professional create user script...advice?
scarface222
- Forum Contributor
- Posts: 354
- Joined: Thu Mar 26, 2009 8:16 pm
Hey guys, I am pretty new to PHP and need to implement a create-user script that will be secure and cover all the potential risks and considerations. I can make a shoddy script, but I was wondering if anyone knew of any good scripts. I have googled for a while and have not come across any good scripts. All of them have security flaws and other problems. Anyone have any advice?
Re: professional create user script...advice?
What in your mind is a create-user script? Are you talking about creating a members-only section on a website? Do you have MySQL installed?
Re: professional create user script...advice?
Thanks for the reply, man. Yeah, sorry, I am talking about creating a user account through form input and inserting it into a database. Just wondering if anyone had ideas on PHP scripts that would do all the necessary checks and add a certain amount of security when the user enters information, for example username and password, and has it inserted into MySQL.
This is what I have so far, but I do not think it is very good...
Code:
<?php
// Assumes a connection is already open via mysql_connect()/mysql_select_db().
// (The mysql_* extension this relies on was removed in PHP 7.)
if (isset($_POST['username'])) {
    // Escape the raw form values for use inside SQL string literals.
    $username         = mysql_real_escape_string($_POST['username']);
    $password         = mysql_real_escape_string($_POST['password']);
    $confirm_password = mysql_real_escape_string($_POST['confirm_password']);

    // Look up whether the username is already taken.
    $first_query = "SELECT * FROM users WHERE user = '$username'";
    $result = mysql_query($first_query) or die('Error, select query failed');
    $count  = mysql_num_rows($result);

    if (empty($username) || empty($password) || empty($confirm_password)) {
        echo 'please fill in all fields';
        return;
    }
    if ($count > 0) {
        echo 'user exists';
        return;
    }
    if ($password != $confirm_password) {
        echo 'passwords do not match';
        return;
    }
    // Length limits: username and password must each be 3 to 10 characters.
    if (strlen($username) < 3 || strlen($username) > 10) {
        echo 'Your username is less than 3 or more than 10!';
        return;
    }
    if (strlen($password) < 3 || strlen($password) > 10) {
        echo 'Your password is less than 3 or more than 10!';
        return;
    }

    // Store the account; the password is saved exactly as typed (no hashing).
    $second_query = "INSERT INTO users (user, password) VALUES ('$username', '$password')";
    mysql_query($second_query) or die('Error, insert query failed');
}
?>
Re: professional create user script...advice?
Perhaps this is better asked on the PHP security forum.
I can suggest you filter the input fields for non-ASCII characters so someone doesn't inject crap into your database. See http://www.metatitan.com/php/16/protect ... ction.html
Also add trim($input) to what you are reading from the form to remove any accidental trailing spaces, which really screw up users.
Some people like to encrypt the passwords immediately before storing them. That way, if your database gets hacked, they can't get the passwords. The downside is that if a user forgets the password it can't be recovered, only reset. See jatat_k's example: http://www.webmasterworld.com/forum88/4590.htm
Depending on what type of data you are handling, you might need to be using HTTPS and security certificates to prevent session hijacks.
You can also add some hidden features like logging the IPs and the number of successful and failed logins to monitor for a brute-force attack on a specific account, or multiple attempts on multiple accounts from the same IP.
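The reply above lists the controls but not how they fit together. The following is an added example, not code posted in this thread, showing a create-user handler that applies them: trim() on input, a whitelist that only accepts ASCII letters, digits and underscores for the username, PDO prepared statements in place of mysql_real_escape_string (the mysql_* extension was removed in PHP 7, and parameterized queries keep data out of the SQL text altogether), and a salted bcrypt hash via password_hash() so the database never holds the plain-text password. It assumes PHP 7.1+, PDO with the MySQL driver, a table users(user VARCHAR(10) UNIQUE, password VARCHAR(255)), and the DSN/credential constants shown; all of those are assumptions, not anything from the original post.

```php
<?php
// Added example, not code from the thread: a create-user handler that applies the
// controls suggested above (trim, ASCII-only usernames, prepared statements instead
// of string escaping, and a salted bcrypt hash via password_hash()).
// Assumptions: PHP 7.1+, PDO with the MySQL driver, a table
//   users(user VARCHAR(10) UNIQUE, password VARCHAR(255))
// and the DSN/credentials below.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // assumed
const DB_USER = 'app';    // assumed
const DB_PASS = 'secret'; // assumed

// Validate the raw form fields. Returns an error message, or null if all is well.
function validate_registration(array $post): ?string
{
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');
    $confirm  = (string)($post['confirm_password'] ?? '');

    if ($username === '' || $password === '' || $confirm === '') {
        return 'please fill in all fields';
    }
    // Whitelist, not blacklist: 3-10 ASCII letters, digits or underscores.
    // Quotes, angle brackets and non-ASCII are simply rejected.
    if (!preg_match('/\A[A-Za-z0-9_]{3,10}\z/', $username)) {
        return 'username must be 3-10 letters, digits or underscores';
    }
    if ($password !== $confirm) {
        return 'passwords do not match';
    }
    // Minimum length only; bcrypt uses at most 72 bytes of input, so cap there.
    if (strlen($password) < 8 || strlen($password) > 72) {
        return 'password must be 8-72 characters';
    }
    return null;
}

// Insert the account. Placeholder values never touch the SQL text, so no escaping
// is needed, and the password column holds a bcrypt hash rather than the password.
// Relying on the UNIQUE index (instead of SELECT-then-INSERT) keeps the
// "already taken" check atomic when two registrations race.
function create_user(PDO $db, string $username, string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (user, password) VALUES (:user, :hash)');
    try {
        $stmt->execute([':user' => $username, ':hash' => $hash]);
    } catch (PDOException $e) {
        if ((string)$e->getCode() === '23000') { // SQLSTATE: integrity constraint violation
            return 'user exists';
        }
        throw $e; // anything else is a real error: log it, never echo it to the user
    }
    return 'account created';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'])) {
    $error = validate_registration($_POST);
    if ($error !== null) {
        echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
        exit;
    }
    $db = new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    $message = create_user($db, trim((string)$_POST['username']), (string)$_POST['password']);
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```

Two design points worth noting. First, the original script's `die('Error, select query failed')` pattern is replaced by exceptions: database error text should go to a log, not to the browser, because it tells an attacker what the query looked like. Second, the output is passed through htmlspecialchars() even for fixed messages, so the habit is already in place when a username is later echoed back to a page.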
Re: professional create user script...advice?
Thanks a lot, dude. Just curious about injection attacks: I already used mysql_real_escape_string on the input variables; is that what you meant?
Re: professional create user script...advice?
Also, for encrypting the passwords, say with md5, a long algorithm gets entered into the database. Can the user still enter their password and have it match with the database?
Re: professional create user script...advice?
You have to run it through the same process.
plain text -> encrypt -> now compare to the stored encrypted string.
This will protect your database passwords; however, without HTTPS the plain-text password can be sniffed as it is entered into your form.
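The reply above describes the verify step (plain text -> hash -> compare to the stored value) in one line. As an added example, not code from the thread, here is that login side written out, together with the failed-login logging the earlier reply suggested for spotting brute force against one account or against many accounts from one IP. It uses password_hash()/password_verify() rather than md5: bcrypt embeds a per-password salt in the stored string and is deliberately slow, so a stolen table cannot be reversed with a precomputed table the way unsalted md5 hashes can, and password_verify() does the comparison in constant time. It assumes PHP 7.1+, PDO/MySQL, tables users(user, password) and login_attempts(user, ip, success, attempted_at DATETIME), and the policy constants shown; all of those are assumptions. The HTTPS caveat from the reply still applies: nothing here protects the password in transit.

```php
<?php
// Added example, not code from the thread: the login side of the scheme above.
// The users table holds a password_hash() digest; on login the submitted plain
// text is re-hashed with the salt embedded in the stored string and compared in
// constant time by password_verify(). Each attempt is also recorded so brute force
// on one account, or on many accounts from one IP, shows up and can be throttled.
// Assumptions: PHP 7.1+, PDO/MySQL, tables
//   users(user, password) and login_attempts(user, ip, success, attempted_at DATETIME)
// and the constants below.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // assumed
const DB_USER = 'app';    // assumed
const DB_PASS = 'secret'; // assumed
const MAX_FAILURES_PER_ACCOUNT = 5;   // assumed policy
const MAX_FAILURES_PER_IP      = 20;  // assumed policy
const WINDOW_SECONDS           = 900; // 15 minutes, assumed policy

// A real hash of a throwaway password, used to spend the same bcrypt time when
// the username does not exist, so response time does not reveal valid usernames.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// Failed attempts in the window for one account ('user') or one address ('ip').
function recent_failures(PDO $db, string $column, string $value): int
{
    if (!in_array($column, ['user', 'ip'], true)) { // column is whitelisted, never user input
        throw new InvalidArgumentException('unknown column');
    }
    $cutoff = gmdate('Y-m-d H:i:s', time() - WINDOW_SECONDS); // UTC, to match UTC_TIMESTAMP()
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM login_attempts
          WHERE $column = :value AND success = 0 AND attempted_at > :cutoff"
    );
    $stmt->execute([':value' => $value, ':cutoff' => $cutoff]);
    return (int)$stmt->fetchColumn();
}

// Log every attempt: who, from where, and whether it succeeded.
function record_attempt(PDO $db, string $username, string $ip, bool $success): void
{
    $stmt = $db->prepare(
        'INSERT INTO login_attempts (user, ip, success, attempted_at)
         VALUES (:user, :ip, :success, UTC_TIMESTAMP())'
    );
    $stmt->execute([':user' => $username, ':ip' => $ip, ':success' => (int)$success]);
}

// True only if the account is not throttled, exists, and the password verifies.
function check_login(PDO $db, string $username, string $password, string $ip): bool
{
    if (recent_failures($db, 'user', $username) >= MAX_FAILURES_PER_ACCOUNT
        || recent_failures($db, 'ip', $ip) >= MAX_FAILURES_PER_IP) {
        record_attempt($db, $username, $ip, false);
        return false; // throttled; do not say which limit was hit
    }

    $stmt = $db->prepare('SELECT password FROM users WHERE user = :user');
    $stmt->execute([':user' => $username]);
    $stored = $stmt->fetchColumn(); // false when there is no such user

    if ($stored === false) {
        password_verify($password, DUMMY_HASH); // burn the same time as a real check
        $ok = false;
    } else {
        // plain text -> bcrypt (with the stored salt) -> constant-time compare
        $ok = password_verify($password, (string)$stored);
    }
    record_attempt($db, $username, $ip, $ok);
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    $db = new PDO(DB_DSN, DB_USER, DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $ip = (string)($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
    $ok = check_login($db, trim((string)$_POST['username']), (string)$_POST['password'], $ip);
    echo $ok ? 'login ok' : 'login failed'; // one message for bad user and bad password
}
```

The login_attempts table is what makes the monitoring the earlier reply mentioned possible: a query grouping failures by ip over the last hour shows an attacker walking through many accounts, and grouping by user shows one account under attack. Keeping the throttle check in the same function as the verification means a locked account cannot be probed by a path that skips the counter.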