views:

60

answers:

1

I want to have a login form on a charity website I am building (it's for a friend, and I'm learning on the go), and I want to know what languages/software should I learn to build databases for user logins and info? Note: it HAS to be secure and relatively simple to learn for someone with moderate programming experience.

Update: I understand that CMSs offer good tools for logins etc. but I want to do this all by myself.

+5  A: 

The simplest thing you could do is hash and apply a salt to your passwords before entering them into the database. "The Wicked Flea" has a pretty good answer in another question here.

Have you thought about grabbing an off the shelf CMS? Most decent CMS's should contain all the functionality you need for a simple charity website. It would also give you a solid solution to your login form issue.

EDIT

As for what language to use. It really isn't very important so long as you are comfortable with it and willing to put time and effort. It shows in your profile that you're looking to learn PHP. Looks like writing a login form in PHP would be a nice starting point. As for a database back end. Again, it doesn't really matter. Just please just do not use MS Access. Most PHP developers (assuming) seem to use MySQL since it's usually what is included with a PHP web host.

About security, hashing and adding a salt to your password is about the easiest thing you can do. You could do something like this:

  • User clicks sign up link
  • Bring up sign up form using SSL
  • Once user clicks the submit button
  • Hash password. Add salt. Store in database. Adding a salt to your hashed password will prevent attacked from using a rainbow table to brute force your passwords. Take a look here for functions that take care of hashing passwords.
  • You could also force users to create a password with specific rules. Such as, requiring all passwords to be greater than 6 characters, at least one number, etc...

Once the user needs to log in, you can do something similar to:

  • Get username and sanitize it. Remember to NEVER trust the users input. It doesn't matter if God himself wants an account on your website.
  • Escape the password to ensure people without an account get access via SQL injection. You can do this using PHP's *mysql_real_escape_string* function.
  • Once all is in place you can query your database to see if there are any rows returned.

Lastly, never email your user their password in plain text. If the user forgets their password, simply allow them to create a new password. You can do this by sending the user a link in their email which will give them the ability to do so.

Honestly, your best bet is probably to complete this task and post back (new question) on SO with your code. From there we can analyze it and take it from there.

Something along those lines should fulfill your requirements.

Mike
Good answer, so +1, but I don't want to use a CMS. I should've been more specific
Rafe Kettler
I know this might seem daunting at first. However, as I suggested take a stab at it. And if you get stuck come back to SO. :)
Mike
@Rafe Kettler: If you do go for PHP, this [Password Hashing](http://phpsec.org/articles/2005/password-hashing.html) article explains some of the concepts and provides example code. I would also urge you to use [mysqli::prepare](http://php.net/manual/en/mysqli.prepare.php) [prepared statements](http://mattbango.com/notebook/web-development/prepared-statements-in-php-and-mysqli/) instead of dynamic SQL (assuming you use MySQL - but the same idea applies to other database engines).
Mike