I was doing something similar, but I moved to using the session in PHP. Is that wrong? What would be a good login/security script/class to use?

-----Original Message-----
From: Mike Morris <[EMAIL PROTECTED]>
Sent: Oct 5, 2004 3:05 PM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] Re: Safe / Secure Login Script

These are not PHP specific suggestions, but I see two big problems:

> 5.)     Password is then encrypted using base64_encode() 6.)     

You've confused encryption and encoding. Base64 encoding is trivial to decode, and fairly obvious to spot as well. All this achieves is that someone can't accidentally - before they avert their eyes - read the password while doing a "view source". But anyone who wants it can get it if they're given the base64 encoded representation. I wouldn't use this method - or a website that did.

> 8.)     If No username is found, Message is sent to end user stating
> username does not exist. 

Don't tell them whether it was the username or the password that was wrong. Doing so lets a hacker decompose a complex problem into two simpler problems. With your method, I would first keep trying until you confirm that I've guessed a valid username, then I can go about guessing the password. If I don't know which is wrong, the number of possibilities is increased geometrically.

Mike Morris
The Music Place
1617 Willowhurst Avenue
San Jose, CA 95125
(408) 445-ARTS (2787)
------------------------------------
    Your Free Historical Quote:
        Finally, it is my most fervent prayer to that Almighty Being before whom I now stand, and who has kept us in His hands from the infancy of our Republic to the present day, that He will so overrule all my intentions and actions and inspire the hearts of my fellow-citizens that we may be preserved from dangers of all kinds and continue forever a united and happy people.
                    - Andrew Jackson, Second Inaugural Address, March 4, 1833
------------------------------------

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
<a href="mailto:[EMAIL PROTECTED]">Dylan Barber</a>
Webmaster / Web Developer / Programming
<a href="http://codegalaxy.com">-codegalaxy.com-</a>
<a href="http://summer-swim.com">-summer-swim.com-</a>
<a href="http://clipurl.com">-clipurl.com-</a>

<em>'This electronic transmission is intended for the addressee(s) named above. It 
contains information that is privileged, confidential, or otherwise protected from use 
and disclosure. If you are not the intended recipient, you are hereby notified that 
any review, disclosure, copying, or dissemination of this transmission, or the taking 
of any action in reliance on its contents, or other use is strictly prohibited. If you 
have received this transmission in error, please notify the sender that this message 
was received in error and then delete this message.'</em>
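The two points Mike raises in the quoted message (base64 is encoding, not encryption; and the login response must not reveal whether the username or the password was wrong) together with Dylan's question about PHP sessions, worked through as an added example. This code is not from either poster; it assumes a hypothetical `users` table with `username` and `password_hash` columns, reached through PDO, and uses an in-memory SQLite database with constructed sample data so it runs stand-alone.

```php
<?php
// Added example, not code from the thread. Assumes a hypothetical table
// users(username, password_hash) reachable via PDO.
declare(strict_types=1);

// Registration: store a salted, slow hash. base64_encode() is reversible
// encoding, not encryption, so it protects nothing.
function storePassword(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: returns true only for a valid username/password pair. The caller
// shows one generic message for every failure, so the response does not
// tell an attacker whether the username exists.
function attemptLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // When the user is unknown, still run password_verify() against a dummy
    // hash so that the time taken does not reveal that the lookup failed.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $hash = $row !== false ? $row['password_hash'] : $dummyHash;

    $ok = password_verify($password, $hash);
    if ($row === false) {
        $ok = false; // never accept a login for a user that does not exist
    }
    return $ok;
}

// Session handling for a web request after a successful login: discard the
// pre-login session id so a fixated or sniffed id cannot be reused.
function startAuthenticatedSession(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
}

// Demo with constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
storePassword($db, 'alice', 'correct horse battery staple');

$attempts = [
    ['alice',  'correct horse battery staple'], // valid
    ['alice',  'wrong-password'],               // bad password
    ['nobody', 'anything'],                     // unknown user
];
foreach ($attempts as [$u, $p]) {
    // Identical message for an unknown user and a wrong password.
    echo $u, ': ', attemptLogin($db, $u, $p)
        ? "logged in\n"
        : "Invalid username or password.\n";
}
```

The dummy-hash step is the part most scripts omit: without it, a request for an unknown username returns noticeably faster than one that runs the hash comparison, which leaks the same information the generic message was meant to hide.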
