PHP advice

gordon.cooke
Level 3
Posts: 157
Joined: Tue Dec 01, 2009 9:48 pm
Location: New York

PHP advice

Post by gordon.cooke »

Okay, so this has nothing really to do with Mint (thus the open chat) and some other website might seem more appropriate, but hey, the Mint community is just awesome people! So I figured I'd try here.

I'm working on a conversion from ASP to PHP for something I built years ago on ASP 6 with MS SQL Server. I've come to a sticky point: user logins. What I'm wondering is, what is the best way to do this in PHP on a LAMP stack?

What I had done: on the old site, I created every user in MS SQL. Then the ASP used their login UID and pwd to try and connect to the database. If it connected, I used the session in MS SQL Server to keep track of the user. I did have a table for the users in the database, but I only used it to store some misc info, no passwords or emails and such (if I remember correctly it integrated with the Windows domain, so as long as the database username matched the domain username I could pull email and such that way).

For PHP: I think the simple answer is to just use a table to store the user accounts and passwords. The PHP runs server-side and I only need one UID for MySQL so the PHP pages can retrieve data and such. I can manage roles and different permission sets with case statements in the PHP pages. I know how to do this, but it just seems too simple and maybe insecure?

I saw some things online that it is possible to do an MD5 and then just store the MD5 hash in the user database and not the raw password. Seems a bit better, but necessary? I could do something like I did before: put all users into MySQL as users, and use a connection to MySQL to test if the credentials are good, but that doesn't seem efficient. I just don't like it; difficult to manage and such.

Are there better ways? What is usually done in PHP?

Also, do PHP sessions work differently? I may be misunderstanding, but do PHP sessions rely on cookies? Can you use session variables without setting cookies on the client side?
------------------------------------------------------------------------
Mint 13 64bit Cinnamon
Asus U56E Laptop, Core i5-2410M, Intel graphics, 6GB RAM
Mint 9 64bit
Averatec 2573 Laptop, AMD Turion 64x2, ATI Graphics, Atheros wireless, 3GB RAM
KittyKatt
Level 3
Posts: 116
Joined: Sun Jun 14, 2009 12:12 pm

Re: PHP advice

Post by KittyKatt »

gordon.cooke wrote:
I saw some things online that it is possible to do an MD5 and then just store the MD5 hash in the user database and not the raw password. Seems a bit better, but necessary? I could do something like I did before: put all users into MySQL as users, and use a connection to MySQL to test if the credentials are good, but that doesn't seem efficient. I just don't like it; difficult to manage and such.

This is the way I'm going to have to suggest. Hashing passwords on user creation, and thus new table row creation, is pretty secure. What you would then do is, when a user attempts to log in with a UID, hash the password they're TRYING to use, compare it to the stored hash for that UID, and if they're the same log them in.
markfiend
Level 4
Posts: 310
Joined: Wed Apr 15, 2009 2:56 pm
Location: Leeds, UK

Re: PHP advice

Post by markfiend »

No offence, but the idea of creating every user login as a separate SQL user gave me a bit of a :shock: moment. I would certainly never consider doing anything like that!

Anyhoo, yes, store user details on a database table. You need to store (at least) your user's username, a password "salt" (randomly generated) and the hash of (the salt concatenated with the user-entered password). See this note on the php manual: http://uk3.php.net/manual/en/function.hash.php#94104

A primer on php session security is available on the php manual site here: http://uk3.php.net/manual/en/session.security.php Yes, sessions are stored as user cookies, so assume they may be hacked with.

If you've already used ASP you probably already know about SQL injection attacks, but for the benefit of lurkers: Make sure you clean all user input. NEVER feed the $_POST values straight into an SQL query: imagine in your php:

```php
$sql = "SELECT * FROM users WHERE name = '" . $_POST['userName'] . "';";
```
If the user has entered as their username:

```text
' or '1'='1
```
then the SQL statement will be translated as

```sql
SELECT * FROM users WHERE name = '' or '1'='1';
```
which will return all the rows of the table. Not good.

In short, trust as little input from your users as you can. Assume any user input could be malicious. If you leave any hole, assume a script-kiddy will find it.

(I'm a Zend certified engineer for php5)
Omnia mutantur, nihil interit.
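Putting the two points of the answer above together (per-user salted hashes in a users table, and never concatenating $_POST into SQL) as an added example that is not code from the thread. It uses PHP's built-in password_hash()/password_verify(), which generate and store the random salt inside the hash string, in place of the hand-rolled salt column the post describes, and PDO bound parameters for the lookup; the DSN, credentials and the `users` table layout are assumptions.

```php
<?php
// Added example, not code from the thread: storing users in a table with per-user salted
// hashes and looking them up with a bound parameter. Assumes a table created with:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       name VARCHAR(64) NOT NULL UNIQUE, pass_hash VARCHAR(255) NOT NULL);
// password_hash() picks a random salt and stores it inside the returned string, so the
// manual "salt column + hash(salt.password)" scheme from the post is handled for you.

function connect(): PDO
{
    // Assumed DSN and credentials: the single application-level MySQL user the OP describes.
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'appuser', 'app-password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepared statements
    return $pdo;
}

function createUser(PDO $pdo, string $name, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt with a fresh random salt
    $stmt = $pdo->prepare('INSERT INTO users (name, pass_hash) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name, ':hash' => $hash]);
}

// Returns the user id on success, null otherwise. The username is sent as a bound parameter,
// so the ' or '1'='1 input from the post is matched literally instead of being parsed as SQL.
function authenticate(PDO $pdo, string $name, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, pass_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    if (password_needs_rehash($row['pass_hash'], PASSWORD_DEFAULT)) { // upgrade old hashes on login
        $upd = $pdo->prepare('UPDATE users SET pass_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Login handler: $_POST values only ever reach the database through bound parameters.
$pdo = connect();
$uid = authenticate($pdo, $_POST['userName'] ?? '', $_POST['password'] ?? '');
if ($uid !== null) {
    session_start();
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['uid'] = $uid;
}
```

Because the session id lives in a cookie (as the post notes), regenerating it on login and serving it only over HTTPS with the cookie marked HttpOnly limits what a stolen or fixed session id is worth.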
gordon.cooke
Level 3
Posts: 157
Joined: Tue Dec 01, 2009 9:48 pm
Location: New York

Re: PHP advice

Post by gordon.cooke »

Thanks for the replies!

@kittykat: I'll definitely be hashing then.

@markfiend: no offense taken. I pulled this out after 5 years and thought "huh, now why did I do that?" I don't totally remember, but I think it was related to integrating with Windows user accounts. And at that time the web was not the only front end; folks on the intranet were accessing from MS Access, so that may have been a factor.

But anyhoo, doesn't matter now.

Using a salt is a great idea. I have to think through all the security issues with sessions and such, whether to do SSL etc. At the moment this is just a demo interface with fake data so protection isn't really an issue. If the potential customer picks it up then I probably need to work with them to integrate logins and such (do they allow cookies at all?). One I'm looking at uses smart cards and has some web login modules already, so probably just integrate into that. Of course the more I do now the less to do later.

Thanks for the link to the PHP site. I've been working with the info at www.w3schools.com.

OK, so I'm rambling on more than you probably care. Thanks for the input! I feel better now knowing it is normal to just store users in a table.
------------------------------------------------------------------------
Mint 13 64bit Cinnamon
Asus U56E Laptop, Core i5-2410M, Intel graphics, 6GB RAM
Mint 9 64bit
Averatec 2573 Laptop, AMD Turion 64x2, ATI Graphics, Atheros wireless, 3GB RAM
markfiend
Level 4
Posts: 310
Joined: Wed Apr 15, 2009 2:56 pm
Location: Leeds, UK

Re: PHP advice

Post by markfiend »

Another couple of security suggestions:

If there are three incorrect login attempts from one IP address, block that address from making further login attempts for (say) an hour to prevent brute-force attacks.

Don't differentiate in error messages between "right username, wrong password" and "wrong username". Otherwise an attacker knows they've hit a correct username and can concentrate on forcing that user's password.
Omnia mutantur, nihil interit.
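Both suggestions in the post above, as an added example that is not code from the thread: a per-IP counter that blocks an address for an hour after three failures, and a login function that returns one identical message for an unknown user, a wrong password and a blocked address. The in-memory array, the user list and the `$lookup` callable are constructed for the demo; PHP 7.4 or later is assumed.

```php
<?php
// Added example, not code from the thread: per-IP throttling after three failed logins and
// one uniform error message. The attempt store is an in-memory array so the snippet runs
// stand-alone; a real site would keep it in a table or cache shared by all PHP workers.
const MAX_FAILURES = 3;
const BLOCK_SECONDS = 3600; // the hour suggested in the post
$attempts = []; // ip => ['count' => failures so far, 'blocked_until' => unix timestamp]

function isBlocked(array $attempts, string $ip, int $now): bool
{
    return isset($attempts[$ip]) && $attempts[$ip]['blocked_until'] > $now;
}

function recordFailure(array &$attempts, string $ip, int $now): void
{
    $entry = $attempts[$ip] ?? ['count' => 0, 'blocked_until' => 0];
    $entry['count']++;
    if ($entry['count'] >= MAX_FAILURES) {
        $entry = ['count' => 0, 'blocked_until' => $now + BLOCK_SECONDS]; // block, then start over
    }
    $attempts[$ip] = $entry;
}

// $lookup is a callable(string $name): ?string giving the stored hash, or null for an unknown user.
// Unknown user, wrong password and blocked address all produce the same string.
function tryLogin(array &$attempts, callable $lookup, string $ip, string $name, string $pw, int $now): string
{
    if (isBlocked($attempts, $ip, $now)) {
        return 'Login failed';
    }
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT); // verified against for unknown users
    $hash = $lookup($name);
    $ok = password_verify($pw, $hash ?? $dummy) && $hash !== null; // similar timing either way
    if (!$ok) {
        recordFailure($attempts, $ip, $now);
        return 'Login failed';
    }
    unset($attempts[$ip]); // a successful login clears the counter
    return 'OK';
}

// Constructed demo: three wrong guesses, the right password inside the hour, then after it.
$users = ['gordon' => password_hash('correct horse', PASSWORD_DEFAULT)];
$lookup = fn(string $n): ?string => $users[$n] ?? null;
$t = time();
foreach (['wrong', 'wrong', 'wrong', 'correct horse'] as $pw) {
    echo tryLogin($attempts, $lookup, '203.0.113.7', 'gordon', $pw, $t), "\n";
}
echo tryLogin($attempts, $lookup, '203.0.113.7', 'gordon', 'correct horse', $t + BLOCK_SECONDS + 1), "\n";
```

The fourth call is rejected even though the password is right, because the address is still inside its block window; only the last call, after the hour has passed, succeeds.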