Web developers who build login applications should keep the following basic security measures in mind. Nothing is unbreakable: given enough skill and time, anything can be broken into. What a security system can do is slow the attacker down long enough to detect them, and make it possible to recover and fix the flaw afterwards. A good security system is one that both protects against and recovers from attacks. PHP together with MySQL is among the most popular web stacks today; many web design companies use them because they are free and have helpful user communities. The following measures should be in place in any login system as a minimum.
- Username and Passwords
Passwords are stronger at 8 characters or more, so enforce that as the minimum length on the server, not just in the form. These are 4 simple methods that anyone can follow to create easy to remember strong passwords.
- Never be specific
A login script should answer any failed attempt with nothing more than a generic message such as
- ‘Incorrect password / username’
- ‘Unsuccessful login attempt’
Never give out clues that narrow the search for an intruder, such as
- ‘Password is missing one letter’
- ‘Username is not found’
Placing @ (the error control operator, an at sign rather than an ampersand) in front of a PHP function call suppresses the warning or notice that call would otherwise print into the browser window. This matters most when database calls are made during database downtime, since a failed connection would otherwise dump the error text, and often the host name or user name, onto the page. The drawback is that @ hides the failure from you as well. The better practice in production is to set display_errors to Off and log_errors to On in php.ini, and to catch database failures explicitly and show a generic page; both keep the website looking professional while giving intruders no feedback.
Even if an intruder gets access to the users table, they should only be able to see logins, never usable passwords. Store a hash of each password rather than the password itself, and compare a hash of the submitted password to the stored one. Note that SHA-1 is a hash function, not encryption, and the bare, unsalted SHA-1 digest shown below is no longer adequate for password storage: identical passwords produce identical digests, a digest can be looked up in precomputed tables, and SHA-1 is fast enough to brute-force cheaply. Use a salted, deliberately slow password hash such as PHP's password_hash() / password_verify() instead.
- Example Code
$encrypted = sha1($password);
- Example database data
Username : rangit
Password : d0be2dc421be4fcd0172e5afceea3970e2f3d940
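As an added example that is not part of the original article, the following PHP puts the article's raw sha1() beside password_hash()/password_verify() (available since PHP 5.5), and includes a verify routine that still accepts a legacy 40-character SHA-1 row but returns a replacement hash to store, so old rows are upgraded at the user's next successful login. The function names, cost setting and sample passwords are my own choices.

```php
<?php
// Added example, not code from the original article: compare the raw sha1()
// approach with password_hash()/password_verify() (PHP 5.5+). Function names,
// the cost setting and the sample passwords are assumptions made for illustration.
declare(strict_types=1);

const HASH_COST = 12; // bcrypt work factor; raise it as hardware gets faster

// What the article does: unsalted SHA-1. Same password => same 40-hex-char digest
// for every user, and one precomputed table cracks the whole column.
function legacy_sha1_hash(string $password): string
{
    return sha1($password);
}

// Recommended: a salted, deliberately slow hash. PASSWORD_DEFAULT is bcrypt on
// current PHP releases; algorithm, cost and salt are embedded in the 60-character
// result, so the column should be VARCHAR(255) to leave room for future algorithms.
function hash_for_storage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
}

// Anything produced by password_hash() starts with '$'; the article's legacy
// rows are exactly 40 hexadecimal characters.
function is_legacy_sha1(string $stored): bool
{
    return strlen($stored) === 40 && ctype_xdigit($stored);
}

// Check a submitted password against what the users table holds.
// Returns [bool $ok, ?string $replacementHash]. When $replacementHash is not null
// the caller should UPDATE the row with it: that upgrades a legacy SHA-1 row to
// bcrypt, and re-hashes bcrypt rows made with a lower cost than HASH_COST.
// Nothing about why a check failed is returned to the caller.
function verify_password(string $password, string $stored): array
{
    if (is_legacy_sha1($stored)) {
        // hash_equals() compares in constant time, avoiding a timing side channel.
        $ok = hash_equals($stored, sha1($password));
        return [$ok, $ok ? hash_for_storage($password) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $needsUpgrade = password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
    return [true, $needsUpgrade ? hash_for_storage($password) : null];
}

// Demonstration with constructed data; no database involved.
$legacyRow = legacy_sha1_hash('S3cret!pass');
$modernRow = hash_for_storage('S3cret!pass');

echo "legacy row: $legacyRow\n";
echo "modern row: $modernRow\n";

// Two accounts with the same password: the SHA-1 digests are identical, while the
// bcrypt hashes differ because each carries its own random salt.
echo 'same sha1 for same password:   ', var_export(legacy_sha1_hash('S3cret!pass') === $legacyRow, true), "\n";
echo 'same bcrypt for same password: ', var_export(hash_for_storage('S3cret!pass') === $modernRow, true), "\n";

[$ok, $upgrade] = verify_password('S3cret!pass', $legacyRow);
echo 'legacy row, correct password: ok=', var_export($ok, true),
     ' upgrade hash returned=', var_export($upgrade !== null, true), "\n";

[$ok, $upgrade] = verify_password('wrong-password', $modernRow);
echo 'modern row, wrong password:   ok=', var_export($ok, true), "\n";

[$ok, $upgrade] = verify_password('S3cret!pass', $modernRow);
echo 'modern row, correct password: ok=', var_export($ok, true), "\n";
```

Run it from the command line with `php hash_example.php`. The point to take from the output is that hashing the same password twice with hash_for_storage() gives two different strings, which is why a leaked table of bcrypt hashes reveals neither shared passwords nor anything a single rainbow table can recover.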
Log the total number of logins for each user, together with the date and time of their last login. Log failed attempts as well: a burst of failures against one account is the signature of password guessing, and the record lets you rate-limit or lock the account while it is under attack.
Validate and clean input before using it. Ready-made PHP functions such as strip_tags(), str_replace() and stripslashes() are convenient for that, but on their own they do not prevent SQL injection: the only reliable defence is to hand user input to the database as a bound parameter of a prepared statement (mysqli or PDO) rather than splicing it into the query string. strip_tags() and htmlspecialchars() belong on output, where they stop injected HTML or script from being rendered. stripslashes() only undoes the escaping added by the old magic_quotes_gpc setting; with that setting off it removes backslashes the user legitimately typed, and any escaping you relied on.
- Example code
$login = strip_tags($login);   // drop HTML and script tags; the @ is unnecessary, these calls emit no warnings on a string
$login = stripslashes($login); // only when magic_quotes_gpc is on; otherwise it strips legitimate backslashes
Limit the user to the allocated input size, and enforce the limit in the script, not just in the form: a maxlength attribute is only advice to the browser, and an attacker can send a request of any length directly.
Making the login script check HTTP_REFERER to see that the request came from your own site will stop simple spam bots and amateur attackers, and nothing more: the Referer header is sent by the client, so anyone can forge it, and many browsers, proxies and privacy settings strip it, which will lock out legitimate users. Treat it as a speed bump at most. The reliable way to tie a form submission to your site is a random per-session token embedded in the form as a hidden field and checked by the script.
If your HTML form uses POST to send data to the login script, make sure the login script reads the input from $_POST and not $_REQUEST, so that nobody can pass the same fields via GET on the end of the URL string, where they would also end up in browser history, proxy logs and server logs. Rejecting any request whose method is not POST closes the same gap from the other side.
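The measures above come together in one script. The following is an added example, not the article's code: a login handler that logs errors instead of displaying them, accepts only POST and only $_POST, enforces input sizes on the server, checks a per-session form token instead of HTTP_REFERER, answers every failure with the same message, queries MySQL through a PDO prepared statement, and records the login count and last login time. The DSN, the `login_app` database account, the `users` table and its columns (id, username, password_hash as produced by password_hash(), login_count, last_login) and the size limits are placeholders I chose for illustration.

```php
<?php
// Added example, not the article's code. Assumptions: PDO with MySQL, a `users`
// table with columns id, username, password_hash (from password_hash()),
// login_count and last_login; DSN, account name and column names are placeholders.
declare(strict_types=1);

// Errors go to the server log, never to the browser; this replaces putting @ in
// front of every call and also covers database downtime.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

session_start();

// One message for every failure, so the response never says which part was wrong.
const LOGIN_FAILED = 'Incorrect username or password.';

function fail(string $logDetail): void
{
    // Detail stays in the log; control characters are replaced so a crafted
    // username cannot forge extra log lines. The user sees only the generic text.
    $logDetail = preg_replace('/[^\x20-\x7E]/', '?', $logDetail);
    error_log('login failed (' . $logDetail . ') from ' . ($_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(401);
    echo LOGIN_FAILED;
    exit;
}

// Called by the page that renders the form, which echoes the value into a hidden
// input named csrf_token. The token is random and lives only in the session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Only POST, and only $_POST: fields appended to the URL are ignored entirely.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit;
}

$token    = $_POST['csrf_token'] ?? '';
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// PHP turns name[]=x into an array, so check the type before any string function.
if (!is_string($token) || !is_string($username) || !is_string($password)) {
    fail('non-string field');
}

// Unlike the Referer header, the token is server-generated and bound to the
// session, so the client can neither choose it nor have it stripped by a proxy.
if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    fail('bad form token');
}

// Enforce the form's allocated sizes here; the browser's maxlength is only advisory.
if ($username === '' || strlen($username) > 64 || $password === '' || strlen($password) > 1024) {
    fail('input size');
}

try {
    // A low-privilege account: SELECT and UPDATE on users is all this script needs.
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'login_app', getenv('DB_PASS') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    // Prepared statement: the username travels as a bound parameter, never spliced
    // into the SQL text, so quotes or comment sequences in it are just characters.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run password_verify() against a throwaway hash so the
    // response time does not reveal which usernames exist.
    $storedHash = $row !== false ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $storedHash) || $row === false) {
        fail('bad credentials for "' . $username . '"');
    }

    // Record the successful login: total count and last date/time.
    $upd = $db->prepare('UPDATE users SET login_count = login_count + 1, last_login = NOW() WHERE id = ?');
    $upd->execute([$row['id']]);

    session_regenerate_id(true); // fresh session id once authenticated
    $_SESSION['user_id'] = (int) $row['id'];
    echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); // encode on output, not input
} catch (PDOException $e) {
    // Database down or query failure: real cause to the log, generic page to the user.
    error_log('login: database error: ' . $e->getMessage());
    http_response_code(503);
    echo 'Service temporarily unavailable. Please try again later.';
}
```

Two design points worth noting. The username never touches the SQL text, which is what makes the strip_tags()/stripslashes() calls unnecessary for injection purposes; htmlspecialchars() is applied at the one place the value is sent back to a browser. And the script never distinguishes "no such user" from "wrong password" in what it returns, in its status code, or (apart from one extra bcrypt computation) in how long it takes.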
Serve the login page, and the script it posts to, over HTTPS by obtaining an SSL/TLS certificate. Without it every username and password crosses the network in clear text, so this is not a luxury for sites that care most about data privacy; it is a baseline for any site that has logins at all.
Role-based access control limits the damage an attacker can do with a stolen login or an SQL injection flaw; it does not by itself prevent injection, which is the job of prepared statements. Classify users into groups and distribute features and functionality by role, and give the web application's own database account only the privileges its queries need (for instance no DELETE or DROP on tables the site never deletes from). For example
- Cashiers can only enter sales, not delete them
- HR personnel should only see employee information, not the financial data