Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Creating a webpage with user accounts, what do I need to keep in mind?

Tags:

security

php

mysqli

user-accounts

I am trying to write a website that has user accounts. There isn't much sensitive information other than the password and email address. But I don't really understand what I'm doing; I'm kind of hacking it along as I go. Is there anything I should be keeping in mind with respect to security or any other important details?

like image 989
DavidR Avatar asked Jun 19 '10 19:06

DavidR

4 Answers

You should:

  • encrypt sensitive data
  • avoid:
    • avoid sql injection
    • Session hijacking
    • Session fixation

Recommended Reading:

PHP Security Guide

like image 73
Sarfraz Avatar answered Nov 01 '22 05:11

Sarfraz

Sarfraz Ahmed brought up some good resources for reading. You could also use a PHP class for user authentication, there are plenty. I my self have put up a project called userFlex on sourceForge http://uflex.sourceforge.net

userFlex has a decent documentation and it does more than just login users; it does registration and field validations, password resets, confirmation codes for registrations, handles sessions and more like autologin.

Again im just putting up userFlex as an example, you could also look into http://www.phpclasses.org/browse/file/5269.html or many other good Classes in PHPclasses.org.

like image 25
Pablo Avatar answered Nov 01 '22 04:11

Pablo

Use JanRain Engage (formerly rpxnow.com) for authentication. Their solution lets people use their existing credentials from Google, Yahoo, Microsoft, Facebook and others to log into your site. Many of these providers will give a valid OpenID and often a valid email address as a part of the authentication process.

If you use JanRain, you then only have to store the email address or the OpenID for a user, and you don't have to store passwords or password hashes. Furthermore, you don't have to implement any password reset functionality, or "forgot my password". Also your user registration functionality can be much smaller because you start it with a valid email address or OpenID provided by its owner.

The communication between your application and JanRain is authenticated and encrypted, so it is all nice & secure.

like image 3
Jay Godse Avatar answered Nov 01 '22 04:11

Jay Godse

You MUST use the MD5 php function for passwords. Simple way of securing it. Also make sure you use strip_tags in php so that someone cant execute commands in your input boxes. Since there isn't any sensetive data i dont think you need to encrypt anything. Just make sure the login system is perfect and the user has no other way of accessing data without logging in..

Shud suffice for a basic login script..

like image 1
Laz Avatar answered Nov 01 '22 03:11

Laz
Sign in to Comment

Related questions

Post array limit?
Laravel Collection get unique values from nested datastructure
PHP7 / MemCache Deprecated Error Message
Can not post in laravel 5 over jquery Ajax
Laravel custom console command invoking constructor of all other custom commands
Redirect vs RedirectMatch
Accidentally removed vendor folder in laravel project
How to pass boolean values between PHP, HTML forms, and Javascript
xampp installed on Mac not accessible via localhost, only local ip
Laravel Guzzle GET request
Stripe Payment request button with subscriptions
PHP: multiple SQL queries in one mysql_query statement
What's the best way to store class variables in PHP? [closed]
Singular Value Decomposition (SVD) in PHP
MVC as best practice for professional level programming?
PHP errors -> Warning: mysqli_stmt::execute(): Couldn't fetch mysqli_stmt | Warning: mysqli_stmt::close()
Delete a header in PHP
drupal (CMS) or codeigniter (MVC) for creating a new web application? [closed]
Most efficient way to extract bit flags
How to customize Yii CGridView Pager?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!