Can anyone tell me how to go about making username and passwords for a site,securely?

Can anyone tell me how to go about making username and passwords for a site, that is in a securly fashion?

Hi Jimmy,

What is your current operating system? What kind of web server software are you using? You should be able to protect file as well whole directory using .htaccess protection method on Apache web server.

Do a little research on .htaccess for further reading & understanding, hope this info helps. Good luck & Take care.

When it is just looking for a way to create userids and passwords, you can use any of the many randomizers on the web. Google for randomize passwords and you'll find functions to do that.
If you want to program them yourself, most programming languages have a randomize function that can be programmed to create these.

When you are, however, looking for a webform with which the user can login to your site securely, you will have to use a programming language, preferrably one that can access a database (i.e. a server side language). That way you can store your generated userids and passwords in the database in an encrypted way, hand it to any user requiring it and use that to authenticate that user when he/she logs in.

Ronald :cool:

Yea what they said. Here is a link to how to make one with PHP pretty easy to follow too.

HTH,
Aric

But for the example you need PEAR and use cookies (I hate cookies!).
If you need a non-PEAR, non-cookie, PHP, MySQL, using SHA1 encryption sample I'll show one.

Ronald :cool:

Quote: I'll show you one

Yup! Can you show me one?

I'd like to see as well.

Here is the sample.
[php]<?php
session_start();
// -------------------------------
// check if form is submitted
// -------------------------------
$error = false;
if (isset($_POST['_submit']) ) {
if (isset($_POST['userid']) AND isset($_POST['password'])) {
$uid = strip_tags($_POST['uid']);
$psw = strip_tags($_POST['psw']);
// ------------------------------------------------
// Check passed username and password in database
// ------------------------------------------------
// ......
// ..... connect to data base
// ......
// check existence of uid and psw in table
$res = mysql_query("SELECT * FROM authorized_users WHERE userid='$uid' AND passwd=sha1('$psw')")
or die ("SELECT error: " . mysql_error());
if (mysql_num_rows($res) != 1) {
$error = true;
}
else {
// ------------------------------------------------
// userid and psw valid, store userid in session
// ------------------------------------------------
$_SESSION['username'] = strip_tags($_POST['username']);
// ...........
// ===> continue processing valid user
// ===> ...........
}
}
else {
// ------------------------------------------------
// no userid and/or password specified, error
// ------------------------------------------------
$error = true;
}
}
// ------------------------------------------------------
// Display the login form (again)
// ------------------------------------------------------
print "<form name='authForm' method='POST' action='".$_SERVER['PHP_SELF']."'>";
if ($error == true) {
print "<p style='font-weight:bold;color:red'>You have entered an invalid userid and/or password - try again</p>";
}
print "Username&nbsp;<input type='text' name='uid' value='$uid'> <br />";
print "Password&nbsp;<input type='password' name='psw' value='$psw'> <br />";
print '<input type="submit" name="login" value="Login" />';
print '<input type="hidden" name="_submit" value="1"/>';
print '</form>';
?>[/php]
Ronald :cool:

Ronald,

I'm not a PHP expert so let me ask you a qestion. (Nice easy example to follow BTW) why do you strip the tags when you're working with the post. Does php return more than the field value? Lastly, when you are checking the password agains the DB you use shal() what are you doing with that line. Nice tut!

Aric

Ronald,

I'm not a PHP expert so let me ask you a qestion. (Nice easy example to follow BTW) why do you strip the tags when you're working with the post. Does php return more than the field value? Lastly, when you are checking the password agains the DB you use shal() what are you doing with that line. Nice tut!

Aric

Anything that comes from outside should be mistrusted, especially the global arrays. Assume that I send a parm string to your application using POST, like you can do in Curl. Then I could hide some very nasty code in that string. Here an oversimplified example:
Suppose I would count on you not clipping the string or not putting it between quotation marks. I could send via curl in a POST:
you would execute the sql statement:
that will be translated as:
and it will always be correct, so I am always logged in.
Now this is oversimplified, because you also always MUST also check the format of incoming parms if you can. In my own code I always check the maxlength of the input parms and existence of only nums and alpha chars, nothing else, in such a string. But that is implementation-dependent.
But think what you could do with such a statement with a delete:
that would result in:
That would effectively delete all your rows!

I hope it is a bit more clear why you must always sanitize your input, even when you think it can do no harm. Because it can, like here doing a POST via curl.

Ronald :cool:

SHA1 is one of the many encryption methods you can use.
When I generate a password, I would store it like:
I will give the mypass to the user. When he logs in with his password 'mypass' I verify by (using the posted variables in n$uid and $pass):
Now even if you could look into the table field password, you only see a 40-byte encrypted version. Even the sysadmin cannot see the original password. That is, when you lose your password, the admin cannot even give it to you, if he wanted, but has to generate a new one.

Ronald :cool:

Very nice! I've read that in PHP doing table inserts via the $_POST is a huge security risk, that example is clear as day! Thanks Ron!

You are most welcome.

Ronald :cool: