dna88 Web development and Technology Forum
 
Secure log in script with php

 
dna88 Forum Index -> Web scripting language Discussion Forum
emm
Power User
Joined: 13 Jul 2004
Posts: 310

Post subject: Secure log in script with php

This article describes how to create a secure PHP login script with a MySQL database that will allow safe authentication. It uses session management, features a remember-me function using cookies, and validates logins on each request to prevent session stealing.

http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/

It uses an IP check to eliminate common hacking attempts on the script.
_________________
“You might say reality is the result of complex negotiations between the observer and the observed. But that is simply a point of view…”
Digital Bangladesh
Fri Jul 30, 04 6:13 am
quantum
Site Admin
Joined: 07 Mar 2004
Posts: 1048
Location: Dhaka, Bangladesh

Post subject: Secure PHP log in script

That's really cool, man. All of us PHP programmers need a login script at some point in our programming life. On a similar topic, one may want to check out this article too.

[http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes]

Quote:
The purpose of this document is to inform PHP programmers of common security mistakes that can be overlooked in PHP scripts. While many of the following concepts may appear to be common sense, they are unfortunately not always common practice. After applying the following practices to your coding, you will be able to eliminate the vast majority of security holes that plague many scripts. Many of these security holes have been found in widely-used open source and commercial PHP scripts in the past.


The main points are:

1. Never use include/require from user input without properly and thoroughly checking the conditions.

2. Placing user-inputted values into the eval() function can be extremely dangerous. You essentially give the malicious user the ability to execute any command he or she wishes! So be careful with eval()

3. Be careful when using register_globals = ON.
This has been a major issue since this feature was invented. It was originally designed to make programming in PHP easier (and that it did), but misuse of it often led to security holes.

4. Never run unescaped queries.
_________________

Dust fills my eyes / Clouds roll by / and I roll with them / Centuries cry / Orders fly / and I fall again
Afford best design, implement best solution. Outsource your web design.
Fri Jul 30, 04 9:42 am
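Added example (editor's code, not from either devshed article or from any poster in this thread): the login lookup written the two ways point 4 contrasts, a query with the username pasted into the SQL text and the same lookup with a bound parameter and password_verify(), followed by the per-request check the first post describes, a session record bound to the client address and User-Agent seen at login. PDO with an in-memory SQLite database stands in for the MySQL table so it runs offline; the users table, the "alice" account, the forged input and the request arrays are all constructed for the demo, and PHP 7.4+ with the pdo_sqlite extension is assumed. The remember-me cookie from the first post is not covered here.

```php
<?php
declare(strict_types=1);

// Constructed fixture: an in-memory SQLite database standing in for the MySQL table.
// Assumes PHP 7.4+ with the pdo_sqlite extension.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pwhash TEXT NOT NULL)');
    $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Point 4 as the mistake: the username is interpolated into the SQL text. The password
// is checked properly, yet a UNION lets the attacker return a row whose hash they chose.
function unsafeLogin(PDO $db, string $user, string $pass): ?array {
    $sql = "SELECT id, username, pwhash FROM users WHERE username = '$user'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($pass, $row['pwhash'])) {
        return ['id' => $row['id'], 'username' => $row['username']];
    }
    return null;
}

// Same lookup with a bound parameter: the input can only ever be compared as a value.
function safeLogin(PDO $db, string $user, string $pass): ?array {
    $st = $db->prepare('SELECT id, username, pwhash FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($pass, $row['pwhash'])) {
        return ['id' => $row['id'], 'username' => $row['username']];
    }
    return null;
}

// The first post's "validate the login on each request": remember the client address
// and a hash of the User-Agent at login time, then re-check both on every request.
function issueSession(array $user, array $server): array {
    return [
        'uid'  => $user['id'],
        'ip'   => $server['REMOTE_ADDR'] ?? '',
        'ua'   => hash('sha256', $server['HTTP_USER_AGENT'] ?? ''),
        'seen' => time(),
    ];
}

function sessionIsValid(array $sess, array $server, int $idleLimit = 1800): bool {
    if (($server['REMOTE_ADDR'] ?? '') !== $sess['ip']) {
        return false;   // session cookie replayed from a different address
    }
    if (hash('sha256', $server['HTTP_USER_AGENT'] ?? '') !== $sess['ua']) {
        return false;   // different browser than the one that logged in
    }
    return (time() - $sess['seen']) <= $idleLimit;   // idle timeout
}

if (PHP_SAPI === 'cli') {
    $db = makeDb();
    $show = static function (string $label, ?array $u): void {
        echo $label, ': ', $u ? "logged in as {$u['username']} (id {$u['id']})" : 'rejected', "\n";
    };

    // Constructed attack input: a UNION row carrying the hash of a password the attacker knows.
    $forged = "x' UNION SELECT 1, 'alice', '" . password_hash('letmein', PASSWORD_DEFAULT) . "' --";
    $show('unsafeLogin with forged username', unsafeLogin($db, $forged, 'letmein'));
    $show('safeLogin with forged username  ', safeLogin($db, $forged, 'letmein'));
    $show('safeLogin with real credentials ', safeLogin($db, 'alice', 'correct horse'));

    // Constructed request environments: the login request and a replay from elsewhere.
    $atLogin = ['REMOTE_ADDR' => '198.51.100.4', 'HTTP_USER_AGENT' => 'Mozilla/5.0'];
    $replay  = ['REMOTE_ADDR' => '203.0.113.9',  'HTTP_USER_AGENT' => 'Mozilla/5.0'];
    $sess    = issueSession(safeLogin($db, 'alice', 'correct horse'), $atLogin);
    echo 'same client next request: ', sessionIsValid($sess, $atLogin) ? 'valid' : 'invalid', "\n";
    echo 'cookie replayed elsewhere: ', sessionIsValid($sess, $replay) ? 'valid' : 'invalid', "\n";
}
```

The address check is the IP check the first post mentions. It cuts off a stolen cookie used from another network, but it also logs out legitimate users whose address changes mid-session (mobile clients, rotating proxy pools), so production code usually makes it configurable and never relies on it as the only protection.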
emm
Power User
Joined: 13 Jul 2004
Posts: 310

Post subject: PHP security tips

Thanks for the additional tips. Should come in handy.
Sat Jul 31, 04 10:30 pm
quantum
Site Admin
Joined: 07 Mar 2004
Posts: 1048
Location: Dhaka, Bangladesh

Post subject: Increasing security for your PHP web pages

A few more things I learned to increase the security of your PHP pages.

PHP is processed on the server before anything is sent to the browser. Because of this, no PHP is sent to the browser, only the HTML output produced by the script.

So don't leave off your opening and closing PHP tags, and your code is safe from surfers.

Also, a good idea is to put your connection info in a connect.inc file and include it at the beginning, so that if the PHP server does fail and people can look at your code in raw form, they can't see your info.

Add this to your index and admin pages (just the main pages)

Code:
// Look at the raw (still URL-encoded) query string in lower case and send the visitor
// back to the front page if it carries an encoded " union " or a SQL comment opener.
$queryString = strtolower($_SERVER['QUERY_STRING'] ?? '');
if (strpos($queryString, '%20union%20') !== false || strpos($queryString, '/*') !== false) {
    header('Location: index.php');
    exit;
}


Add this to your included files:
Code:
// If this include file is the script actually being requested, redirect instead of
// running it. stripos() replaces eregi(), which was removed in PHP 7. Note that this
// check only runs at all when the web server hands .inc files to PHP.
if (stripos($_SERVER['SCRIPT_NAME'] ?? '', 'THISFILENAME.inc') !== false) {
    header('Location: ../relative/path/to/index.php');
    exit;
}

Sun Aug 08, 04 7:23 am
lamdude
Just In
Joined: 24 Jan 2006
Posts: 1


Hi all!
I have an Invision Power Board forum... Can someone tell me how to edit my files, I guess index.php and admin.php, to stop and log GET requests with words like "union", "select", "%", "ibf_members", etc.? I want to log the IP and the GET request in a file like hackattempts.log...
Thanks!

PS: Sorry about my bad English.
Tue Jan 24, 06 3:24 am
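Added example (editor's code, not from Invision Power Board, from the devshed articles or from any poster here) that serves both the query-string check posted earlier and the question just above: the same kind of filter, extended to URL-decode the query string before matching so the `+` and `%2F%2A` spellings of the same probe are caught, to match `union`, `select` and `ibf_members` as whole words, and to append the client address and request to a hackattempts.log before the caller redirects. The `%` character asked about is deliberately left out of the pattern list because it appears in every URL-encoded request. Function names, the log path and the sample requests are all constructed for the demo; in production the guard runs at the top of index.php or admin.php against the real `$_SERVER`.

```php
<?php
declare(strict_types=1);

// Whole words asked about above, plus the comment opener the earlier filter looked for.
// Word boundaries keep "selection" or "reunion" in ordinary searches from matching.
const SUSPICIOUS_RE = '/\b(?:union|select|ibf_members)\b|\/\*/';

// Return the first suspicious token found in the query string, or null if it looks clean.
function suspiciousQuery(string $rawQuery): ?string {
    // urldecode() maps %20 and + to a space and %2F%2A to /*, so a single comparison
    // covers the encodings a browser or a probe might use.
    $decoded = strtolower(urldecode($rawQuery));
    return preg_match(SUSPICIOUS_RE, $decoded, $m) === 1 ? $m[0] : null;
}

// Append one tab-separated line: time, client address, request URI, matched token.
// Control characters are replaced so a crafted URI cannot forge extra log lines.
function logAttempt(string $logFile, array $server, string $match): void {
    $uri  = preg_replace('/[\x00-\x1f\x7f]+/', '?', $server['REQUEST_URI'] ?? '-');
    $line = sprintf("%s\t%s\t%s\t%s\n", date('c'), $server['REMOTE_ADDR'] ?? '-', $uri, $match);
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// For the top of index.php / admin.php. Returns true when the request was logged and
// should be refused; the caller then does header('Location: index.php'); exit;
function guardRequest(array $server, string $logFile): bool {
    $match = suspiciousQuery($server['QUERY_STRING'] ?? '');
    if ($match === null) {
        return false;
    }
    logAttempt($logFile, $server, $match);
    return true;
}

if (PHP_SAPI === 'cli') {
    $logFile = sys_get_temp_dir() . '/hackattempts.log';   // demo path, constructed
    // Constructed sample query strings: one ordinary search and three spellings of one probe.
    $samples = [
        'act=Search&f=12&t=selection',
        'showuser=1%20union%20select%201',
        'showuser=1+union+select+1',
        'showuser=1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect',
    ];
    foreach ($samples as $qs) {
        $server = [
            'REMOTE_ADDR'  => '203.0.113.7',   // documentation-range address, constructed
            'QUERY_STRING' => $qs,
            'REQUEST_URI'  => '/index.php?' . $qs,
        ];
        printf("%-48s %s\n", $qs, guardRequest($server, $logFile) ? 'blocked and logged' : 'allowed');
    }
    echo "log file: $logFile\n";
}
```

A keyword filter like this is a tripwire, not a fix: it tells you who is probing, while the queries themselves still have to be parameterised so that anything the filter misses does no harm.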
All times are GMT - 7 Hours

Driven by phpBB © phpBB Group