorize the credential of VSS, but I don't want to do anything the Domain AD. What can I do?? I learnt from VSS FAQ in microsoft website that "Can a network password be used to log onto Microsoft Visual SourceSafe 6.0 automatically? Yes, the passwords are controlled by the SourceSafe Administrator and the utility...
11
4658
by: Alan Silver | last post by:
Hello, I am just planning a new ASP.NET site, and wondered about the best way to handle the following common scenario... The site has the option that registered users can log in and will have access to extra features. The log in form is a simple username/password affair that will appear in the margin of every page if they aren't yet logged in. If they are logged in, their user name will be shown, along with a button to log out.
1
3609
by: Andrew | last post by:
Hello, friends, I am implementing web app security using asp.net 1.1, and I found the following source code from Yahoo! Mail login page: <form method="post" action="https://login.yahoo.com/config/login?" autocomplete="off" name="login_form"> <input type="hidden" name=".tries" value="1"> <input type="hidden" name=".src" value="ym"> <input type="hidden" name=".md5" value="">
19
2460
by: Cord-Heinrich Pahlmann | last post by:
Hi, I have written a tool wich de/encrypts a few of my forum and bloggin-Passwords. My question is how secure it is. The following describes how I have encrypted my passwords. When I log in, the Login-Password is changed into a md5-Hash and is compared to the login-password in the db. If the passwords are the same the use is logged in (common procedure). Then the clear-text
8
16704
by: Bruno Barros | last post by:
Hey there. I'm currently working on an intranet, and would like to know how I can get the windows usernames of the visitors. You can get their IP with $_SERVER; But what about their Windows Username? Is there any way of doing so? Through the Intranet?
0
9979
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, weíll explore What is ONU, What Is Router, ONU & Routerís main usage, and What is the difference between ONU and Router. Letís take a closer look ! Part I. Meaning of...
0
9825
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
11234
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
10828
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
10925
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
7171
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5854
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
6052
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
4682
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.