What is a secured login? How do I develop one in PHP? Please keep in mind that I'm just a beginner in PHP.
Is this just the login or the whole authentication process (registration, verification, login, management)? – yretuta Jan 25 '10 at 05:10
4 Answers
I would suggest getting an OpenID solution to incorporate in your website.
For example: PHP OpenID Library
Other than OpenID, this article will give you a good start on the basics of a PHP login.
a better question would be: how can you call a PHP login app "secure"?
here are some pointers (I'm quite new to PHP too, so pls bear with me)
- secure connection (via SSL)
- hashed passwords when stored to database (one-way hashing is recommended)
- validation - make sure that you impose certain character limits (max/min password, username, email, etc), characters are in the format you expect...etc...
here are implementations
- redirect your http://www.site.com/loginpage.php to something like https://yoursite.com/login.php
- hashed password = study md5 hashing with salt or, if you want to make your life easier, use phpass (no need for salts, one-way hashing, built by a "pro")
- validation - use PHP's built-in validation functions or construct your own regular expressions (or better yet use validation libraries)
sorry to have no links for resources, but googling them up is quite easy
In this day and age, with so many superior hashing algorithms, why do we keep pushing md5? It's like peddling IE6 to the masses. Sure it works, but technically it should be long forgotten. – Dan McGrath Jan 25 '10 at 05:13
I am quite intrigued, are there other ways of hashing using salts other than md5? I am currently using phpass so other than md5, don't know anything else – yretuta Jan 25 '10 at 06:03
A secure login system is typically not much more than giving a user a cookie (see php sessions) and then checking for that cookie on every 'secure' page. A user would obtain this by logging in, which you can do with openid or by storing usernames and passwords.
Only to add to the aforementioned points:
One of the most important things to protect against in php logins and forms that rely on database access in general is sql injection.
This most commonly occurs with poorly sanitized inputs. Using mysql_real_escape_string() provides general protection. With the advent of OOP in PHP 5, it's highly advantageous to consider using the PDO extension for PHP to make parameterized sql statements at the point the mysql server executes them.
To add to what DeaconDesparado said, if you use prepared statements for mysql, it is automatically sanitized against SQL injection. – Paul Hoffer Jul 06 '10 at 21:00
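Putting the two main points of this thread together (salted one-way password hashing from the second answer, parameterized queries from the last answer), here is an added example that is not from any of the answers above. It uses PHP's built-in password_hash()/password_verify() instead of md5 or phpass, and assumes the PDO SQLite driver is available so the script runs stand-alone with an in-memory database and a constructed sample user.

```php
<?php
// Added example: minimal login check with PDO prepared statements and
// password_hash()/password_verify(). The in-memory SQLite database, the
// table and the sample user are constructed here purely for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration: store only a salted one-way hash, never the password itself.
// password_hash() picks a random salt and embeds it in the returned string.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// UNSAFE pattern the answers warn about: user input spliced into the SQL text.
// Kept only to contrast with checkLogin() below; never use this form.
function findUserUnsafe(PDO $db, string $username)
{
    $sql = "SELECT password_hash FROM users WHERE username = '$username'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// SAFE pattern: the statement is compiled first and the value is bound
// separately, so the database never interprets the username as SQL.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt from the stored hash and compares in constant time.
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Constructed sample user; the apostrophe shows that a bound parameter needs
// no manual escaping, where the unsafe query breaks on the same character.
registerUser($db, "o'brien", 'correct horse battery staple');

var_dump(checkLogin($db, "o'brien", 'correct horse battery staple'));
var_dump(checkLogin($db, "o'brien", 'wrong password'));
var_dump(checkLogin($db, 'nobody', 'anything'));

try {
    findUserUnsafe($db, "o'brien");
} catch (PDOException $e) {
    echo "unsafe query failed on a legitimate username: " . $e->getMessage() . PHP_EOL;
}
```

Run it with `php login_example.php`; the first var_dump should be true, the next two false, and the final line shows the string-concatenated query rejecting a perfectly valid username, which is the same parsing confusion an injection attack relies on.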