I'm building an app that will store some of our clients' details, things like usernames / passwords, information that we need to remember and keep secure.

What's the best method for storing this information securely?

+1  A: 

Devlounge have a very good article on security.

http://www.devlounge.net/code/php-security

Andrei Serdeliuc
A: 

As far as passwords go you should store a hash of the password. Whenever you authenticate the user, you hash their inputted password and compare the result with what you've stored. This way you aren't storing the actual password.

AaronLS
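A worked version of the hash-and-compare scheme this answer describes, added as an example rather than code from any answer on this page; it suits passwords you only need to verify at login, not secrets you must read back later. It assumes PHP 5.5 or later for password_hash()/password_verify() and uses an in-memory array in place of the MySQL user table (the column name password_hash is assumed).

```php
<?php
// Added example (not from any answer on this page): hash on sign-up, verify
// on sign-in. $users stands in for the MySQL user table; in MySQL give the
// password_hash column VARCHAR(255) since PASSWORD_DEFAULT may change length.
declare(strict_types=1);

$users = []; // username => ['password_hash' => string]

function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() generates a random salt and embeds it in the result,
    // so the stored string never contains the plaintext password.
    $users[$username] = ['password_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function authenticate(array &$users, string $username, string $password): bool
{
    // For an unknown user still run a verify against a throwaway hash, so the
    // response time does not reveal which usernames exist.
    $stored = $users[$username]['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Only a user that actually exists may log in (guards the throwaway hash).
    if (!isset($users[$username])) {
        return false;
    }
    // If the default algorithm or cost has changed since the hash was made,
    // upgrade it now while the plaintext is still in hand.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample run.
registerUser($users, 'alice', 'correct horse battery staple');
// The stored value is a bcrypt hash, not the password itself.
var_dump(password_get_info($users['alice']['password_hash'])['algoName']);
var_dump(authenticate($users, 'alice', 'correct horse battery staple')); // correct password
var_dump(authenticate($users, 'alice', 'wrong password'));               // wrong password
var_dump(authenticate($users, 'mallory', 'placeholder'));                // unknown user
```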
+1  A: 

Such an open-ended question with not a lot of detail to go on. I'd suggest reading Chris Shiflett's excellent "Essential PHP Security" before you go any further. It's short, to the point and very practical.

There's also a reasonable amount of advice available from the book's website at http://phpsecurity.org/

David Heggie
+1  A: 

Using a PHP framework for security

If you want to get PHP security set up quickly without doing a load of research, a PHP framework would be a good idea.

I am a fan of CodeIgniter but other options include CakePHP and Zend.

Using a framework for security will mean you get a tried and tested method straight away, however there may be some time and effort needed to learn the framework.

A total list of PHP frameworks can be found on Wikipedia.

Jon Winstanley
Using a framework will not prevent you from making insecure applications. You DO need to know about security best practices. Frameworks are no substitute for secure coding. Not educating yourself about security because you use a framework is a very ignorant way of digging your own security hole.
Jacco
Fair enough. A framework is not a silver bullet. However, the built-in security classes which can clean up your data and help you avoid many XSS exploits can be very useful to someone with little experience.
Jon Winstanley
They certainly can help you.
Jacco
A: 

Pretty simple actually. Set up a quick MySQL database, and a user table. In that user table, store the usernames in a column and a hashed version of the password in another column.

As added security, I like to generate a random 8-character string and store that as well in each row - I call that column the "Keycode". When the user signs in with a correct username / password, I store their authentication in session variables AS WELL as the matching "Keycode".

That way, the session authentication can not only look for the right username / password, but quickly query the db, and check to see if the "Keycode" stored in the session variable is the same as the keycode in the row.

It works well because not even the user knows their keycode.

johnnietheblack
A: 

johnnietheblack

The user doesn't know their hash key either. You could have just as easily used that.

Drew