Safe PHP password protector software?
Hi,
I have created an admin area for my website, I need a php password script that I can rely on.
If anyone manages to hack the password they can totally wreck my website so it is very important that it is very safe.
Does anyone know of a php script I can use for this?
Thanks,
Tom.
-
mattpointblank
- Forum Contributor
- Posts: 304
- Joined: Tue Dec 23, 2008 6:29 am
Re: Safe PHP password protector software?
First things first: encrypt the password. Store it in a database somewhere and use an encryption function like md5("password") or sha1("password") which will turn your password into a random string of characters that can't (easily) be reverted back to what it was originally.
To make this extra powerful, you combine it with something known as a 'salt' - think of it almost as a second password, except it's one you don't have to set yourself. Say the hacker finds out your password is 'baseball' - he can use the same MD5/SHA1 function to encrypt it and get the same password that's stored in your database. If you store the password along with a salt, it's much harder to hack.
Say for example, your salt is a random word you hardcode into the script, something like:

```php
$password = $_POST['password']; // vulnerable to SQL injection, but works for example purposes
$salt = "put something secret in here, the more complex the better";
$salt = md5($salt);
$new_password = $password . $salt;
```

You could then store both $new_password and $salt in your database. This way the hacker has to figure out the contents of both in order to login, since your password is now both combined. I do it this way then store the $salt in the cookie.
This might not be the best explanation but it's definitely a start.
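As an added example (not mattpointblank's code and not from the original thread): the salting idea above, done with PHP's built-in password_hash(), which generates a fresh random salt per hash and embeds it in the stored string, so nothing has to be hard-coded in the script or put in a cookie. The in-memory SQLite table, the function names and the sample users are assumptions made for this demonstration; the query uses prepared statements so a username never becomes part of the SQL text.

```php
<?php
// Added example, not code from the thread. Stores passwords with password_hash()
// (random per-user salt, bcrypt by default) and looks users up with prepared
// statements. Table layout and sample data are constructed for the demo.

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');   // in-memory DB so the example runs stand-alone
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (
            user_id INTEGER PRIMARY KEY AUTOINCREMENT,
            user_name TEXT NOT NULL UNIQUE,
            user_password TEXT NOT NULL)');
    }
    return $pdo;
}

function register_user(string $username, string $password): bool {
    // password_hash() picks a random 16-byte salt and keeps it inside the
    // returned string, so there is no separate salt column to protect.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        $stmt = db()->prepare('INSERT INTO users (user_name, user_password) VALUES (?, ?)');
        return $stmt->execute([$username, $hash]);
    } catch (PDOException $e) {
        return false; // UNIQUE constraint: the username is already taken
    }
}

function login_user(string $username, string $password): ?int {
    $stmt = db()->prepare('SELECT user_id, user_password FROM users WHERE user_name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so "no such
    // user" and "wrong password" take the same time and give the same answer.
    $stored = $row ? $row['user_password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $stored) || !$row) {
        return null;
    }
    // Transparently upgrade old hashes when the default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = db()->prepare('UPDATE users SET user_password = ? WHERE user_id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['user_id']]);
    }
    return (int) $row['user_id'];
}

// Demonstration with constructed accounts.
register_user('tom', 'baseball');
var_dump(register_user('tom', 'other'));            // second registration of the same name
var_dump(login_user('tom', 'baseball'));            // correct password
var_dump(login_user('tom', 'football'));            // wrong password
var_dump(login_user("tom' OR '1'='1", 'baseball')); // injection attempt is just an unknown username

// Two accounts with the same password get different stored hashes because of
// the per-hash salt, unlike md5() where equal input always gives equal output.
register_user('alex', 'baseball');
$rows = db()->query('SELECT user_password FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows[0] !== $rows[1]);
```

The point of the last check is the one the thread circles around: with an unsalted digest, every user who picks 'baseball' stores the same string, so one precomputed dictionary breaks all of them at once; with a per-hash random salt, each stored value has to be attacked separately, and bcrypt's cost factor makes each attempt slow.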
Re: Safe PHP password protector software?
MD5 and digest-only encryption algorithms in general are one step from impossible to crack; still, though, e.g. the string "alex" is always
534b44a19bf18d20b71ecc4eb77c572f when hashed with md5, so if you use regular names for passwords, one could use an md5 dictionary list and do a brute force attack on the site. Rule of thumb: as long as you use digest-only algorithms and alphanumeric passwords with symbols, you will be really secure.
I recently made a login form to use with my sites, it supports multiple accounts, md5 hashing of passwords, stores in cookies so the user can be remembered for a year etc.
This would be your page you wish to protect:

```php
<?php
//output buffer start
ob_start();
//connect to database
require_once('database-connect.php');
/* REQUIRE USER LOGIN */
require_once('user-login.php');
/* PROTECTED CONTENT FROM HERE ON */
echo "You are logged in!<br/><a href='user-logout.php'>Logout</a><br/>";
//disconnect from database
mysql_close();
//output buffer end
ob_end_flush();
?>
```

This is the user-login.php:

```php
<?php
//check if cookie has been set on user's machine
if (isset($_COOKIE['username']) && isset($_COOKIE['password']) && isset($_COOKIE['accessid']))
{
    //get values from cookies, strip possible html
    $username=strip_tags($_COOKIE['username']);
    $password=strip_tags($_COOKIE['password']);
    $accessid=strip_tags($_COOKIE['accessid']);
    //filter values for SQL query
    $username=mysql_real_escape_string($username);
    $password=mysql_real_escape_string($password);
    $accessid=mysql_real_escape_string($accessid);
    //search the database for that user
    $db_select = " SELECT * FROM users WHERE user_name='$username' AND user_password='$password' AND user_access_id='$accessid'";
    $db_fetch = mysql_query($db_select,$db_connection);
    //start from "no row found" so an empty cookie can never match a missing row
    $get_username=$get_password=$get_accessid=null;
    while($row = mysql_fetch_array($db_fetch))
    {
        $get_username=$row['user_name'];
        $get_password=$row['user_password'];
        $get_accessid=$row['user_access_id'];
    }
    //check if the values in cookies and database match (strict comparison)
    if ($get_username===$username && $get_password===$password && $get_accessid===$accessid)
    {
        //LOGIN SUCCESSFUL - display the rest of the page
    }
    else
    {
        //one or more cookies are not valid, have changed or are expired
        header('Location: user-logout.php');
        exit;
    }
}
else
{
    //user doesn't have login info in his cookies - proceed to login form
    /* CHECK LOGIN */
    if (isset($_GET['action']) && $_GET['action']=='login')
    {
        //GET form values, strip html
        $username=strip_tags($_POST['username']);
        $password=strip_tags($_POST['password']);
        $password=md5($password);
        //small delay
        sleep(2);
        //filter values for SQL query
        $username=mysql_real_escape_string($username);
        $password=mysql_real_escape_string($password);
        //search user in database
        $db_select = " SELECT * FROM users WHERE user_name='$username' AND user_password='$password' ";
        $db_fetch = mysql_query($db_select,$db_connection);
        $get_username=$get_password=$get_access_id=$get_account_type=null;
        while($row = mysql_fetch_array($db_fetch))
        {
            $get_username=$row['user_name'];
            $get_password=$row['user_password'];
            $get_access_id=$row['user_access_id'];
            $get_account_type=$row['user_account_type'];
        }
        if ($get_password===$password && $get_username===$username && isset($username) && isset($password))
        {
            //if the user has set to be remembered store that in a cookie
            if (isset($_POST['remember']) && $_POST['remember']==1)
            {
                setcookie("username", $username, time()+60*60*24*365);
                setcookie("password", $password, time()+60*60*24*365);
                setcookie("accessid", $get_access_id, time()+60*60*24*365);
                echo "Username & Password is correct!<br/>You will be logged in until you choose to logout or clear your browser cookies<br/>";
                echo "<a href='index.php'>Reload</a><br/>";
            }
            else
            {
                setcookie("username", $username);
                setcookie("password", $password);
                setcookie("accessid", $get_access_id);
                echo "Success: Username & Password is correct!<br/>You will be logged in until you close your browser<br/>";
                echo "<a href='index.php'>Reload</a><br/>";
            }
        }
        else
        {
            /* INCORRECT LOGIN - deny access */
            echo "<br/>Error: Incorrect login details!<br/>";
        }
    }
    /* LOGIN FORM */
    echo "
    <br/>
    <b>Login</b>
    <br/>
    <form id='loginform' name='loginform' method='post' action='index.php?action=login' style='background-color:#999999;padding:3px;width:250px;height:auto'>
    <p>
    User Name <input name='username' type='text' id='username' />
    </p>
    <p>
    Password <input name='password' type='password' id='password' />
    </p>
    <p>
    <input name='Login' type='submit' id='Login' value='Login' />
    </p>
    <p><input name='remember' type='checkbox' id='remember' value='1' />
    Remember Me</p>
    <p><a href='index.php?action=forgotpassword'>Forgot Password</a></p>
    </form>
    ";
    exit;
}
?>
```

and user-logout.php:

```php
<?php
/* LOGOUT USER */
//remove cookies
setcookie("username", "", time()-60*60*24*365);
setcookie("password", "", time()-60*60*24*365);
setcookie("accessid", "", time()-60*60*24*365);
//redirect
header('Location: index.php');
?>
```

To register a user, use this form:

```php
<?php
//disallow direct access
if ('user-register.php' == basename($_SERVER['SCRIPT_FILENAME']))
{echo "Direct Access Denied.";exit;}
/* function email_validate */
function email_validate ($email)
{
    if (strlen (trim ($email)))
        return (eregi("^[a-z0-9]([_\\.\\-]?[a-z0-9]+)*@((([a-z0-9]+[a-z0-9\\-]*[a-z0-9]+)|[a-z0-9])+\\.)+[a-z]{2,10}$", $email));
    return false;
}
/* REGISTERS A NEW USER */
if (isset($_GET['user']) && $_GET['user']=='add')
{
    //GET form values
    $username=$_POST['username'];
    $password=$_POST['password'];
    $email=$_POST['email'];
    $account_type="admin";
    //check email address
    $email_is_valid=email_validate ($email);
    //check form fields
    if ($username=='' || $password=='' || $email=='' || $email_is_valid==false)
    {
        echo "<br/>Error: User could not be registered because all fields need to be complete and email must be valid!<br/>";
    }
    else
    {
        //filter values for SQL query
        $username=mysql_real_escape_string($username);
        $password=mysql_real_escape_string($password);
        $email=mysql_real_escape_string($email);
        //find if user already exists in database
        $db_select = " SELECT * FROM users WHERE user_name='$username' ";
        $db_fetch = mysql_query($db_select,$db_connection);
        $get_username=null;
        while($row = mysql_fetch_array($db_fetch))
        {
            $get_username=$row['user_name'];
        }
        if ($username===$get_username)
        {
            //error - user already exists
            echo "<br/>Error: User could not be registered because the username $username already exists<br/>";
        }
        else
        {
            //GET current date
            $date_registered=date('Y-m-d h:i:s');
            $date_lastlogin=$date_registered;
            //generate custom access ID for additional cookie security
            //(random number between 100000 and the generator's maximum)
            $access_id=rand(100000,getrandmax());
            $access_id=md5($access_id);
            //convert password to md5 hash
            $password=md5($password);
            //insert user to database
            $db_insert="
            INSERT INTO users
            (
            user_name,
            user_password,
            user_email,
            user_account_type,
            user_access_id,
            user_date_registered,
            user_date_lastlogin
            )
            VALUES
            (
            '$username',
            '$password',
            '$email',
            '$account_type',
            '$access_id',
            '$date_registered',
            '$date_lastlogin'
            )";
            if (mysql_query($db_insert,$db_connection))
            {
                //SUCCESS - user was registered
                echo "<br/>Registered Successfully!<br/>";
            }
            else
            {
                //show the database error instead of silently discarding it
                echo mysql_error();
            }
        }
    }
}
/* REGISTRATION FORM */
echo "
<br/><br/>
<b>Register</b>
<br/>
<form id='loginform' name='loginform' method='post' action='index.php?action=register&user=add' style='background-color:#999999;padding:3px;width:250px;height:auto'>
<p>
User Name <input name='username' type='text' id='username' />
</p>
<p>
Password <input name='password' type='password' id='password' />
</p>
<p>
e-mail <input name='email' type='text' id='email' />
</p>
<p>
<input name='register' type='submit' id='Register' value='Register' />
</p>
<a href='index.php'>[Back]</a>
</form>
<br/><br/>
";
exit;
?>
```

You'll need a MySQL database to hold the passwords and a table named 'users'; this is the SQL structure:

```sql
CREATE TABLE IF NOT EXISTS `users` (
  `user_id` bigint(20) NOT NULL AUTO_INCREMENT,
  `user_name` text NOT NULL,
  `user_password` text NOT NULL,
  `user_email` text NOT NULL,
  `user_account_type` text NOT NULL,
  `user_access_id` text NOT NULL,
  `user_date_registered` datetime NOT NULL,
  `user_date_lastlogin` datetime NOT NULL,
  `user_password_reset` text NOT NULL,
  PRIMARY KEY (`user_id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=12 ;
```

Hope this helps. I made those scripts to help me add a login wherever I wanted; there are also a couple of scripts for resetting the password and such.
As far as protection goes, I think these scripts are pretty strong; if you think you found a flaw, please report it back.
Last edited by Sindarin on Mon Jun 29, 2009 8:43 pm, edited 1 time in total.
-
mattpointblank
- Forum Contributor
- Posts: 304
- Joined: Tue Dec 23, 2008 6:29 am
Re: Safe PHP password protector software?
I'd avoid storing user details in cookies - also, why set a cookie before they're logged in? You could pass those variables in sessions so nobody could see them.
Re: Safe PHP password protector software?
Thanks for the help everyone, I will have a play around and see what I can come up with! 
Re: Safe PHP password protector software?
mattpointblank wrote:
I'd avoid storing user details in cookies - also, why set a cookie before they're logged in? You could pass those variables in sessions so nobody could see them.

The reason I do (and most people do) store user details in cookies is for the "remember me" feature: the password is hashed, so it's not retrievable, and it is stored along with another totally random hash. If one of them gets compromised the cookies are useless. However, like e.g. Yahoo does, advice is given that the "remember me" feature should not be used on a public computer, as someone could copy your cookie file to gain access from their PC.
-
mattpointblank
- Forum Contributor
- Posts: 304
- Joined: Tue Dec 23, 2008 6:29 am
Re: Safe PHP password protector software?
I'm not debating using cookies for that feature, but for mine I tend to just store a unique random number which is also stored in the database, so none of the user's info leaves my server.
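An added example of the "remember me" design mattpointblank describes in this last post (a random value kept in the database, nothing about the user in the cookie), written here for the thread and not taken from either poster's scripts. The cookie carries a selector and a random validator; only a hash of the validator is stored server-side, so a copied database table does not yield working cookies, and a cookie with the right selector but a wrong validator revokes that token. The table layout, function names and the user id 42 are assumptions for the demonstration, and the in-memory SQLite database is there so the block runs stand-alone.

```php
<?php
// Added example, not code from the thread: persistent-login tokens that keep the
// username and password hash out of the cookie. Table and names are constructed.

const REMEMBER_TTL = 60 * 60 * 24 * 30; // 30 days; an assumption for the demo

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');   // stand-in for the site's real database
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE persistent_logins (
            selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
            user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
    }
    return $pdo;
}

// Call after a successful password login when the user ticked "remember me".
// Returns the cookie value; the caller hands it to setcookie().
function issue_remember_token(int $userId): string {
    $selector  = bin2hex(random_bytes(9));   // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));  // secret, stored only as a hash
    $stmt = db()->prepare('INSERT INTO persistent_logins (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Validates a cookie value and returns the user id, or null when it is missing,
// expired or forged. The validator is compared in constant time with hash_equals().
function check_remember_token(string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = db()->prepare('SELECT validator_hash, user_id, expires FROM persistent_logins WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector, wrong secret: treat the token as stolen and revoke it.
        db()->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Logout: drop the server-side record so the cookie is dead even if it is copied.
function revoke_remember_token(string $cookie): void {
    $selector = explode(':', $cookie, 2)[0];
    db()->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);
}

// Demonstration with a constructed user id.
$cookie = issue_remember_token(42);
var_dump(check_remember_token($cookie));        // the issuing user's id
var_dump(check_remember_token('deadbeef:00'));  // unknown selector
$tampered = substr($cookie, 0, -1) . (substr($cookie, -1) === 'a' ? 'b' : 'a');
var_dump(check_remember_token($tampered));      // wrong validator: rejected and revoked
var_dump(check_remember_token($cookie));        // original token no longer valid either
```

In a real page the value returned by issue_remember_token() goes out with setcookie('remember', $cookie, ['expires' => time() + REMEMBER_TTL, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']), and a successful check_remember_token() should be followed by session_regenerate_id(true) and storing the user id in $_SESSION, so the rest of the site reads login state from the session rather than from cookies. The public-computer caveat from the thread still applies, which is why the logout path deletes the server-side record rather than only clearing the browser's cookie.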