Login Script

Jmz · 10-27-2007, 12:03 PM

Can anybody point me in the direction of a tutorial that shows you how to make a good, secure login script? All the ones I seem to find have people commenting that they are insecure for one reason or another so I would like to see how to do it properly :)

daz · 10-27-2007, 02:01 PM

I have a lot of experience with PHP/MySQL logins. I'll try to write a tutorial for you later.

Jmz · 10-27-2007, 03:13 PM

That would be great, thanks a lot :D

Wildhoney · 10-27-2007, 10:24 PM

I'd be tempted to construct my login SQL like so:

Code:

$szUsername = 'Wildhoney';
$szPassword = 'myHardToGuessPassword';

$szSQL = sprintf("	SELECT
				@myPassword:= MD5('%s'),
				IF(myUsername = '%s', myUsername, NULL) AS myUsername,
				IF(myPassword = @myPassword, myPassword, NULL) AS myPassword
			FROM
				myTable
			WHERE
				myUsername = '%s'
			AND
				myPassword = @myPassword)",
			$szPassword,
			$szUsername,
			$szUsername);

Therefore if anyone does happen to manage to inject SQL into your query, it'll simply result in a MySQL error, and they won't actually get anywhere.

Karl · 10-28-2007, 01:24 PM

Surely that way is less secure than the usual SQL statement as you'll be transmitting the password as clear text, whereas usually you'd md5 it in PHP and send it encrypted.

You're also repeating $szUsername in your sprintf arguments, tut tut :P

Seriously though, I don't understand how that method is more secure than the standard approach (assuming you filter and escape data correctly, of course)? Just seems like more work for the same outcome.

Jmz · 10-28-2007, 02:18 PM

lol see what I mean :p

I just want a nice tutorial I can use that will show me how to do a secure login with no problems :D lol.

Jmz · 10-29-2007, 10:39 AM

Anybody lol? :D

Wildhoney · 10-29-2007, 12:09 PM

If you wanted to be really secure then you'd MD5 the password before you sent it to the server using Javascript. Apologies for confusing you JMZ, but I think Daz said he was writing you a little guide :) !

Karl · 10-29-2007, 01:06 PM

Hi Jmz, as a general rule, for a secure application you should always filter input and escape output (you'll hear that tip again and again). Basically, that means that if you're expecting a string from a form, ensure the data you get really is a string. If you're outputting data to a database, make sure you escape it first using mysql_escape_string(). Following these two rules will make your application a lot more secure.

So let's say that you are expecting szUsername and szPassword from $_POST, you could filter these using the built in filter functions:

PHP Code:


			
$aFilterOptions = array
(
    'szEmail'           => FILTER_SANITIZE_EMAIL,
    'szPassword'    => FILTER_SANITIZE_STRING
);

$aFiltered = filter_input_array(INPUT_POST, $aFilterOptions);

Then you simply escape the values before using them in your query, such as:

PHP Code:


			
$szSql = sprint("    SELECT 
                        * 
                    FROM 
                        members 
                    WHERE 
                        username = '%s' AND
                        password = '%s'",
                    mysql_escape_string($aFiltered['szUsername']),    
                    mysql_escape_string($aFiltered['szPassword']))

daz · 10-31-2007, 12:10 PM

Hi Jmz,

Unfortunately I couldn't write a tutorial but you can try this script:

http://www.talkphp.com/showthread.php?p=3536

Tanax · 11-17-2007, 01:09 PM

Quote:

Originally Posted by Karl

Hi Jmz, as a general rule, for a secure application you should always filter input and escape output (you'll hear that tip again and again). Basically, that means that if you're expecting a string from a form, ensure the data you get really is a string. If you're outputting data to a database, make sure you escape it first using mysql_escape_string(). Following these two rules will make your application a lot more secure.

So let's say that you are expecting szUsername and szPassword from $_POST, you could filter these using the built in filter functions:

PHP Code:


			
$aFilterOptions = array

(

    'szEmail'           => FILTER_SANITIZE_EMAIL,

    'szPassword'    => FILTER_SANITIZE_STRING

);



$aFiltered = filter_input_array(INPUT_POST, $aFilterOptions);

Then you simply escape the values before using them in your query, such as:

PHP Code:


			
$szSql = sprint("    SELECT 

                        * 

                    FROM 

                        members 

                    WHERE 

                        username = '%s' AND

                        password = '%s'",

                    mysql_escape_string($aFiltered['szUsername']),    

                    mysql_escape_string($aFiltered['szPassword']))

You didn't use username in the $aFilterOptions.

But anyways, does the fieldname have to the same as the ones used in the array $aFilterOptions ??

So if you have

PHP Code:


			
$aFilterOptions = array(



'email' => blablabla whatever



);

You have to have like this?

HTML Code:

<form action="ble.php" method="POST">
<input type="text" name="email">
</form>

??