7 Replies - 942 Views - Last Post: 30 October 2011 - 01:44 AM

#1 serunox

Question on login security with php and mysql

Posted 16 October 2011 - 11:52 PM

I hope this is in the right place; it's got to do with PHP and MySQL. A little background quickly.
For my next assignment I need to create a website that requires users to register and log in. I have a database with users, products, purchases etc. At the moment I have my users' login details in a table and the passwords are encrypted.

Currently, my script takes the entered details for the login and compares them to the stored details. If a match is found a session is created and the user is logged in. If not, I redirect the user to the login page again. I'll also use the user's details to look for any purchases the user made and provide a checkout function to buy products.

My question is, what is a good way for this login scenario?

Use it like I do now, or use .htaccess for the site?

I won't have access to the server itself, so I'd need to use .htaccess and not httpd.conf.

Or place the database in a password-protected area, with just me and, let's say, "admin" able to access the database itself, to ensure that someone doesn't get the password file, and then use the login script I'm currently using?

Hope you all understand what I'm trying to say; if not, let me know and I'll try again.


Replies To: Question on login security with php and mysql

#2 macosxnerd101

Re: Question on login security with php and mysql

Posted 17 October 2011 - 06:30 AM

Rather than encrypting the passwords, you should hash and salt them. Encryption works both ways. Hashes are one way only, so they cannot be decrypted. Also, you should set up an account on the database with limited access for PHP to access. Other than that, it sounds good to me.
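The two points in this reply, salted one-way hashes and a limited database account, look like the following in PHP. This is an added example, not code from the thread or from either poster. The table name `users`, the schema `shop`, the MySQL account `shopapp` and the connection details are assumptions; `password_hash()`, `password_verify()`, `password_needs_rehash()` and PDO are standard PHP. MD5 (which serunox mentions later) is unsalted and fast, so identical passwords produce identical values and precomputed tables recover them; `password_hash()` picks a random salt per password and uses a deliberately slow algorithm.

```php
<?php
// Added example, not code from the thread. Stores passwords as salted hashes and
// talks to MySQL through a limited account. The names users, shop and shopapp
// are assumptions; the MySQL statements that set them up would be roughly:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       username VARCHAR(64) NOT NULL UNIQUE,
//                       password_hash VARCHAR(255) NOT NULL);
//   CREATE USER 'shopapp'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT, INSERT, UPDATE ON shop.users TO 'shopapp'@'localhost';
// The web application never connects as root: it cannot DROP, ALTER, read
// files or touch other schemas even if one of its queries is subverted.
declare(strict_types=1);

function db(): PDO
{
    // Placeholder credentials; in practice read them from a file outside the web root.
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shopapp', 'app-password-placeholder', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function registerUser(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates a random salt per password and stores it inside
    // the returned string, so no separate salt column is needed.
    // PASSWORD_DEFAULT is currently bcrypt; the result fits in VARCHAR(255).
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Bound parameters: user input is never concatenated into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Returns the user id on success, null on failure. The caller gets the same
// answer for "no such user" and "wrong password".
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();

    // When the username does not exist, still run password_verify() against a
    // throwaway hash so the response time does not reveal which names exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    $storedHash = ($row === false) ? $dummyHash : $row['password_hash'];

    $ok = password_verify($password, $storedHash);
    if ($row === false || !$ok) {
        return null;
    }

    // If the default algorithm or cost factor changes later, upgrade the stored
    // hash on the next successful login (the plaintext is only available now).
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }

    return (int) $row['id'];
}

// Usage (assumed account names):
//   registerUser(db(), 'alice', 'correct horse battery staple');
//   $id = authenticate(db(), 'alice', 'correct horse battery staple'); // int id, or null on failure
```

A duplicate username makes `registerUser()` throw a `PDOException` because of the UNIQUE constraint, which the registration page should catch and report generically. Existing MD5 values cannot be turned into bcrypt hashes without the plaintext, so a migration either asks users to set a new password or verifies the old MD5 value once at their next login and then stores a `password_hash()` result.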

#3 CTphpnwb

Re: Question on login security with php and mysql

Posted 17 October 2011 - 06:48 AM

When I think of all the sites that redirect users right back to the same site I'm amazed that the web isn't slower than it is.

Why tell the client's browser to go to another page on your site? That requires bandwidth in both directions:
  • Server talks to client.
  • Client requests another page.
Your script is already running and hasn't sent anything to the browser, so why do that when you can simply load the login page with an include?

#4 serunox

Re: Question on login security with php and mysql

Posted 17 October 2011 - 12:49 PM

@macosxnerd101: Thanks for that. What encryption method would you use to hash the password? I'm currently using MD5 on just the password. And what would you use for the account for the database, .htaccess?

@CTphpnwb: never thought about the include. My lecturer recommended redirecting using headers and exit if the user entered the wrong details. I have my login script in a separate file; would it be better to put it in the page itself?

#5 CTphpnwb

Re: Question on login security with php and mysql

Posted 17 October 2011 - 01:12 PM

Files are not pages and pages are not files. The purpose of PHP is to make dynamic pages. That means that the page can change based on user inputs. So if a user doesn't input the correct user name and password you can simply include code that brings up the login page. No need to redirect to it.
if (!$loggedin) {
  include "login.php"; // send the login form as this response, no redirect
  exit;                // stop here so the protected content below is never sent
}


#6 serunox

Re: Question on login security with php and mysql

Posted 17 October 2011 - 01:23 PM

CTphpnwb, on 17 October 2011 - 01:12 PM, said:

Files are not pages and pages are not files. The purpose of PHP is to make dynamic pages. That means that the page can change based on user inputs. So if a user doesn't input the correct user name and password you can simply include code that brings up the login page. No need to redirect to it.

I realize that. The way I made the login, the form, let's say login.html, calls the logIn.php file with the functions in it. From there I redirect to the next part for logged-in users.

Would it be better to just include the login script in the main login page and use $_SERVER['PHP_SELF'] ?

#7 CTphpnwb

Re: Question on login security with php and mysql

Posted 17 October 2011 - 01:52 PM

login.html does nothing on the server but sit there waiting to be sent to the client. It calls nothing. If you don't get the order of operations straight you're going to have many, more difficult problems.
  • User takes an action.
  • Browser sends a request.
  • Server runs a script.
  • Script sends HTML to browser.
  • Browser renders HTML (no PHP involved at this point).
  • Go to step 1.

What you're trying to do:
  • User takes an action.
  • Browser sends a request.
  • Server sends PHP script and HTML to browser. <- Browsers can run JavaScript, not PHP
  • Browser renders HTML with PHP. <- :crazy:
  • Go to step 1.

This post has been edited by CTphpnwb: 17 October 2011 - 05:02 PM
Reason for edit: spelling. :(

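The cycle CTphpnwb lays out in this post and in #3 and #5, plus the `$_SERVER['PHP_SELF']` question from #6, put together as one login.php. This is an added example, not code from the thread or from any poster. It assumes a hypothetical auth.php that defines `db()` and `authenticate(PDO, string, string): ?int` (returning the user id or null), and a hypothetical /account.php to land on after a successful login. Everything here runs on the server; the browser only ever receives HTML. On wrong details the form is included in the same response and the script exits, as in the snippet in #5. A form action that echoes `$_SERVER['PHP_SELF']` unescaped reflects attacker-supplied path text into the page (a well-known reflected XSS source), so the form uses a fixed action instead.

```php
<?php
// login.php: added example, not code from the thread. One script shows the form
// on GET and checks the credentials on POST, so the cycle is:
//   browser request -> this script runs on the server -> HTML goes back.
// Assumes db() and authenticate() from a hypothetical auth.php
// (authenticate(PDO $pdo, string $user, string $pass): ?int returns the user id or null).
declare(strict_types=1);

session_start();
require_once __DIR__ . '/auth.php';

function isLoggedIn(): bool
{
    return isset($_SESSION['user_id']);
}

// Protected pages (checkout.php and so on) call this at the top instead of
// redirecting: if nobody is logged in, the login form IS the response and the
// script stops, so the protected HTML below the call is never sent.
function requireLogin(): void
{
    if (!isLoggedIn()) {
        http_response_code(401);
        renderLoginForm();
        exit;
    }
}

function renderLoginForm(string $error = ''): void
{
    // Fixed action on purpose: echoing $_SERVER['PHP_SELF'] here unescaped
    // would reflect attacker-controlled path text into the page.
    $msg = ($error === '') ? '' : '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    echo <<<HTML
<form method="post" action="/login.php">
  {$msg}
  <label>Username <input name="username" autocomplete="username"></label>
  <label>Password <input type="password" name="password" autocomplete="current-password"></label>
  <button type="submit">Log in</button>
</form>
HTML;
}

// Reads a POST field as a string; arrays or missing fields become ''.
function postString(string $key): string
{
    $v = $_POST[$key] ?? '';
    return is_string($v) ? $v : '';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = postString('username');
    $password = postString('password');

    $userId = authenticate(db(), $username, $password);
    if ($userId === null) {
        // Wrong details: no redirect, just send the form again in this response.
        // The message is the same for unknown user and wrong password.
        renderLoginForm('Invalid username or password.');
        exit;
    }

    // A fresh session id on login prevents session fixation; the one redirect
    // after a successful POST keeps a browser refresh from resending the password.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    header('Location: /account.php', true, 303);
    exit;
}

// Plain GET: show the form.
renderLoginForm();
```

The form's `method="post"` matters as well: with GET the password would appear in the URL, the server access log and the browser history.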

#8 serunox

Re: Question on login security with php and mysql

Posted 30 October 2011 - 01:44 AM

CTphpnwb, on 17 October 2011 - 01:52 PM, said:

login.html does nothing on the server but sit there waiting to be sent to the client. It calls nothing. If you don't get the order of operations straight you're going to have many, more difficult problems.
  • User takes an action.
  • Browser sends a request.
  • Server runs a script.
  • Script sends HTML to browser.
  • Browser renders HTML (no PHP involved at this point).
  • Go to step 1.

What you're trying to do:
  • User takes an action.
  • Browser sends a request.
  • Server sends PHP script and HTML to browser. <- Browsers can run JavaScript, not PHP
  • Browser renders HTML with PHP. <- :crazy:
  • Go to step 1.

Thanks for that. I'll have a look at it.
