MD5, and digest-only (one-way hash) algorithms in general, are one step from impossible to reverse, but they are still not foolproof: e.g. the string "alex" always hashes to
534b44a19bf18d20b71ecc4eb77c572f with MD5, so if you use ordinary names or words as passwords, someone could use an MD5 dictionary list and run a brute-force attack on the site. Rule of thumb: as long as you use digest-only algorithms and passwords made of alphanumeric characters with symbols, you will be really secure.
I recently made a login form to use with my sites; it supports multiple accounts, MD5 hashing of passwords, and storing the login in cookies so the user can be remembered for a year, etc.
This would be your page you wish to protect:
<?php
// index.php: a page protected by the cookie/form login in user-login.php.
// Output buffering is started first so user-login.php can still send
// headers (setcookie / Location redirects) after something has been echoed.
ob_start();

// Opens the MySQL link ($db_connection) that user-login.php queries.
// NOTE(review): both files rely on the ext/mysql API (mysql_*), which was
// removed in PHP 7.0; database-connect.php is not visible here.
require_once 'database-connect.php';

// Authenticates the visitor; on failure it prints the login form and exits,
// so nothing below this line runs for an unauthenticated request.
require_once 'user-login.php';

// --- protected content starts here ---
$logout_link = "<a href='user-logout.php'>Logout</a>";
echo 'You are logged in!<br/>' . $logout_link . '<br/>';

// Release the database link and send the buffered page.
mysql_close();
ob_end_flush();
?>
This is user-login.php:
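<?php
/*
 * user-login.php: cookie-based authentication, required by a protected page.
 *
 * Two paths:
 *  1. The browser presents the username/password/accessid cookies set by an
 *     earlier login: they are checked against the users table. A mismatch
 *     redirects to user-logout.php, which clears the cookies.
 *  2. No cookies: a POST to ?action=login is checked against the table and,
 *     on success, the three cookies are set. The login form is then printed
 *     and the script exits, so the including page never renders for an
 *     unauthenticated visitor.
 *
 * Expects $db_connection (ext/mysql link) from database-connect.php and the
 * including page to have called ob_start() so headers can still be sent.
 *
 * NOTE(review): weaknesses of the scheme itself that this file only documents:
 *  - the "password" cookie carries the unsalted MD5 of the password, so a
 *    stolen or logged cookie is reusable for up to a year; a random
 *    per-login token stored server-side (or PHP sessions) would avoid that;
 *  - unsalted MD5 is not a password hash; password_hash()/password_verify()
 *    is the replacement, but that changes the stored format and has to be
 *    done together with user-register.php;
 *  - ext/mysql (mysql_*) was removed in PHP 7.0.
 */

// Cookies are sent HttpOnly so page scripts cannot read them, and with the
// Secure flag whenever this request itself arrived over HTTPS. No path or
// domain is given, matching what user-logout.php deletes.
$cookie_secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$cookie_httponly = true;

/*
 * Run a SELECT and return its first row as an associative array, or null
 * when the query failed or matched nothing. $sql must already be escaped.
 */
function user_login_fetch_row($sql, $db_connection)
{
    $result = mysql_query($sql, $db_connection);
    if ($result === false) {
        return null;
    }
    $row = mysql_fetch_assoc($result);
    mysql_free_result($result);
    return is_array($row) ? $row : null;
}

if (isset($_COOKIE['username'], $_COOKIE['password'], $_COOKIE['accessid'])) {
    // --- path 1: the browser already holds login cookies ---
    // strip_tags matches what was applied to the username before it was
    // stored; the other two values are hex digests. The raw values are kept
    // for the comparison below and escaped only inside the SQL literals
    // (comparing the escaped copies, as before, rejected any name containing
    // a quote or backslash).
    $username = strip_tags($_COOKIE['username']);
    $password = strip_tags($_COOKIE['password']);
    $accessid = strip_tags($_COOKIE['accessid']);
    $row = user_login_fetch_row(
        "SELECT user_name, user_password, user_access_id FROM users"
        . " WHERE user_name='" . mysql_real_escape_string($username) . "'"
        . " AND user_password='" . mysql_real_escape_string($password) . "'"
        . " AND user_access_id='" . mysql_real_escape_string($accessid) . "'",
        $db_connection
    );
    // Re-check in PHP with a strict, constant-time byte comparison: the MySQL
    // text comparison is collation-dependent, and PHP's == compares two
    // numeric-looking strings (e.g. hex digests of the form "0e<digits>")
    // as numbers.
    $cookies_match = $row !== null
        && hash_equals((string) $row['user_name'], $username)
        && hash_equals((string) $row['user_password'], $password)
        && hash_equals((string) $row['user_access_id'], $accessid);
    if (!$cookies_match) {
        // One or more cookies are invalid, changed or stale: clear them.
        header('Location: user-logout.php');
        exit;
    }
    // LOGIN SUCCESSFUL - the including page renders the protected content.
} else {
    // --- path 2: no login cookies: handle a login POST, then show the form ---
    $action = isset($_GET['action']) ? $_GET['action'] : '';
    if ($action === 'login') {
        // Crude brute-force throttle kept from the original design; note that
        // it also ties up one PHP worker per attempt.
        sleep(2);
        $username = isset($_POST['username']) && is_string($_POST['username'])
            ? strip_tags($_POST['username'])
            : '';
        // The raw password is hashed unchanged (no strip_tags), so the digest
        // is the same one computed at registration for any input.
        $password = isset($_POST['password']) && is_string($_POST['password'])
            ? md5($_POST['password'])
            : '';
        $row = null;
        if ($username !== '' && $password !== '') {
            $row = user_login_fetch_row(
                "SELECT user_name, user_password, user_access_id FROM users"
                . " WHERE user_name='" . mysql_real_escape_string($username) . "'"
                . " AND user_password='" . mysql_real_escape_string($password) . "'",
                $db_connection
            );
        }
        $login_ok = $row !== null
            && hash_equals((string) $row['user_name'], $username)
            && hash_equals((string) $row['user_password'], $password);
        if ($login_ok) {
            $access_id = (string) $row['user_access_id'];
            $remember = isset($_POST['remember']) && $_POST['remember'] === '1';
            // "Remember me" keeps the cookies for one year; otherwise they are
            // session cookies (expire 0) dropped when the browser closes.
            $expire = $remember ? time() + 60 * 60 * 24 * 365 : 0;
            setcookie('username', $username, $expire, '', '', $cookie_secure, $cookie_httponly);
            setcookie('password', $password, $expire, '', '', $cookie_secure, $cookie_httponly);
            setcookie('accessid', $access_id, $expire, '', '', $cookie_secure, $cookie_httponly);
            if ($remember) {
                echo "Username & Password is correct!<br/>You will be logged in until you choose to logout or clear your browser cookies<br/>";
            } else {
                echo "Success: Username & Password is correct!<br/>You will be logged in until you close your browser<br/>";
            }
            echo "<a href='index.php'>Reload</a><br/>";
        } else {
            /* INCORRECT LOGIN - deny access */
            echo "<br/>Error: Incorrect login details!<br/>";
        }
    }
    /* LOGIN FORM */
    echo "
<br/>
<b>Login</b>
<br/>
<form id='loginform' name='loginform' method='post' action='index.php?action=login' style='background-color:#999999;padding:3px;width:250px;height:auto'>
<p>
User Name <input name='username' type='text' id='username' />
</p>
<p>
Password <input name='password' type='password' id='password' />
</p>
<p>
<input name='Login' type='submit' id='Login' value='Login' />
</p>
<p><input name='remember' type='checkbox' id='remember' value='1' />
Remember Me</p>
<p><a href='index.php?action=forgotpassword'>Forgot Password</a></p>
</form>
";
    // Stop here so the including page's protected content is never sent.
    exit;
}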
and this is user-logout.php:
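<?php
/*
 * user-logout.php: clears the three login cookies set by user-login.php and
 * sends the browser back to index.php, which then shows the login form.
 *
 * Must run before any output: setcookie() and header() need the response
 * headers to be unsent (this script is requested directly, not buffered by
 * index.php).
 */
// An expiry one year in the past makes the browser discard each cookie.
// No path or domain is given, matching how user-login.php set them, so the
// deletion targets the same cookies.
$expired = time() - 60 * 60 * 24 * 365;
foreach (array('username', 'password', 'accessid') as $cookie_name) {
    setcookie($cookie_name, '', $expired);
    // Also drop the value for the remainder of this request.
    unset($_COOKIE[$cookie_name]);
}
// Redirect and stop: nothing after a Location header should run or be sent.
header('Location: index.php');
exit;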
To register a user, use this form:
<?php
// Refuse to run as a standalone page: this file only makes sense when it is
// required from index.php (which provides $db_connection), so a request for
// user-register.php itself is rejected.
$requested_script = basename($_SERVER['SCRIPT_FILENAME']);
if ($requested_script === 'user-register.php') {
    echo "Direct Access Denied.";
    exit;
}
/* function email_validate */
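/*
 * Validate an e-mail address typed into the registration form.
 *
 * Accepts a local part of letters/digits with single '.', '_' or '-'
 * separators, one or more domain labels (letters/digits, inner hyphens
 * allowed) and a 2-10 letter top-level domain. Matching is case-insensitive.
 *
 * @param string $email address as submitted
 * @return bool true when the address has the accepted shape; false for a
 *              blank string, a non-string, or a PCRE failure
 */
function email_validate ($email)
{
    if (!is_string($email) || strlen(trim($email)) === 0) {
        return false;
    }
    // eregi() (POSIX regex, removed in PHP 7) is replaced by preg_match()
    // with the /i modifier. The original domain class "[a\-z0-9]" escaped
    // the hyphen, so it matched only the letters a and z instead of a-z;
    // the label pattern below is the intended one. \z rejects a trailing
    // newline that $ alone would accept.
    $pattern = '/^[a-z0-9]([_.\-]?[a-z0-9]+)*@([a-z0-9]([a-z0-9\-]*[a-z0-9])?\.)+[a-z]{2,10}\z/i';
    return preg_match($pattern, $email) === 1;
}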
/* REGISTERS A NEW USER */
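/* REGISTERS A NEW USER */
$user_action = isset($_GET['user']) ? $_GET['user'] : '';
if ($user_action === 'add') {
    // Form values; a missing or non-string field counts as empty instead of
    // raising an undefined-index notice.
    $username = isset($_POST['username']) && is_string($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : '';
    $email    = isset($_POST['email']) && is_string($_POST['email']) ? $_POST['email'] : '';
    // NOTE(review): every self-registered account is created as "admin", and
    // this form is reachable by anyone who can load index.php. Kept as the
    // original behaviour; a deployment should assign a non-privileged type
    // here and restrict who may register.
    $account_type = "admin";
    $email_is_valid = email_validate($email);
    // All fields are required and the e-mail must have a valid shape.
    if ($username === '' || $password === '' || $email === '' || !$email_is_valid) {
        echo "<br/>Error: User could not be registered because all fields need to be complete and email must be valid!<br/>";
    } else {
        // Escaped copies are used only inside SQL literals; the raw values
        // are kept for hashing and for output.
        $username_sql = mysql_real_escape_string($username);
        $email_sql    = mysql_real_escape_string($email);
        // Is the user name already taken? Any matching row counts (the
        // original compared the row against the escaped name, which missed
        // names containing quotes or backslashes).
        $name_taken = false;
        $db_fetch = mysql_query(" SELECT user_name FROM users WHERE user_name='$username_sql' ", $db_connection);
        if ($db_fetch !== false) {
            $name_taken = mysql_fetch_assoc($db_fetch) !== false;
            mysql_free_result($db_fetch);
        }
        if ($name_taken) {
            // Escape the user-supplied name so it cannot inject markup into
            // this page.
            $username_html = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
            echo "<br/>Error: User could not be registered because the username $username_html already exists<br/>";
        } else {
            // 24-hour clock: the original 'h' (12-hour) stored afternoon
            // times as morning times in the DATETIME columns.
            $date_registered = date('Y-m-d H:i:s');
            $date_lastlogin  = $date_registered;
            // Access ID: a random per-user value that becomes the third
            // login cookie, so it must be unpredictable. 16 random bytes as
            // 32 hex chars replaces rand(100000, $access_id), whose upper
            // bound was an undefined variable. The last fallback is weak and
            // only exists for builds without random_bytes() or OpenSSL.
            if (function_exists('random_bytes')) {
                $access_id = bin2hex(random_bytes(16));
            } elseif (function_exists('openssl_random_pseudo_bytes')) {
                $access_id = bin2hex(openssl_random_pseudo_bytes(16));
            } else {
                $access_id = md5(uniqid(mt_rand(), true));
            }
            // Hash the raw password: the original escaped it first, so any
            // password containing a quote or backslash hashed differently
            // here than at login and could never sign in. The hex digest
            // needs no escaping.
            // NOTE(review): unsalted MD5 is fast to brute-force offline;
            // password_hash()/password_verify() is the replacement, but
            // user-login.php must change at the same time.
            $password_hash = md5($password);
            $db_insert = "
INSERT INTO users
(
user_name,
user_password,
user_email,
user_account_type,
user_access_id,
user_date_registered,
user_date_lastlogin
)
VALUES
(
'$username_sql',
'$password_hash',
'$email_sql',
'$account_type',
'$access_id',
'$date_registered',
'$date_lastlogin'
)";
            if (mysql_query($db_insert, $db_connection)) {
                echo "<br/>Registered Successfully!<br/>";
            } else {
                // The original discarded mysql_error()'s return value, so a
                // failed INSERT printed nothing. Log the detail server-side
                // and show a generic message: database errors reveal table
                // and column names.
                error_log('user-register.php: INSERT failed: ' . mysql_error($db_connection));
                echo "<br/>Error: User could not be registered, please try again later.<br/>";
            }
        }
    }
}
/* REGISTRATION FORM */
echo "
<br/><br/>
<b>Register</b>
<br/>
<form id='loginform' name='loginform' method='post' action='index.php?action=register&user=add' style='background-color:#999999;padding:3px;width:250px;height:auto'>
<p>
User Name <input name='username' type='text' id='username' />
</p>
<p>
Password <input name='password' type='password' id='password' />
</p>
<p>
e-mail <input name='email' type='text' id='email' />
</p>
<p>
<input name='register' type='submit' id='Register' value='Register' />
</p>
<a href='index.php'>[Back]</a>
</form>
<br/><br/>
";
// Stop here so the including page's protected content is never sent.
exit;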
You'll need a MySQL database to hold the passwords and a table named 'users'; this is the SQL structure:
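-- users: one row per account, used by user-login.php and user-register.php.
-- InnoDB instead of MyISAM so the table has row locks and transactions.
-- The AUTO_INCREMENT=12 of the original dump was a per-instance artifact and
-- is not part of the schema.
CREATE TABLE IF NOT EXISTS `users` (
  `user_id` bigint(20) NOT NULL AUTO_INCREMENT,
  -- VARCHAR rather than TEXT so the name can carry a UNIQUE index: the
  -- registration script's "already exists" SELECT is not atomic on its own,
  -- so two concurrent requests could otherwise both insert the same name.
  `user_name` varchar(255) NOT NULL,
  -- MD5 hex digest today (32 chars); wide enough for a password_hash()
  -- string if the scripts are migrated later.
  `user_password` varchar(255) NOT NULL,
  `user_email` varchar(255) NOT NULL,
  `user_account_type` varchar(32) NOT NULL,
  -- Random per-user value that is sent as the third login cookie.
  `user_access_id` varchar(64) NOT NULL,
  `user_date_registered` datetime NOT NULL,
  `user_date_lastlogin` datetime NOT NULL,
  -- Not supplied by the registration INSERT; without a default, MySQL in
  -- strict mode rejects that INSERT ("doesn't have a default value").
  -- TEXT columns cannot carry a default, hence VARCHAR.
  `user_password_reset` varchar(255) NOT NULL DEFAULT '',
  PRIMARY KEY (`user_id`),
  UNIQUE KEY `uniq_user_name` (`user_name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;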
Hope this helps. I made these scripts so I could add a login wherever I wanted; there are also a couple of scripts for resetting the password and such.
As far as protection goes, I think these scripts are pretty strong; if you think you have found a flaw, please report it back.