Server Help Forum Index
Community forums for Subgame, ASSS, and bots
[PHP] User Authentication Methods

Synook
Posted: Fri Apr 27, 2007 6:53 am    Post subject: [PHP] User Authentication Methods

Hello all,

If you have any ideas for a PHP script to authenticate users, where the user data is extracted from a MySQL database table with the passwords hashed using md5(), please post it here. I need some ideas for my new CMS - PageSquid - as version 0.4 will have multiple users.

I have a method, but I am sure it is horribly insecure, so I won't post it here...

Thanks. I'm sure we will be able to come up with a solution together.

P.S. I know I could have used the Tracker on SourceForge, but it seems horribly slow to get responses.
CypherJF
Posted: Fri Apr 27, 2007 7:15 am

Best way to secure passwords would be to use a 1-way crypting algorithm; make sure you use a unique salt value.

If you do use md5, don't use it alone as it's pretty susceptible to dictionary attacks. You'd want to hash it with something (Bl#!@#<password>#%)^^%); better yet, crypt() it, then md5 the results?
Synook
Posted: Fri Apr 27, 2007 8:24 am

Uh... but what I am thinking of is a way to authenticate users as they log in, as in they enter their username and password and click "log in". Then, how do we make sure that they are who they seem? The obvious way is to just query the database for the user's record using their username, and compare the hashed password to the one in the database. But how secure is this, and is there a better way?
k0zy
Posted: Fri Apr 27, 2007 1:40 pm

What CypherJF said.

Also, make sure to mysql_escape_string the data the users enter and that register_globals is turned off.

Best way would probably be to fetch the password for the given user and then compare it against the entered one in PHP.

And make sure your error message on a failed login is "user not found or wrong password".
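The login flow the two replies above describe (CypherJF: a one-way hash with a unique salt, preferably via crypt(); k0zy: fetch the stored value for the username, compare in PHP, escape the input, one generic failure message), written out as an added example. This is the editor's code, not PageSquid's. It assumes PHP 7 or later with PDO and the pdo_sqlite driver, and password_hash()/password_verify(), which did not exist when this thread was written (they wrap crypt() with a random per-user salt, which is exactly the recommendation made above). An in-memory SQLite database stands in for MySQL so the file runs offline; the queries are unchanged for MySQL.

```php
<?php
// Added example (the editor's, not PageSquid's code): username/password login
// with a per-user salted one-way hash, checked in PHP.
// Assumptions: PHP >= 7 with PDO + pdo_sqlite (SQLite stands in for MySQL so
// this runs offline) and password_hash()/password_verify() (PHP >= 5.5).

// Unknown usernames get the same hash work as wrong passwords, so the reply
// time does not reveal which of the two failed.
function dummy_hash(): string {
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not a real password', PASSWORD_DEFAULT);
    }
    return $hash;
}

function create_user(PDO $db, string $username, string $password): void {
    // password_hash() draws a random salt and stores it inside its own output
    // (e.g. "$2y$10$<salt><hash>"), so the table needs no separate salt column.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username,
                    ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

function authenticate(PDO $db, string $username, string $password): bool {
    // Bound parameters instead of mysql_real_escape_string(): the username is
    // never spliced into the SQL text, so there is no quoting to get wrong.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stored = ($row === false) ? dummy_hash() : $row['password'];
    // password_verify() re-runs crypt() with the salt taken from $stored and
    // compares in constant time.
    return password_verify($password, $stored) && $row !== false;
}

// One message for both failure cases, as k0zy suggests.
function login_message(PDO $db, string $username, string $password): string {
    return authenticate($db, $username, $password)
        ? 'Login OK'
        : 'User not found or wrong password';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
create_user($db, 'synook', 'correct horse battery staple');   // constructed sample user

echo login_message($db, 'synook', 'correct horse battery staple'), "\n";
echo login_message($db, 'synook', 'wrong password'), "\n";
echo login_message($db, 'nobody', 'anything'), "\n";
echo login_message($db, "synook' OR '1'='1", 'anything'), "\n";   // constructed injection attempt
```

Run it with `php login.php`; the last three calls all produce the same generic message, and the injection attempt is just a username that does not exist. If you must keep md5() for existing rows, check them with password_verify() only after re-hashing on the user's next successful login; an unsalted md5 column is what the dictionary-attack warning above is about.
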
CypherJF
Posted: Fri Apr 27, 2007 5:12 pm

Also, don't send passwords plain-text over a MySQL query; it can easily be sniffed on a network.
Mine GO BOOM
Posted: Fri Apr 27, 2007 8:42 pm

CypherJF wrote:
Also, don't send passwords plain-text over a MySQL query; it can easily be sniffed on a network.

And HTTP is much better (he never said https anywhere)? Most MySQL connections are localhost (goes through a unix socket, never touches a network) or a local networked machine, which hits through one of two switches in the datacenter. Most people who have more than one machine in a datacenter generally have their own switches and just set up their own VLAN. Thus, security here is a moot point.

A pretty secure, but lazy, salted password method would be a table with a password column of char(40), a salt column of whatever size you want, and in your select statement to validate your user, throw this into your where clause:
Code:
SELECT *
FROM user_table
WHERE username = "$username"
-- CONCAT(), not "+": in MySQL "+" is numeric addition, not string concatenation
AND password = SHA1(CONCAT("$password", salt, "some random constant string"))

You don't even need to do the hashing in php. Sure, you could just return the row back, and then do the security check in php, but your SQL database can do it faster and you can cut back on what you return. The constant string is extra protection, where if someone gets your database but not your source code, it helps protect a bit more. It doesn't cost much more processor time.

As noted above, protect your user supplied strings with mysql_real_escape_string.
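The scheme in the post above (char(40) password column, per-user salt column, hash computed by MySQL inside the WHERE clause, constant string kept in the PHP source), written out as an added example. This is the editor's code, not PageSquid's or Mine GO BOOM's. It assumes a reachable MySQL server whose connection settings come from the environment variables named below (hypothetical names), PDO with the mysql driver, and PHP 7.1 or later for random_bytes() and list destructuring. Bound parameters take the place of the "$username" / "$password" interpolation, and CONCAT() takes the place of "+", which MySQL treats as numeric addition.

```php
<?php
// Added example (the editor's, not PageSquid's code): Mine GO BOOM's scheme
// with the hash computed by MySQL inside the WHERE clause.
// Assumptions: a reachable MySQL server (settings from the hypothetical
// environment variables below), PDO with the mysql driver, PHP >= 7.1.

// The constant string from the post: it lives only in the PHP source, so a
// copy of the database alone is not enough to start cracking.
const PEPPER = 'some random constant string';   // replace per deployment

function connect(): PDO {
    $db = new PDO(getenv('PAGESQUID_DSN')  ?: 'mysql:host=127.0.0.1;dbname=pagesquid',
                  getenv('PAGESQUID_USER') ?: 'pagesquid',
                  getenv('PAGESQUID_PASS') ?: '');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Native server-side prepares: the client library never interpolates the
    // bound values into the SQL text.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $db;
}

function create_schema(PDO $db): void {
    // SHA1 in hex is 40 characters, hence char(40) as in the post.
    $db->exec('CREATE TABLE IF NOT EXISTS user_table (
                   username VARCHAR(64) NOT NULL PRIMARY KEY,
                   password CHAR(40)    NOT NULL,
                   salt     CHAR(16)    NOT NULL)');
}

function create_user(PDO $db, string $username, string $password): void {
    $salt = bin2hex(random_bytes(8));   // 16 hex characters, fresh for every user
    // Distinct placeholder names: native prepares reject a name used twice.
    $stmt = $db->prepare('INSERT INTO user_table (username, password, salt)
                          VALUES (:u, SHA1(CONCAT(:p, :s1, :k)), :s2)');
    $stmt->execute([':u' => $username, ':p' => $password,
                    ':s1' => $salt, ':s2' => $salt, ':k' => PEPPER]);
}

function authenticate(PDO $db, string $username, string $password): bool {
    // The post's WHERE clause, with the hash done by the server. Only one
    // column comes back instead of the whole row.
    $stmt = $db->prepare('SELECT 1 FROM user_table
                          WHERE username = :u
                            AND password = SHA1(CONCAT(:p, salt, :k))');
    $stmt->execute([':u' => $username, ':p' => $password, ':k' => PEPPER]);
    return $stmt->fetchColumn() !== false;
}

$db = connect();
create_schema($db);
$db->prepare('DELETE FROM user_table WHERE username = ?')->execute(['synook']);
create_user($db, 'synook', 'correct horse battery staple');   // constructed sample user

foreach ([['synook', 'correct horse battery staple'],   // constructed login attempts
          ['synook', 'wrong password'],
          ['nobody', 'anything']] as [$u, $p]) {
    echo "$u: ", authenticate($db, $u, $p) ? 'login ok' : 'user not found or wrong password', "\n";
}
```

Two caveats a practitioner should weigh before choosing this over hashing in PHP: the plain-text password still reaches the MySQL server as a bound value, so it lands in the general query log if that is switched on; and SHA1 is fast, so a dumped table with its salts can be brute-forced far more quickly than one built with crypt() or a similar slow hash. The constant string only helps while the PHP source stays private.
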
CypherJF
Posted: Fri Apr 27, 2007 8:53 pm

I do like your recommendation there MGB.
Mine GO BOOM
Posted: Fri Apr 27, 2007 9:13 pm

CypherJF wrote:
I do like your recommendation there MGB.

For more generic Password Authentication information, try SH/SC Wiki.
Forum: Non-Subspace Related Coding. All times are GMT - 5 Hours.