Secure PHP Login

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


psykahtik
Forum Newbie
Posts: 4
Joined: Fri Mar 04, 2011 1:47 pm

Secure PHP Login

Post by psykahtik »

I have a simple php admin login script, which looks something like this:

Code:

<?php

if (isset($_POST['submit'])) {

    $user = $_POST['user'];
    $pass = $_POST['pass'];
    if ($user == "admin" && $pass == "123456") {
        // Show admin page.
        echo "Admin page";
    } else {
        // Incorrect login info.
        echo "Incorrect login info.";
    }
} else {
    // Show login form.
    echo "Login form";
}

?>
I just typed that up very quickly, so if it's not perfect, you get the idea.

How can I make a more secure login... I DO NOT want to use MySQL. What's the best way to create a secure login using just PHP?

I have searched around, but there are so many different ideas I don't know which is most effective.

It's not a bank, so I don't need anything crazy, but it's not a personal website... something in between would work.

Thanks!
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Secure PHP Login

Post by califdon »

Are you planning to have multiple users, each with their own password? If you don't want to use MySQL, how are you planning to store the users/passwords? You may want to consider using SQLite http://www.sqlite.org/, which is built in to PHP5 http://us3.php.net/manual/en/book.sqlite.php. You would no doubt want to use PHP session variables so that you protect subsequent pages without requiring a login for each page. You might want to use hash() or MD5() encryptions of passwords so the plaintext passwords are not stored anywhere on your site.
psykahtik
Forum Newbie
Posts: 4
Joined: Fri Mar 04, 2011 1:47 pm

Re: Secure PHP Login

Post by psykahtik »

No, just for one user. An admin to log in, that's it.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Secure PHP Login

Post by Apollo »

Instead of using

Code:

if ($pass == "xxx") ...
use something like

Code:

// assuming your PHP installation supports sha512, otherwise use whirlpool, sha384, or sha256
$crc = hash('sha512', $pass . $salt);
if ($crc == "yyy") ...
where "yyy" is the SHA512 hash of your password, and $salt is a string containing crap (like "nB_w%tz7/2Xy!iU^H7qO(ap" or something) to avoid rainbow table attacks.

And use sessions to remember a user being logged in.
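An added example of the approach Apollo describes (store only a salted hash, never the plaintext password, and use a session to remember the login); it is not code from anyone in this thread. It swaps in PHP's built-in password_hash()/password_verify() for the hand-rolled sha512 + $salt, which does the salting and a constant-time compare for you; $adminUser, $adminHash, attemptLogin() and admin.php are placeholder names I chose.

```php
<?php
// Added example, not from the thread: single-user admin login that stores
// only a salted password hash and remembers the login in a session.
session_start();

// Constructed placeholders. Keep these in a config file outside the web root.
// Generate the real hash once with:
//   php -r 'echo password_hash("your-password", PASSWORD_DEFAULT);'
$adminUser = 'admin';
$adminHash = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

function attemptLogin(string $user, string $pass, string $adminUser, string $adminHash): bool
{
    // hash_equals() and password_verify() both compare in constant time;
    // checking both (no early return) makes a wrong username cost about
    // the same as a wrong password, so nothing is learned from timing.
    $userOk = hash_equals($adminUser, $user);
    $passOk = password_verify($pass, $adminHash);
    return $userOk && $passOk;
}

if (isset($_POST['submit'])) {
    $user = (string)($_POST['user'] ?? '');
    $pass = (string)($_POST['pass'] ?? '');

    if (attemptLogin($user, $pass, $adminUser, $adminHash)) {
        session_regenerate_id(true);   // fresh session id on login (session fixation)
        $_SESSION['admin'] = true;
        header('Location: admin.php'); // admin.php must check $_SESSION['admin'] === true
        exit;
    }

    sleep(1);                          // cheap brake on online password guessing
    echo 'Incorrect login info.';
}
?>
<form method="post">
  <input name="user"> <input type="password" name="pass">
  <button name="submit" value="1">Log in</button>
</form>
```

Every protected page starts with session_start() and redirects to this form unless $_SESSION['admin'] is set, and the logout page calls session_destroy().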
moinshaikh
Forum Commoner
Posts: 27
Joined: Tue Jan 18, 2011 3:40 am
Location: India

Re: Secure PHP Login

Post by moinshaikh »

I know you don't want to use MySQL, but using MySQL with MySQL injection will make your admin panel much more secure... beyond imagination.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Secure PHP Login

Post by Apollo »

moinshaikh wrote: I know you don't want to use MySQL, but using MySQL with MySQL injection will make your admin panel much more secure... beyond imagination.
How is that, if he only needs one login? (admin)