
Secure PHP Login

Posted: Fri Mar 04, 2011 1:55 pm
by psykahtik
I have a simple php admin login script, which looks something like this:


<?php

if (isset($_POST['submit'])) {

    $user = $_POST['user'];
    $pass = $_POST['pass'];

    // Plaintext credentials compared directly; this is the part the thread is about fixing.
    if ($user == "admin" && $pass == "123456") {
        echo "Show admin page.";
    } else {
        echo "Incorrect login info.";
    }

} else {

    echo "Show login form.";

}

?>
I just typed that up very quickly, so if it's not perfect, you get the idea.

How can I make a more secure login? I DO NOT want to use MySQL. What's the best way to create a secure login using just PHP?

I have searched around, but there are so many different ideas I don't know which is most effective.

It's not a bank, so I don't need anything crazy, but it's not a personal website...something in between would work.

Thanks!

Re: Secure PHP Login

Posted: Fri Mar 04, 2011 4:28 pm
by califdon
Are you planning to have multiple users, each with their own password? If you don't want to use MySQL, how are you planning to store the user/passwords? You may want to consider using SQLite http://www.sqlite.org/, which is built into PHP 5 http://us3.php.net/manual/en/book.sqlite.php. You would no doubt want to use PHP session variables so that you protect subsequent pages without requiring a login for each page. You might want to use hash() or MD5() encryptions of passwords so the plaintext passwords are not stored anywhere on your site.

Re: Secure PHP Login

Posted: Sat Mar 05, 2011 1:58 pm
by psykahtik
No, just for one user. An admin to log in, that's it.

Re: Secure PHP Login

Posted: Sat Mar 05, 2011 2:07 pm
by Apollo
Instead of using


if ($pass=="xxx") ...
use something like


$crc = hash('sha512', $pass . $salt); // assuming your PHP installation supports sha512, otherwise use whirlpool, sha384, or sha256
if ($crc === "yyy") ... // strict comparison: == would treat digests like "0e123..." as numbers
where "yyy" is the SHA512 hash of your password, and $salt is a string containing crap (like "nB_w%tz7/2Xy!iU^H7qO(ap" or something) to avoid rainbow table attacks.

And use sessions to remember a user being logged in.
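The two suggestions above (califdon's sessions, Apollo's salted SHA-512 compared against a stored digest) put together as one single-file admin page, as an added example that is not code from the thread. It assumes the script is saved as admin.php, is served over HTTPS, and runs on PHP 7.0 or later; the constants, the `make-hash` command-line mode and the strings shown are illustrative choices of this example, not anything the posters wrote. The stored digest is computed exactly as in the post, hash('sha512', $pass . $salt), but compared with hash_equals(), which runs in constant time and never applies PHP's loose numeric-string coercion.

```php
<?php
// Added example, not code from the thread. Single-admin login with no database:
// the salt and the SHA-512 of (password . salt) live in this file, as Apollo
// suggested, and a PHP session keeps the admin logged in across pages, as
// califdon suggested. File name (admin.php), constants and strings are
// illustrative choices. Requires PHP 7.0+ and should be served over HTTPS.

const ADMIN_USER = 'admin';
// Generate a long random salt of your own; this is the example string from the
// thread and is public, so do not reuse it.
const ADMIN_SALT = 'nB_w%tz7/2Xy!iU^H7qO(ap';
// Paste the output of `php admin.php make-hash 'your password'` here. The
// placeholder (128 zeros) is not a real digest, so no password matches it.
const ADMIN_HASH = '0000000000000000000000000000000000000000000000000000000000000000'
                 . '0000000000000000000000000000000000000000000000000000000000000000';

function make_hash(string $password, string $salt): string
{
    // Same construction as the post: hash('sha512', $pass . $salt).
    return hash('sha512', $password . $salt);
}

function check_login(string $user, string $pass): bool
{
    // hash_equals() compares in constant time and, unlike ==, never applies
    // PHP's numeric-string coercion ("0e1" == "0e2" is true with ==).
    // Both checks run unconditionally so timing does not reveal which failed.
    $user_ok = hash_equals(ADMIN_USER, $user);
    $pass_ok = hash_equals(ADMIN_HASH, make_hash($pass, ADMIN_SALT));
    return $user_ok && $pass_ok;
}

// Command-line helper to produce the value for ADMIN_HASH.
if (PHP_SAPI === 'cli') {
    if (($argv[1] ?? '') === 'make-hash' && isset($argv[2])) {
        echo make_hash($argv[2], ADMIN_SALT), PHP_EOL;
    } else {
        fwrite(STDERR, "usage: php admin.php make-hash 'password'" . PHP_EOL);
    }
    exit;
}

// Session hardening: cookie not readable by JavaScript, only sent over HTTPS
// when the page itself is on HTTPS, and unknown session ids are rejected
// instead of adopted (blocks the simplest session fixation).
$https = ($_SERVER['HTTPS'] ?? 'off') !== 'off';
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', $https ? '1' : '0');
ini_set('session.use_strict_mode', '1');
session_start();

if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_destroy();
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

$error = null;
if (isset($_POST['submit'])) {
    $user = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['pass'] ?? '');
    if (check_login($user, $pass)) {
        // Fresh session id after login so an id planted before login is useless.
        session_regenerate_id(true);
        $_SESSION['admin'] = true;
    } else {
        usleep(250000);              // small delay to slow down online guessing
        $error = 'Incorrect login info.';
    }
}

if (!empty($_SESSION['admin'])) {
    echo '<p>Show admin page. <a href="?logout=1">Log out</a></p>';
} else {
    if ($error !== null) {
        echo '<p>', htmlspecialchars($error), '</p>';
    }
    echo '<form method="post">'
       . 'User: <input name="user"> '
       . 'Pass: <input type="password" name="pass"> '
       . '<input type="submit" name="submit" value="Log in">'
       . '</form>';
}
```

Run `php admin.php make-hash 'your password'` once, paste the printed digest into ADMIN_HASH, and every other page of the admin area only needs `session_start();` followed by a check of `$_SESSION['admin']`. If someone manages to read the PHP source they learn the salt and the digest but not the password, which is the whole point of storing a hash; a single SHA-512 is fast to brute-force offline, though, so on PHP 5.5 or later the stronger choice is to replace make_hash()/hash_equals() with password_hash() and password_verify(), which use bcrypt, salt automatically and are deliberately slow.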

Re: Secure PHP Login

Posted: Mon Mar 07, 2011 3:40 am
by moinshaikh
I know you don't want to use MySQL, but using MySQL with MySQL injection will make your admin panel much more secure...beyond imagination.

Re: Secure PHP Login

Posted: Mon Mar 07, 2011 4:54 am
by Apollo
moinshaikh wrote:I know you don't want to use MySQL, but using MySQL with MySQL injection will make your admin panel much more secure...beyond imagination.
How is that, if he only needs one login? (admin)