Can anyone tell me how to go about making username and passwords for a site, that is in a securly fashion?
12 2569
Can anyone tell me how to go about making username and passwords for a site, that is in a securly fashion?
Hi Jimmy,
What is your current operating system? What kind of web server software are you using? You should be able to protect file as well whole directory using .htaccess protection method on Apache web server.
Do a little research on .htaccess for further reading & understanding, hope this info helps. Good luck & Take care.
When it is just looking for a way to create userids and passwords, you can use any of the many randomizers on the web. Google for randomize passwords and you'll find functions to do that.
If you want to program them yourself, most programming languages have a randomize function that can be programmed to create these.
When you are, however, looking for a webform with which the user can login to your site securely, you will have to use a programming language, preferrably one that can access a database (i.e. a server side language). That way you can store your generated userids and passwords in the database in an encrypted way, hand it to any user requiring it and use that to authenticate that user when he/she logs in.
Ronald :cool:
Yea what they said. Here is a link to how to make one with PHP pretty easy to follow too.
HTH,
Aric
But for the example you need PEAR and use cookies (I hate cookies!).
If you need a non-PEAR, non-cookie, PHP, MySQL, using SHA1 encryption sample I'll show one.
Ronald :cool:
Quote: I'll show you one
Yup! Can you show me one?
Here is the sample.
[php]<?php
session_start();
// -------------------------------
// check if form is submitted
// -------------------------------
$error = false;
if (isset($_POST['_submit']) ) {
if (isset($_POST['userid']) AND isset($_POST['password'])) {
$uid = strip_tags($_POST['uid']);
$psw = strip_tags($_POST['psw']);
// ------------------------------------------------
// Check passed username and password in database
// ------------------------------------------------
// ......
// ..... connect to data base
// ......
// check existence of uid and psw in table
$res = mysql_query("SELECT * FROM authorized_users WHERE userid='$uid' AND passwd=sha1('$psw')")
or die ("SELECT error: " . mysql_error());
if (mysql_num_rows($res) != 1) {
$error = true;
}
else {
// ------------------------------------------------
// userid and psw valid, store userid in session
// ------------------------------------------------
$_SESSION['username'] = strip_tags($_POST['username']);
// ...........
// ===> continue processing valid user
// ===> ...........
}
}
else {
// ------------------------------------------------
// no userid and/or password specified, error
// ------------------------------------------------
$error = true;
}
}
// ------------------------------------------------------
// Display the login form (again)
// ------------------------------------------------------
print "<form name='authForm' method='POST' action='".$_SERVER['PHP_SELF']."'>";
if ($error == true) {
print "<p style='font-weight:bold;color:red'>You have entered an invalid userid and/or password - try again</p>";
}
print "Username <input type='text' name='uid' value='$uid'> <br />";
print "Password <input type='password' name='psw' value='$psw'> <br />";
print '<input type="submit" name="login" value="Login" />';
print '<input type="hidden" name="_submit" value="1"/>';
print '</form>';
?>[/php]
Ronald :cool:
Ronald,
I'm not a PHP expert so let me ask you a qestion. (Nice easy example to follow BTW) why do you strip the tags when you're working with the post. Does php return more than the field value? Lastly, when you are checking the password agains the DB you use shal() what are you doing with that line. Nice tut!
Aric
Ronald,
I'm not a PHP expert so let me ask you a qestion. (Nice easy example to follow BTW) why do you strip the tags when you're working with the post. Does php return more than the field value? Lastly, when you are checking the password agains the DB you use shal() what are you doing with that line. Nice tut!
Aric
Anything that comes from outside should be mistrusted, especially the global arrays. Assume that I send a parm string to your application using POST, like you can do in Curl. Then I could hide some very nasty code in that string. Here an oversimplified example:
Suppose I would count on you not clipping the string or not putting it between quotation marks. I could send via curl in a POST: - login.php?userid='myname OR 1=1'
you would execute the sql statement: - SELECT uid FROM table WHERE userid=$_POST['userid']
that will be translated as: - SELECT uid FROM table WHERE userid=myname OR 1=1
and it will always be correct, so I am always logged in.
Now this is oversimplified, because you also always MUST also check the format of incoming parms if you can. In my own code I always check the maxlength of the input parms and existence of only nums and alpha chars, nothing else, in such a string. But that is implementation-dependent.
But think what you could do with such a statement with a delete: - delete.php?userid='myname OR 1=1'
that would result in: - DELETE FROM table WHERE userid=myname OR 1=1
That would effectively delete all your rows!
I hope it is a bit more clear why you must always sanitize your input, even when you think it can do no harm. Because it can, like here doing a POST via curl.
Ronald :cool:
SHA1 is one of the many encryption methods you can use.
When I generate a password, I would store it like: - INSERT INTO table userid='xxx' password=SHA1('mypass');
I will give the mypass to the user. When he logs in with his password 'mypass' I verify by (using the posted variables in n$uid and $pass): - SELECT username FROM table WHERE userid='$uid'
-
AND password=sha1('$pass')
Now even if you could look into the table field password, you only see a 40-byte encrypted version. Even the sysadmin cannot see the original password. That is, when you lose your password, the admin cannot even give it to you, if he wanted, but has to generate a new one.
Ronald :cool:
Very nice! I've read that in PHP doing table inserts via the $_POST is a huge security risk, that example is clear as day! Thanks Ron!
You are most welcome.
Ronald :cool:
Sign in to post your reply or Sign up for a free account.
Similar topics
by: Stone |
last post by:
I have a compiled Pcode VB6 application with 1 published and 9
never-published
alphanumeric string contants embedded in the program for passwords.
The code simply has lines like this in a FORM...
|
by: Lobang Trader |
last post by:
Hi all,
I am trying to create a username and a password class.
I would like to know what are the RECOMMENDED minimum and maximum length
for both fields?
These fields will be something like...
|
by: Isaac Grover |
last post by:
Hi everyone,
Just out of curiosity I recently pointed one of my hand-typed pages at the W3
Validator, and my hand-typed code was just ripped to shreds. Then I pointed
some major sites...
|
by: Brent Burkart |
last post by:
I am trying to capture the Windows Authenticated username, but I want to be
able to capture the login name that exists in IIS, not Windows. In order to
enter my company's intranet through the...
|
by: Grey |
last post by:
Can I use the domain username and password with VSS authentication?? I want
to user the domain username and password to authorize the credential of VSS,
but I don't want to do anything the Domain...
|
by: Alan Silver |
last post by:
Hello,
I am just planning a new ASP.NET site, and wondered about the best way
to handle the following common scenario...
The site has the option that registered users can log in and will have...
|
by: Andrew |
last post by:
Hello, friends,
I am implementing web app security using asp.net 1.1, and I found the
following source code from Yahoo! Mail login page:
<form method="post"...
|
by: Cord-Heinrich Pahlmann |
last post by:
Hi,
I have written a tool wich de/encrypts a few of my forum and
bloggin-Passwords.
My question is how secure it is.
The following describes how I have encrypted my passwords.
When I log in,...
|
by: Bruno Barros |
last post by:
Hey there. I'm currently working on an intranet, and would like to
know how I can get the windows usernames of the visitors.
You can get their IP with $_SERVER;
But what about their Windows...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| | |