Simple login system 
Site Admin

Joined: Sat Nov 22, 2008 3:41 pm
Posts: 512
Post Simple login system
Well joey wanted a login system for the website i made for him so i quickly made one.. So here's the code :).

It relies on the client having the same ip as the cookie it has (Securing the website from cookies thieves...)

The security.php
Code:
<?php
$password = "your password here";

$ip = $_SERVER["REMOTE_ADDR"];
// the array key must be quoted; a bare word is treated as an undefined constant
$pass = isset($_POST['password']) ? $_POST['password'] : "";
if ($pass === $password){
// cookie names cannot contain spaces: setcookie() refuses them, and PHP would
// expose the name as "japie_is_a_tool" in $_COOKIE anyway, so use the underscore form
setcookie("japie_is_a_tool", $ip , time()+3600);
echo 'Access Granted, Redirecting to Japies resume in 5 seconds <META HTTP-EQUIV="Refresh"
      CONTENT="5; URL=index.php"><br>';
} else if ($pass == ""){
echo "";
}
else if ($pass != $password){
echo "<br>Invalid Password!<br>";
}

// the cookie is only present on requests after the one that set it
$cookie = isset($_COOKIE["japie_is_a_tool"]) ? $_COOKIE["japie_is_a_tool"] : "";

$submit ='<form  action="security.php" method="post">
Password: <input name="password" type="password" id="password" size="40" maxlength="40" />
<input type="submit" value="Submit" name="submit" /></form>';

if ($ip == $cookie ){
echo 'You are Already logged in and dont need to login again!<br>Redirecting to Japies Resume in 5 seconds..
<META HTTP-EQUIV="Refresh"
      CONTENT="5; URL=index.php">';

} else if ($ip != $cookie ){
echo $submit;
}
echo '<br><br><br> Security Page Coded by Matthew Vlietstra';
?>


And the index.php or other files you wish to secure (just add the heading).
Code:
<?php
$ip = $_SERVER["REMOTE_ADDR"];

// same underscore cookie name as security.php; spaces are not allowed in cookie names
$cookie = isset($_COOKIE["japie_is_a_tool"]) ? $_COOKIE["japie_is_a_tool"] : "";

if ($ip != $cookie ){
echo '<META HTTP-EQUIV="Refresh"
      CONTENT="1; URL=security.php">';
die;

}


Note I made this pretty quickly so if you do see any flaws please point them out.. however Im pretty sure there aren't...

_________________
http://slightly-broken.com has a total of 569040 download links, from 12 different websites; the pie graph below compares the amount of unmetered downloads these websites have.


Mon Apr 06, 2009 6:01 pm
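The cookie in the post above holds the client's own IP address, a value the client already knows, so the index.php check shows only that the visitor sent a cookie, not that the password was ever entered. The usual fix is to keep the login state server-side in a PHP session and to store a password hash rather than the password. The following is an added example written for this thread, not the thread's own code; it assumes a single shared site password (as in the post), that the hash is generated once from the command line and pasted into STORED_HASH, that the file lives outside the web root, and that security.php (the login form) and index.php (the protected page) both require it.

```php
<?php
// auth.php: added example, not the thread's code. Replaces the IP-in-a-cookie check
// with a server-side PHP session and a hashed site password.
// Assumptions: one shared password, STORED_HASH generated with `php auth.php 'pass'`,
// file kept outside the web root and require'd by security.php and index.php.

declare(strict_types=1);

// Constructed placeholder; replace with the output of `php auth.php 'your password here'`.
// password_hash() picks a random salt for you, so the same password hashes differently each run.
const STORED_HASH = '$2y$10$REPLACE_ME_WITH_THE_OUTPUT_OF_password_hash';
const SESSION_TTL = 3600; // seconds; matches the one hour the original cookie used

// Start the session with its cookie hardened: not readable by scripts, HTTPS only,
// not sent with cross-site requests. Safe to call more than once per request.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Returns true and establishes the logged-in session when $submitted matches STORED_HASH.
function attempt_login(string $submitted): bool
{
    start_secure_session();
    if (!password_verify($submitted, STORED_HASH)) {
        return false;
    }
    session_regenerate_id(true);          // fresh id after login; defeats session fixation
    $_SESSION['logged_in']  = true;
    $_SESSION['login_time'] = time();
    return true;
}

// Removes all login state for this visitor.
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}

// True when the session carries a valid, unexpired login.
function is_logged_in(): bool
{
    start_secure_session();
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['login_time'])) {
        return false;
    }
    if (time() - (int) $_SESSION['login_time'] > SESSION_TTL) {
        logout();
        return false;
    }
    return true;
}

// Put this at the top of every protected page instead of the IP comparison.
function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: security.php');
        exit;
    }
}

// Run from the command line to generate STORED_HASH: php auth.php 'your password here'
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo password_hash($argv[1], PASSWORD_DEFAULT), PHP_EOL;
}

// Usage (hypothetical files):
// security.php:
//   require __DIR__ . '/../auth.php';
//   if ($_SERVER['REQUEST_METHOD'] === 'POST' && attempt_login($_POST['password'] ?? '')) {
//       header('Location: index.php'); exit;
//   }
//   // ...then print the password form (and "Invalid Password!" after a failed POST)
// index.php and every other protected page:
//   require __DIR__ . '/../auth.php';
//   require_login();
```

Nothing secret is sent to the browser: the session cookie is a random id that maps to server-side state, so there is no value the client could construct to skip the password step, and the `secure`/`httponly`/`samesite` flags limit where that id can be read or replayed. The password itself never appears in the file, which also blunts the source-disclosure scenario raised later in this thread.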
1337

Joined: Fri Feb 20, 2009 9:42 pm
Posts: 147
Location: Kalgoorlie
Post Re: Simple login system
Quote:
Code:
$cookie = $_COOKIE["japie is a tool is a tool"];


:lol: :lol:

_________________
Ghostrider_2020
Coolermaster Storm Scout, AMD Athlon II X2 6000+ 3.1GHz, Asus M3N-HD HDMI, 4GB DDR2 800Mhz, Asus nVidia 9800 GT 1GB GDDR3, 1x Samsung HD501HJ 500GB SATA II, 1x WD EAVS 1TB SATA II, 2x WD EADS 1.5TB SATA II, 1x WD 400GB IDE, Total 4.9TB =]. LG DVD Burner, LG W2252 22" LCD, Acer 15" LCD, ThermalTake EVO_Blue 650W PSU, Logitech G9x, Logitech G15, 2x 120mm Delta 252CFM Fans, 1x 140mm Xigmatek Orange Fan, 2x UV Neons, 4x 3mm UV LEDs.
<Custom Built>


Wed Apr 15, 2009 10:52 am
ghay

Joined: Fri Jul 24, 2009 10:47 pm
Posts: 4
Post Re: Simple login system
One of the major issues with what you've done is that the password is being stored in plain text, which becomes really nasty if someone manages to {a} find an SQL injection vulnerability that allows them to dump the users table (thus giving them every user's password - how many sites do you use the same username/password combo on?), {b} manage to get their hands on a backup SQL dump, or {c} manage to break into the SQL server itself*.

The passwords need to be encrypted one-way (or hashed) before they are stored so that if your user data is exposed, you will keep them at least partially safe. The problem with this is that the most common and easy hash system (MD5) has large, searchable rainbow tables on the internet, making finding the original password from the hash much easier.

To stop THIS happening, you need to salt the passwords before you hash them.

By salt, I mean add a set of characters that are only known to the website owner to the password before hashing and storing it. This makes the password longer and more complex, making even easy passwords difficult to find.

Essentially, you need to have something like this:

Code:
// single quotes: in double quotes PHP would interpolate $QRQR as a variable and silently drop it
$salt = 'C*CEGYIEW(*#$QRQR)*!#R#*R@`12345678+_)(*&^%$#@!].;Y(RE';
$password = "your pre-salted, hashed password here";

$pass = md5($salt . $_POST['password'] . $salt);

// === rather than ==: a loose comparison treats hex digests such as "0e123..." as numbers
if ($pass === $password){
setcookie("japie_is_a_tool_is_a_tool", $ip , time()+3600); // no spaces in cookie names
...



With a salt that long, and applying it twice, it doesn't really matter if other people find out what it is, because it will never show up on the rainbow tables in a million years.


*This is assuming, of course, that you will eventually want a multi-user system, or want to store the p/w in a database to make it easier to change. Of course, if your web server or php interpreter coughs, you could be presented with the php code instead of it being parsed, giving you the same kind of password theft issues. Never leave passwords in plain text ;)


Fri Jul 24, 2009 11:07 pm
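The post above contrasts storing a bare md5 with md5 over a long site-wide secret. As an added example, not ghay's or the thread's code, the script below puts the schemes side by side on a constructed password ('password1'; the secret string is the one from the post) and adds the per-password random salt plus slow hash that password_hash() provides. The site-wide secret defeats precomputed tables, as the post says, but md5 is fast enough that weak passwords can still be guessed, and every account depends on the same secret; a per-password salt with bcrypt addresses both points. Comparisons use hash_equals() so they take the same time whether or not the digests match.

```php
<?php
// Added example for the salting discussion; not code from the thread.
// All values below are constructed for the demonstration.

declare(strict_types=1);

// Unsalted md5: two users with the same password get the same digest, and
// common passwords are found in precomputed (rainbow) tables.
function hash_unsalted(string $password): string
{
    return md5($password);
}

// The post's scheme: a long secret known only to the site, prepended and appended
// (usually called a pepper today). Generic tables no longer apply, but every
// account shares the secret, so a leak of the php source (as the post warns) undoes it.
function hash_with_site_secret(string $password, string $secret): string
{
    return md5($secret . $password . $secret);
}

// Per-password random salt stored inside the hash string, plus a deliberately
// slow algorithm (bcrypt). Nothing shared, nothing to precompute, and each guess
// costs 2^12 rounds at cost 12.
function hash_per_user(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Constant-time verification for the md5 schemes; == on strings (as in the thread)
// is not, and also compares numeric-looking digests as numbers.
function verify_with_site_secret(string $submitted, string $stored, string $secret): bool
{
    return hash_equals($stored, hash_with_site_secret($submitted, $secret));
}

function verify_per_user(string $submitted, string $stored): bool
{
    return password_verify($submitted, $stored);
}

// Demonstration on constructed values.
$secret = 'C*CEGYIEW(*#$QRQR)*!#R#*R@`12345678+_)(*&^%$#@!].;Y(RE'; // the post's example secret
$pw     = 'password1';

printf("unsalted md5        : %s\n", hash_unsalted($pw));
$stored = hash_with_site_secret($pw, $secret);
printf("site-secret md5     : %s\n", $stored);
printf("  verify correct    : %s\n", var_export(verify_with_site_secret($pw, $stored, $secret), true));
printf("  verify wrong case : %s\n", var_export(verify_with_site_secret('Password1', $stored, $secret), true));

$h1 = hash_per_user($pw);
$h2 = hash_per_user($pw);
printf("bcrypt (run 1)      : %s\n", $h1);
printf("bcrypt (run 2)      : %s  <- differs: random salt embedded\n", $h2);
printf("  verify correct    : %s\n", var_export(verify_per_user($pw, $h1), true));
printf("  verify wrong case : %s\n", var_export(verify_per_user('Password1', $h1), true));
```

Run it with `php salting_demo.php`. The two bcrypt lines differ although the password is the same, which is the property the post is reaching for with its long secret: an attacker with the hash list cannot look the digest up, and with bcrypt cannot cheaply recompute it either. Note that `password_verify()` reads the salt and cost back out of the stored string, so no separate salt column is needed.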
Site Admin

Joined: Sat Nov 22, 2008 3:41 pm
Posts: 512
Post Re: Simple login system
Firstly, for this system I wasn't using a database.
So
A) users won't be able to use SQL injection to acquire usernames + passwords because the passwords are stored in the PHP file. Therefore no SQL dumps.
B) I try to use different passwords for all the sites I register on, as well as changing my email password regularly - I am fully aware of password management.
C) I am fully aware of encryption methods, md5. I was going to encrypt the cookie that this script outputted but laziness overcame me; I am also familiar with salting passwords and have done this multiple times for websites I've created.

*I created this script in like 5-10 mins for a friend's temp resume website... It didn't really require too much more coding.. this was sufficient.. but ya I suppose I should have implemented more security, which I normally do for DB based websites.

Anyways nuff of me defending my code :)
Do you reside in Kalgoorlie? Or are you someone who stumbled upon this forum?



Sat Jul 25, 2009 4:18 pm
ghay

Joined: Fri Jul 24, 2009 10:47 pm
Posts: 4
Post Re: Simple login system
No, I'm from Esperance - I was pointed here by a member from Norseman.


Sat Jul 25, 2009 8:48 pm
Site Admin

Joined: Sat Nov 22, 2008 3:41 pm
Posts: 512
Post Re: Simple login system
Quote:
No, I'm from Esperance - I was pointed here by a member from Norseman.

Ah ic.
Well welcome to Kalgaming...

Sorry that I'm being so rude...
Well anyways, so like how long have you been doing PHP/web design? And like what websites have you created/managed?



Sat Jul 25, 2009 8:56 pm
ghay

Joined: Fri Jul 24, 2009 10:47 pm
Posts: 4
Post Re: Simple login system
I don't do much in the design, I generally make the design a page, and do the backend coding - most of the stuff is on school intranets.

I've owned/managed/run highly customised phpBB boards, provided live support for phpBB online (IRC), and I've been programming since the year before I was in year 5. I've been doing web design for 10 years, and PHP for 6 years, but I have coded in:

  • BASIC/qBASIC/Apple BASIC/Visual BASIC
  • Delphi
  • C/C++/C#
  • Java
  • Python
  • Javascript
  • PHP
  • mIRC Script
  • VBScript (asp)
  • Bash/DOS and various other scripting languages
...and I've developed databases in Access and mySQL.

And I have a big thing about security and plaintext passwords ;)


Mon Jul 27, 2009 7:02 pm
Site Admin

Joined: Sat Nov 22, 2008 3:41 pm
Posts: 512
Post Re: Simple login system
Magilla wrote:
I don't do much in the design, I generally make the design a page, and do the backend coding - most of the stuff is on school intranets.

I've owned/managed/run highly customised phpBB boards, provided live support for phpBB online (IRC), and I've been programming since the year before I was in year 5. I've been doing web design for 10 years, and PHP for 6 years, but I have coded in:

  • BASIC/qBASIC/Apple BASIC/Visual BASIC
  • Delphi
  • C/C++/C#
  • Java
  • Python
  • Javascript
  • PHP
  • mIRC Script
  • VBScript (asp)
  • Bash/DOS and various other scripting languages
...and I've developed databases in Access and mySQL.

And I have a big thing about security and plaintext passwords ;)



Very very nice.. hehe's I've only been doing PHP for like less than a year, and HTML for a little more.. but ya I'm kind of lazy, so don't do too much...

Ya fair enough.. hehe's well ya like I don't mind if it's in PHP, at least no one can see it.. unless I gain access to ur server or something... but ya I always secure passwords in a DB as well as securing all fields... because of SQL injection and all that..
my latest creation -> http://bargainboard.kalgaming.net
well one of them.. still has heaps of work to do.



Mon Jul 27, 2009 7:58 pm
ghay

Joined: Fri Jul 24, 2009 10:47 pm
Posts: 4
Post Re: Simple login system
If the php processor burps, it will spit out the entire php code in plain text, including any and all variables.

just so you know ;)

Edit: any reason that you're using cookies rather than php sessions?


Mon Jul 27, 2009 9:17 pm
Site Admin

Joined: Sat Nov 22, 2008 3:41 pm
Posts: 512
Post Re: Simple login system
It does? lol... ok well then.. that's something I haven't heard of..
Ya I never really went into using sessions (haven't tried them, but have heard of them)...



Mon Jul 27, 2009 9:25 pm
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.