In addition to the info below, I would caution you to do some research on password hashing. MD5 and SHA-1 are both known to be compromised because they are too fast. OWASP (Open Web Application Security Project) is a great resource for security research. There are many hashes available; if you have PHP 5.3+ look into bCrypt (built into PHP 5.3+ as CRYPT). The CRYPT_BLOWFISH option is the best choice. A good article is here:

http://yorickpeterse.com/articles/use-bcrypt-fool/

Otherwise, use this code to see a list of your available algorithms. You also want to make sure to research salting and stretching of your hash if you are unable to use bCrypt.

<?php
print_r(hash_algos());
?>

You might also want to look into PHPASS if you have a version of PHP previous to 5.3. Although it will default to using MD5 for older versions, the salting and stretching of the hash are what make it more secure, not the algorithm itself (there seems to be a bit of controversy on this point).

* Note that if you use PHPASS, once you do upgrade to 5.3+, it will default to the CRYPT_BLOWFISH option.

Cheers!
Jen

-----Original Message-----
From: Florian Müller [mailto:floripipo@xxxxxxxxxxx]
Sent: Friday, August 05, 2011 1:35 AM
To: midhungirish@xxxxxxxxx; php-general@xxxxxxxxxxxxx
Subject: RE: saving sessions

But please do not use cookies to store a password as code! Cookies are human readable with some add-ons....

Check like this: if someone registers, insert it into a table:

<?php
// Escape the username before it is embedded in the SQL string
$username = mysql_real_escape_string($_POST["username"]);
// Store the MD5 digest instead of the cleartext password
$password = md5($_POST["password"]);
mysql_query("INSERT INTO USER VALUES('" . $username . "','" . $password . "')");
header('location: register_success.php');
?>

Then, if someone wants to log in, use like this:

<?php
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
// Look for a row whose stored digest matches the digest of the submitted password
$sel = "SELECT * FROM USER WHERE USERNAME = '" . $username . "' AND PASSWORD = '" . $password . "'";
$unf = mysql_query($sel);
$count = mysql_num_rows($unf);
if ($count == 1) {
    header('location: login_success.php');
} else {
    echo "Login not successful!";
}
?>

If you want to store something into cookies, use a name which is not easily understandable, like a shortcut for a logical sentence: Titcftmws ("This is the cookie for the main webSite") or something ^^ In there, you can save username and password, but PLEASE save the password at least md5()-encrypted, so not everyone can save it. Now you can check like this:

<?php
// For the user with username 'jack' and password 'test' the cookie holds
// this value: "jack|098f6bcd4621d373cade4e832627b4f6"
if ($_COOKIE['Titcftmws'] == mysql_real_escape_string($_POST["username"]) . "|" . md5($_POST["password"])) {
    echo "you are logged in";
} else {
    echo "not logged in!";
}
?>

This is as far as I know a quite high level of security, in comparison with other ways.

Regs,
Flo

> From: midhungirish@xxxxxxxxx
> Date: Fri, 5 Aug 2011 08:20:11 +0530
> To: wilprim@xxxxxx
> CC: php-general@xxxxxxxxxxxxx
> Subject: Re: saving sessions
>
> On Sat, Aug 6, 2011 at 7:56 AM, wil prim <wilprim@xxxxxx> wrote:
>
> > Hello, I'm new to the whole storing sessions thing and I really don't know
> > how to ask this question, but here it goes. So on my site when someone logs
> > in, the login.php file checks for the username and password in the table I
> > created, then if it finds a match it will store a $_SESSION[] variable. To
> > be exact the code is as follows:
> >
> > if ($count=='1')
> > {
> >     session_start();
> >     $_SESSION['user']=$user; // $user is the $_POST['user'] from the login form
> >     header('location: login_success.php');
> > }
> >
> > Now what I would like to know is how do I make my website save new changes
> > the user made while in their account?
> >
> > thanks!
> >
>
> You will have to store the user account related data in the database for
> persistence.... Or if the site does not have a 'user account system' you may
> use cookies to store the settings...
>
> Midhun Girish

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
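Added example, not code from Jen, Florian or the list: it puts the register/login flow Florian sketched together with the bcrypt hashing Jen recommends (crypt() with CRYPT_BLOWFISH, i.e. a random salt plus a cost factor), uses prepared statements instead of string-built SQL, and keeps the logged-in state in a server-side session rather than in a cookie that carries the password hash. Assumptions: PHP 5.3.7+ (for the "$2y$" bcrypt prefix), the openssl extension for random salt bytes, PDO with the sqlite driver, and a hypothetical "users" table; the function names and the in-memory database are constructed for the demo.

```php
<?php
// Added example (not from the thread): bcrypt via crypt() CRYPT_BLOWFISH,
// prepared statements, and a session instead of a password-bearing cookie.
// Assumes PHP 5.3.7+, ext/openssl, PDO sqlite, hypothetical table "users".

function make_bcrypt_hash($password, $cost = 10)
{
    // bcrypt wants a 22-character salt from the ./A-Za-z0-9 alphabet.
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // A working bcrypt always yields a 60-character string; anything else
    // means CRYPT_BLOWFISH is unavailable and we must not store the result.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt (CRYPT_BLOWFISH) is not available');
    }
    return $hash;
}

function check_bcrypt_hash($password, $stored)
{
    // crypt() re-derives the hash using the salt and cost embedded in $stored.
    $candidate = crypt($password, $stored);
    if (strlen($candidate) !== strlen($stored)) {
        return false;
    }
    // Constant-time comparison so timing does not reveal how many bytes match.
    $diff = 0;
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($candidate[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

function register_user(PDO $db, $username, $password)
{
    // Placeholders keep the username out of the SQL text entirely,
    // so no escaping function is needed.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    return $stmt->execute(array($username, make_bcrypt_hash($password)));
}

function login_user(PDO $db, $username, $password)
{
    // Select by username only; the password is verified in PHP, never in SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !check_bcrypt_hash($password, $row['password_hash'])) {
        return false;
    }
    // Logged-in state lives server side; the browser only receives a session id.
    if (session_id() === '') {
        session_start();
    }
    session_regenerate_id(true);   // new id after login, old one is discarded
    $_SESSION['user'] = $username;
    return true;
}

// Demo against an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

register_user($db, 'jack', 'test');
// Collect results before printing so session_start() runs before any output.
$results = array(
    'correct password' => login_user($db, 'jack', 'test'),
    'wrong password'   => login_user($db, 'jack', 'wrong'),
    'unknown user'     => login_user($db, 'jill', 'test'),
);
var_dump($results);
```

Run it with "php example.php"; only the first login should succeed. The stored string (prefix, cost and salt followed by the digest) is all a verifier needs, so nothing secret has to be kept in the cookie: the session id is what the browser presents. On PHP 5.5+ the same scheme is wrapped by the built-in password_hash() and password_verify() functions.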