Network Security Programming

11 Methods To Keep Website Logins Safe And Secure Using PHP

Web based designers who develop login applications should keep these basic security measures in mind. Know that nothing in this world is unbreakable. With enough brain juice and time from God, anything can be broken into. The only thing that any security system can do is to slow down the attacker long enough to capture them and fix the flaws. A good security system is one that is able to protect and recover from assaults. PHP together with MySQL are in the top 5 most popular web language today. Many web design companies use them cause they are free and have supportive user groups that are helpful. The following methods should be in place in any system as a minimum.

  1. Username and Passwords
  2. Passwords are stronger at 8 characters, so keep that as a minimum. These are 4 simple methods that anyone can follow to create easy to remember strong passwords.

  3. Never be specific
  4. Even student developers are smart enough to just put up a unsuccessful login sign like

    • ‘Incorrect password / username’
    • ‘Unsuccessful login attempt’

    Never give out clues or leads that will help intruders like

    • ‘Password is missing one letter’
    • ‘Username is not found’

  5. Hiding Errors Messages
  6. Placing @ in front of many of PHP function calls will stop any failure message from showing in the browser window. The ampersand symbol becomes useful when database calls are made during database downtime. This will keep the website looking professional while reducing feedback to intruders.

  7. Encrypt passwords in user account table
  8. Even if the intruder is successful in gaining access to the table, they should only be able to see logins and not passwords. Encrypt all passwords in the table to hold an SHA-1 encrypted string before you compare the user input password to the one stored in the database.

    • Example Code
      $encrypted = sha1($password);
    • Example database data
      Username : rangit
      Password : d0be2dc421be4fcd0172e5afceea3970e2f3d940

  9. Keep a log of all user activities
  10. Log the total number of logins for each user, as well as the data/time of their last login.

  11. Remove ALL backslashes
  12. Prevent your code from breaking unexpectedly by using ready made PHP functions like strip_tags(), str_replace() and stripslashes().

    • Example code
      $login = @strip_tags($login);
      $login = @stripslashes($login);

  13. Use ‘maxlength’ in forms
  14. Limit the user to the allocated input size.

  15. Importance of referrer
  16. Make login scripts to check HTTP_REFERER to see that the request came from the same server. This security measure will stop simple spam bots and amateur attackers.

  17. Use $_POST not $_REQUEST
  18. If your HTML form uses POST to send the data to the login script, then make sure your login script gets the input data using $_POST and not $_REQUEST to prevent someone to pass data via GET, on the end of the URL string.

  19. SSL Encryption (https)
  20. If you think the website deserves the best of data privacy, purchase an SSL certificate to encrypt the pages.

  21. Limit user access according roles
  22. This is one of the most important method to prevent SQL injetions. Classify groups and distribute features and functionality based on roles. For example

    • Cashers can only enter in sales, and not delete it
    • HR personals should only see employee information, and not the financial data

Intelligent articles database

2 replies on “11 Methods To Keep Website Logins Safe And Secure Using PHP”

Leave a Reply

Your email address will not be published. Required fields are marked *