PHP Secure Login - password encryption

Question

Here is the login system to which the secure login is to be implemented/

main_login.php

    <form name="form1" method="post" action="checklogin.php">
    Username:<input name="myusername" type="text" id="myusername" /> <br />
    Password:<input name="mypassword" type="text" id="mypassword" />
    <input type="submit" name="Submit" value="Login" />
    </form>

Checklogin.php

<?php
ob_start();
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name="cosmos"; // Database name 
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

login_success.php

<?php
session_start();

if(isset($_SESSION['username']) && ($_SESSION['username'] == $myusername)){
header("location:main_login.php");
}
?>

<html>
<body>
Login Successful. <a href="logout.php">Logout</a>
</body>
</html>

logout.php

<?php
session_destroy();

header("location:main_login.php");
?>

the problem is that I want to make this secure login by password encryption or any other method (if any). I am beginner to PHP

Answer 1

To make this a little more secure, you should store encrypted passwords in your database and then compare the encrypted entered password with the stored hash. This way if someone somehow accesses the members table, they cannot see the actual passwords.

Suppose the password is myPassword then don't just store it, hash it first using an algorithm like md5 then store the hash which is deb1536f480475f7d593219aa1afd74c in your database. Then when user enters a password, hash it and compare two hashes.

For more secure approach, use SSL.

Answer 2

Normally you would store a hash of the passwords in the database see md5 however this doesn't make it secure between the webpage and server - for this you need to use https.

There are two things here.

1. If I'm a dumb user and when I sign up for your site I have to give a password I might give the same password as I used elsewhere so your site should really store a hash of the password instead of the real thing so if they get hacked the attackers won't get my password that I used everywhere. To do this you store the hash in your members table and in the query that checks it is valid you pass a hash instead of the real thing.

2. Under http the password will get sent from the browser to the server in plain text. If this is over the internet and an attacker has access to any networks in between the browser and client then they can see the password - if you hash it in the browser using javascript the attacker can pick up the hash and possibly use this to login to your site. That is why we have https. For a low cost (especially compared to development costs) you can buy a certificate that will secure the connection. If you don't want to do this you can self sign a certificate and use this. If your hosting does not allow you to use a certificate then it might be possible to create a home brew solution but it is much better to just find other hosting.

Answer 3

You can use md5($password) or sha1($password) while inserting the signup data to table.

to match again for login login

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='".md5($mypassword)."'"; $result=mysql_query($sql);

There is some other way too, to protect further. Using combination of sha1 and salt.

By the way why dont you use some quick php framework coz these small things are already built with them.

Thanks

Answer 4

As a beginner, most likely you do not need any encryption. Especially because it would be Javascript, not PHP.
Though it can be done.
You could use hashed challenge implementing Digest authentication schema

• server send a challenge - a random strimg
• client make a hash of this challenge and a password
• this hash being sent to server
• server doing a hash the same way and compare both

There are a lot of Javascript MD5 hashing algorithm implementations over internet.

Of course, an SSL certificate would be preferred over this homemade implementation.

But to get proper answer, you still need to clarify what exactly you want to encrypt and why. And why don't you concerned about securing something else. Your whole database for example.

Some notes for a while.
Your login_success code would either not work and protect nothing.
It should be just

if(isset($_SESSION['username'])){

because there is no $myusername variable to compare.
And there ought to be exit; right after header("location:...
Or a client will get protected contents anyway

Answer 5

You can encrypt the password to a degree with md5. You would need to md5 the password from when the user signs up and before the login md5....

Example: // Define $myusername and $mypassword $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; $mypassword = md5($mypassword);

You would also need to use this whenever you have a user sign up.