Hi,
I am a newbie here and in php as well. I need a secure php/mysql based user authentication system (not the basic ones). I googled a lot but found none suitable with all the securities like preventing sql-injection, well encrypted password, captcha etc.
Please suggest me some secure and reliable php/mysql based user authentication frameworks or systems. It would be better if that is opensource.
Thanks in advance.
php/mysql based secure user authentication?
Re: php/mysql based secure user authentication?
Well, if you are a php newbie I recommend you learn it well first... Then phpbb3 can give you a guide... you can take a look at its code and see how it works
hope it helps
Re: php/mysql based secure user authentication?
Hi,
Thanks a lot for your reply. I have understood the basic steps of login, session, logout etc. I have downloaded phpbb3, but it's huge.
Are you sure its security is better than any other standalone user authentication system?
Which parts exactly do I need to extract from phpbb3?
I was wondering how people work on the user authentication system. Do they all write their own system manually? Or do they use any proved and secured authentication system?
Please help me in this issue. Thanks a lot.
Re: php/mysql based secure user authentication?
Developing a "secure" website involves more than just your login/authentication system. Whether writing your own system or assembling one with components taken from a code library, you should develop an understanding of the key concepts.
This might be a good place to start:
http://phpsec.org/projects/guide/
Re: php/mysql based secure user authentication?
Thanks a lot for the security guide. That is really helpful to understand the security issues.
However I need any existing open source based user management system. Please advise me some open source user management system.
Thank you.
Re: php/mysql based secure user authentication?
There are a lot of authentication scripts floating around the place. Some good, some bad.
But I can't really recommend to you because I can't recommend that you (or anyone really) use one. Unless you really 'understand' the concepts and coding for such an important part of your site, you're just saying "well, I'll just trust my site's security to someone who I know nothing about. Surely I can trust this person, even though I have no clue as to whether this person has any knowledge whatsoever about creating a secure environment".
I mean ... it's scary stuff. And a one-size-fits-all open source kit? I'm sure one exists, but I wouldn't use it purely because the more people who use it, the more people who'll be trying to break it. The more people trying, the more exploits found. And suddenly there are hundreds of people out there looking for out of date versions of the system they have a definite exploit for.
But you can find a good system out there. But here's the catch. You need to be able to KNOW how it's working ... what it's doing and how it's doing it ... in order to tell if it's the correct fit for you. And even then, if you understand what you're doing, and you find a nice piece of code, you're going to want to be familiar enough with it to jump in and make an emergency change at the drop of a hat. It's such a bad idea to have a 'black box' security system that I can't even express how bad an idea it is. ('black box' meaning that it's just a thing ... you don't know how it works, you're just told that it does)
Do your research. Find out the vulnerabilities and the methods used to mitigate these. Then you can start looking for pre-written code, though to be honest ... if you go that far you might as well write your own.
Also ...
André D wrote:
Developing a "secure" website involves more than just your login/authentication system.
... Truer words have never been spoken.
Sorry to be so blunt.
Cheers
Re: php/mysql based secure user authentication?
Hi,
Thanks for your invaluable suggestion. I now understand why there is no standard of any user management system.
Can you at least refer me to some good (no need to be 100% secured) user management systems (from simple to complex) so that I work on those and build my own? It will be really helpful.
Thanks.