PHP & MySQL site login, security concepts
Posted: Sun Feb 15, 2009 8:55 pm
Hi everyone
I've been using/learning PHP and MySQL for 2/3 years now, but I've never had to create a login system before. Now's the time.
I've been reading up on a whole bunch of stuff and here's a very very simple framework I found... http://insanesecurity.wordpress.com/200 ... in-script/
I won't be using the obfuscated MySQL table/column names.
But it seems the main things to consider are that you should hash the password ASAP, and store it hashed in the DB.
Escape all data, both incoming and outgoing... which I do anyway.
Then on every page of the site, I will require() a file auth.php, which will have the code checking whether a session variable has been set which indicates whether the user is logged in or not.
But that all seems quite simple really, not much PHP code needed.
Are there any other best-practice pointers I should follow to ensure maximum security?
Thanks, B
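An added example, not code from the post or from the linked script, of the three pieces the post describes: hashing the password as soon as it arrives, binding user input instead of escaping it by hand, and an auth.php-style session check for every protected page. The PDO connection `$db` and the table `users(id, username, password_hash)` are assumptions.

```php
<?php
// Added example, not the post's or the linked script's code. Assumes a PDO
// connection $db and a table users(id, username, password_hash).
ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
ini_set('session.cookie_httponly', '1');   // keep the session cookie away from JavaScript
session_start();

function register(PDO $db, string $username, string $password): void {
    // Hash immediately; the plaintext never reaches the database.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool {
    // Bound parameters instead of escaping: input is never spliced into SQL.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown so that an
    // unknown username and a wrong password take about the same time.
    $hash = $row ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }
    session_regenerate_id(true);            // fresh session id once privileges change
    $_SESSION['user_id'] = (int) $row['id'];
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {   // upgrade old hashes on login
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// auth.php equivalent: require() this file and call require_login() on every protected page.
function require_login(): void {
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}

// "Escape outgoing data": encode anything echoed back into HTML.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

The `ini_set()` calls and `session_start()` have to run before any output is sent, so this file belongs at the very top of each page that includes it.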