1

I am new to PHP development, and I don't have any coworkers to discuss PHP with, so I'll post my question here.

I have managed to write a login script for myself, which looks a lot like the script on this site: http://www.phpeasystep.com/phptu/6.html

My question is: is this a safe approach? Is there a good tutorial on PHP login scripts? Is there something wrong with the approach of storing information in the session?

hogni89
  • 1,920
  • 6
  • 22
  • 39

6 Answers

4

A couple of issues with the tutorial you posted.

  1. It seems really old. stripslashes? session_register? Those are all constructs from previous versions of PHP that are considered bad practice by now.
  2. Even though the author says it's MySQL injection safe, it isn't; you can fool mysql_real_escape_string too. Use PDO with prepared statements for database stuff.
  3. Judging from the code, it seems the passwords are all stored in the database unencrypted; that's unwise! Check Secure hash and salt for PHP passwords to learn how to hash/store passwords in a safe way.
  4. The readable password is stored in the session; anyone with access to your cookie will also be able to read your password one to one from the cookie. BAD!

If you want to do it right, read The definitive guide to form-based website authentication and implement its suggestions.

ChrisR
  • 14,370
  • 16
  • 70
  • 107
  • I both encrypt and salt the passwords. No concerns here. Just wondering about the "select from db -> store in session" approach. New to PHP, and don't want to leave the door open :) – hogni89 Apr 19 '12 at 08:28
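As an added example (not the asker's script, not code from the linked tutorial and not ChrisR's own code), here is a login handler that applies the four points above: a PDO prepared statement instead of string-built SQL, password_verify against a stored hash, a fresh session id on login, and a session that holds identifiers only, never the password. It assumes PHP 7.1 or later and a table `users(id, username, password_hash, session_token)`; the table and column names, the DSN and the credentials are placeholders.

```php
<?php
// login.php: added example, not code from the question or the tutorial.
// Assumes PHP 7.1+ (password_verify, random_bytes, nullable return types)
// and a table users(id, username UNIQUE, password_hash VARCHAR(255),
// session_token CHAR(32) NULL). Names, DSN and credentials are assumptions.
declare(strict_types=1);
session_start();

function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

// Returns the user id on success, null on failure. Neither the caller nor
// the client learns whether the username or the password was wrong.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // A tutorial-style query "... WHERE username='$u' and password='$p'"
    // lets a username of  ' OR '1'='1  rewrite the WHERE clause. With a bound
    // parameter the same string is just a username that does not exist.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run one password_verify even for unknown usernames, so response time
    // does not reveal which usernames exist.
    $storedHash = $row ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $storedHash) || !$row) {
        return null;
    }

    // Transparent upgrade when the default algorithm or cost changes.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $pdo    = db();
    $userId = authenticate($pdo, $username, $password);
    if ($userId === null) {
        http_response_code(401);
        exit('Wrong username or password.');
    }

    // Fresh session id at the privilege change: a session id an attacker
    // planted before login (session fixation) is now worthless.
    session_regenerate_id(true);

    // A random per-login token kept in the session and in the users row lets
    // the server revoke this session later by clearing the column.
    $token = bin2hex(random_bytes(16));
    $upd   = $pdo->prepare('UPDATE users SET session_token = :t WHERE id = :id');
    $upd->execute([':t' => $token, ':id' => $userId]);

    // Only identifiers go into the session. The cleartext password is not
    // stored anywhere: not in the session, not in a cookie, not in the DB.
    $_SESSION['user_id']       = $userId;
    $_SESSION['session_token'] = $token;
    $_SESSION['last_seen']     = time();
    unset($password);

    header('Location: login_success.php');
    exit;
}
```

The error message is deliberately the same for an unknown user and a wrong password, and the dummy hash check keeps the two cases close in timing; what the session carries afterwards is a user id and a revocation token, which is all a later page needs to look the user up.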
2

It's not safe at all:

  • You are storing the password unencrypted in the database. Store only the hash (SHA-256 or better, SHA-512) in the database (with a salt) and then query for the username and the hash of the POSTed password.
  • You are storing the password unencrypted in the cookie. You shouldn't do that at all. You should store a session id in the database with which you can check the session status each time a page is loaded.
  • I don't know if you're using it, but try SSL encryption (https) for encrypted transfer of user credentials.
Stefan
  • 2,028
  • 2
  • 36
  • 53
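The per-page check this answer describes, as an added example (not Stefan's code): a file included at the top of every protected page that forces HTTPS, sets Secure/HttpOnly/SameSite on the session cookie, and validates the session against a token stored in the database so that the server can revoke it. It assumes PHP 7.3 or later (array form of session_set_cookie_params), and that the login script stored `$_SESSION['user_id']`, `$_SESSION['session_token']` and `$_SESSION['last_seen']` with the same token in `users.session_token`; table and column names, DSN and credentials are assumptions.

```php
<?php
// auth_check.php: added example of the per-request session check; not
// Stefan's code. Include at the top of every protected page. Assumes PHP 7.3+
// and that login stored user_id, session_token and last_seen in $_SESSION and
// the same token in users.session_token (names, DSN, credentials assumed).
declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 30 * 60;

// Credentials and the session cookie travel only over TLS. Redirect before
// session_start() so no cookie is issued on the plain-HTTP request.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// Cookie attributes must be set before session_start() emits the cookie:
//   Secure   - never sent over http://
//   HttpOnly - not readable by JavaScript, so an XSS cannot simply read it
//   SameSite - not attached to cross-site POSTs (CSRF mitigation)
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
session_start();

function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Returns the user row for a valid, non-expired, non-revoked session, else null.
function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'], $_SESSION['session_token'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - (int) $_SESSION['last_seen'] > IDLE_LIMIT_SECONDS) {
        return null;                                   // idle timeout
    }
    $stmt = $pdo->prepare('SELECT id, username, session_token FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // The server-side token is the revocation handle: clearing
    // users.session_token (password change, "log out everywhere", admin
    // action) ends the session on the next request, whatever the cookie says.
    if (!$user || $user['session_token'] === null
        || !hash_equals((string) $user['session_token'], (string) $_SESSION['session_token'])) {
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $user;
}

function requireLogin(PDO $pdo): array
{
    $user = currentUser($pdo);
    if ($user === null) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;
    }
    return $user;
}

$currentUser = requireLogin(db());
// From here on $currentUser['id'] and $currentUser['username'] are trusted and
// the including page renders for that user.
```

Nothing in the session is a secret the user typed; the cookie is only ever a random session id, and the token lookup means a stolen or stale cookie stops working as soon as the row is cleared or the idle limit passes.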
2

Definitely unsafe; it is storing the password as text, without hashing. Check password hashing (at least SHA-256, never MD5 or SHA-1) and salting. Hashing will encode the password so no one will be able to get the password in case of a successful DB attack. Salting will add some security: you just add some string to every password and hash it. You can have a custom salt for every user and a server salt with some special chars that are not on the keyboard. That would make the password pretty safe. Using PDO and parameters for SQL queries would make it safer from SQL injection attacks.
As for storing in the session: OK, but never store the password; the password is inserted, hashed, and never used again, at least until another login.

Milan Halada
  • 1,943
  • 18
  • 28
0

From having a look at that script, I would say that as long as you implement the stripslashes function and use a hashing algorithm (SHA-256) for storing passwords then you are going along the right lines. You could extend this further by adding a salt to the hash; this would protect you if someone ever attacked your database and did SELECT * FROM Password WHERE Password = 'HASH'; which would return all of the usernames and allow the attacker to attempt to log in with these credentials. SQL injection and XSS are common types of attacks on websites, which can be performed via the login system. I would recommend reading up on them.

Additional resources:

http://www.webstockbox.com/php/7-tutorials-on-how-to-create-a-php-login-system/

http://en.wikipedia.org/wiki/Cross-site_scripting

http://en.wikipedia.org/wiki/SQL_injection

Darren
  • 68,902
  • 24
  • 138
  • 144
0

No. It's much safer not to store passwords as-is. You'd better hash the password (i.e. with md5()) and store the hash in the DB. To make a login you take the password sent from a form, hash it and compare it with the hash stored in the DB.

s.webbandit
  • 16,332
  • 16
  • 58
  • 82
0

SHA512 hashing is the best way, with salt if possible, but I have found loads about this and using PDO but I can't make a register form that uses the SHA512 hash. Any ideas? Reply please.

Jay Mee
  • 55
  • 1
  • 11
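A registration form and handler of the kind asked for above, as an added example that is not Jay Mee's code and not from the original question. It stores passwords with password_hash, which generates a random per-user salt and records algorithm, cost and salt inside the returned string (so the "SELECT ... WHERE Password = 'HASH'" lookup in Darren's answer returns at most one row, and no separate salt column is needed). A second function shows the salted, iterated crypt(3) SHA-512 form for the case where a SHA-512 scheme is mandated; password_verify accepts both formats. Assumes PHP 7.1 or later and a `users` table with a UNIQUE index on `username` and a `password_hash VARCHAR(255)` column; names, DSN and credentials are assumptions.

```php
<?php
// register.php: added example, not Jay Mee's code. Assumes PHP 7.1+ and a
// users table with username UNIQUE and password_hash VARCHAR(255) (names,
// DSN and credentials are assumptions).
declare(strict_types=1);

// password_hash() chooses the algorithm (bcrypt for PASSWORD_DEFAULT today),
// draws a random per-user salt and embeds algorithm, cost and salt in the
// result, so nothing else has to be stored or "kept secret on the server".
// Caveat: bcrypt only looks at the first 72 bytes of the password.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Only if a SHA-512 scheme is mandated: use the salted, iterated crypt(3)
// SHA-512 format ($6$), not a single hash('sha512', $salt . $password), which
// a GPU can brute-force at billions of guesses per second.
function sha512CryptHash(string $password): string
{
    // 12 random bytes -> 16 chars; '+' is not in crypt's salt alphabet [./0-9A-Za-z]
    $salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    return crypt($password, '$6$rounds=100000$' . $salt . '$');
}

// Returns an error message, or null when the account was created.
function registerUser(PDO $pdo, string $username, string $password, string $confirm): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return 'Username: 3-32 letters, digits or underscores.';
    }
    if (strlen($password) < 12) {
        return 'Password must be at least 12 characters.';
    }
    if ($password !== $confirm) {
        return 'Passwords do not match.';
    }
    try {
        // Bound parameters: the username is data, never part of the SQL text.
        $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
        $stmt->execute([':u' => $username, ':h' => hashPassword($password)]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation, here the UNIQUE index.
        if ((string) $e->getCode() === '23000') {
            return 'That username is already taken.';
        }
        throw $e;
    }
    return null;
}

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $error = registerUser(
        $pdo,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? ''),
        (string) ($_POST['confirm']  ?? '')
    );
    if ($error === null) {
        header('Location: login.php?registered=1');
        exit;
    }
}
?>
<form method="post" action="register.php">
  <?php if ($error !== null): ?>
    <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
  <?php endif; ?>
  <label>Username <input name="username" autocomplete="username"></label>
  <label>Password <input name="password" type="password" autocomplete="new-password"></label>
  <label>Confirm  <input name="confirm"  type="password" autocomplete="new-password"></label>
  <button>Create account</button>
</form>
```

Whatever is rendered back to the user goes through htmlspecialchars, which is the XSS half of the advice in the answers above; the INSERT relies on the database's UNIQUE index rather than a separate SELECT, so two simultaneous registrations of the same name cannot both succeed.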