Re: Membership site

On Wed, 2011-07-27 at 14:01 -0700, wil prim wrote:

> Hello, I am just starting out with PHP and I have just created a database named "Members" with a table named "Persons". There are 5 fields (id, firstname, lastname, username, password). The form I created is a sign up form and the values entered into the form are inserted into the table "Persons". Now my question is how do I create a secure log in system with this new database? Thanks in advance! :)
> 


Well, first, as a measure of security, make sure that you don't store
the plain text password in the DB. Something like an md5($password .
$email . $name) offers a rudimentary protection. For something a little
meatier, try sha1(). Storing it this way means that even if someone
gained access to your DB, they don't actually have the passwords, as
people often reuse passwords on different sites.

As to the login, you would accept the username and password combo, and
then hash or encrypt the password with the salt again, and compare with
the entry in the DB. It's typical to have a counter of incorrect logins
as well. More than 3 in a row causes the login for that username to lock
for a specific period of time. To achieve this, you would need to add a
couple of fields to your Persons table, `attempts`(tinyint) &
`lock_time`(datetime).

When you attempt to log someone in with the username and password
(encrypted, hashed, whatever) you also check to see if the lock_time is
not some time in the future. If it is, then you don't allow them access.
If the password was wrong, then increment the attempts field by 1. If
this field gets incremented to a specific value (say 3 for example) then
you set the lock_time field to some date in the future, the wait period.

When a user logs in successfully, set the attempts counter to 0 again so
it's ready for the next login attempt to the account. This just ensures
that people aren't accidentally locked out indefinitely!

This is all just a rough sketch of how I'd go about it, but it
should be enough logic for you to put some code together. It's no more
complex than a couple of queries and a few if statements. It may help
you to flowchart the whole thing out to get the logic clear in your
mind.

-- 
Thanks,
Ash
http://www.ashleysheridan.co.uk
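A worked version of the hashed-password check and the `attempts`/`lock_time` lockout described in the reply above, as an added example that is not part of the original thread. It assumes PHP 7+ with the PDO SQLite driver, uses password_hash()/password_verify() in place of the md5/sha1 the reply mentions, and constructs one sample user; MAX_ATTEMPTS, LOCK_MINUTES, setupDb() and attemptLogin() are names chosen here.

```php
<?php
// Added example: login with hashed passwords plus the attempts/lock_time lockout.
// In-memory SQLite via PDO so it runs stand-alone; columns mirror the thread's "Persons" table.

const MAX_ATTEMPTS = 3;      // lock the account after this many wrong passwords in a row
const LOCK_MINUTES = 15;     // how long the lock lasts

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Persons (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT,
               username TEXT UNIQUE, password TEXT, attempts INTEGER DEFAULT 0, lock_time TEXT)');
    // Constructed sample user; only the hash is stored, never the plain-text password.
    $stmt = $db->prepare('INSERT INTO Persons (firstname, lastname, username, password) VALUES (?, ?, ?, ?)');
    $stmt->execute(['Wil', 'Prim', 'wil', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns 'ok', 'locked' or 'bad_password'. Prepared statements keep user input out of the SQL text.
function attemptLogin(PDO $db, string $username, string $password): string {
    $stmt = $db->prepare('SELECT id, password, attempts, lock_time FROM Persons WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'bad_password';   // same answer as a wrong password, so usernames are not enumerable
    }
    $now = new DateTimeImmutable();
    if ($row['lock_time'] !== null && new DateTimeImmutable($row['lock_time']) > $now) {
        return 'locked';         // lock_time still in the future: refuse without checking the password
    }
    if (password_verify($password, $row['password'])) {
        $db->prepare('UPDATE Persons SET attempts = 0, lock_time = NULL WHERE id = ?')->execute([$row['id']]);
        return 'ok';             // success resets the counter so nobody stays locked out indefinitely
    }
    $attempts = $row['attempts'] + 1;
    $lockTime = null;
    if ($attempts >= MAX_ATTEMPTS) {
        $lockTime = $now->modify('+' . LOCK_MINUTES . ' minutes')->format('Y-m-d H:i:s');
        $attempts = 0;           // start the count fresh once the lock expires
    }
    $db->prepare('UPDATE Persons SET attempts = ?, lock_time = ? WHERE id = ?')->execute([$attempts, $lockTime, $row['id']]);
    return 'bad_password';
}

$db = setupDb();
foreach (['wrong', 'wrong', 'wrong', 'correct horse'] as $try) {
    echo $try, ' => ', attemptLogin($db, 'wil', $try), PHP_EOL;   // bad_password three times, then locked
}
```

The final attempt uses the right password but is still refused because the third failure set `lock_time` 15 minutes ahead, which is exactly the check the reply describes.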


