> -----Original Message-----
> From: Liam Gibbs [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 8:20 PM
> Subject: [PHP] PHP Security Leak
> I'm wondering if anyone has any ideas on how to make a
> login site more secure. Since I'm not really sure if
> I've explained myself well enough and don't really
> know how else to say it, I'll just give examples and
> then you guys can follow suit and mention some
> oversights:
> I have a regular logon: username and password. What it
> does is, when the user types in a name and pword, it
> forwards to another PHP page (a 'middleman' page that
> is there just to compare usernames and pwords),
> validates by checking the SQL database, then header
> forwards to the login page. A cookie is created, and
> voila, you're allowed into what we'll call the
> 'account pages'. Now, here's my 'security' (notice the
> quotes):
> 1. You can't log in when the URL includes a username
> and/or a password (so that no one can make direct
> links).
> 2. Same with an account page: you're redirected to the
> login page if you include a username and pword when
> linking to an account page.
> 3. The 'middleman' page also has this protection: you
> cna't directly link to it with a username and pword in
> the URL. Basically, users can't get into anything when
> they include a username and pword in the URL.
> 4. Obviously, you don't get access if your username
> and password don't match anything in the database
> (thought I'd mention it even though it goes without
> saying).
> 5. You can't login from a page that isn't on the
> server.
> Is there any validation or security holes that I'm
> overlooking?

at least this two:

1. Use SSL
2. Store passwords MD5 encrypted in the DB


Maxim Maletsky
Founder, Chief Developer

www.PHPBeginner.com   // where PHP Begins

> __________________________________________________
> Do You Yahoo!?
> Yahoo! Games - play chess, backgammon, pool and more
> http://games.yahoo.com/
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to