Login script

essellar

Community Advocate
Community Support
You could do a whole lot worse than to use callumacrae's script in this thread.

Apart from emailing the password to the user (something you can decide upon yourself), it's the right way to go about it. It uses PDO to interact with the database in order to prevent SQL injection, etc. It uses a unique salt per user and PBKDF2 to hash the salted password in a difficult-to-crack way. Above all, it doesn't try to do anything clever -- it uses well-understood and well-tested methods to create just about the best security for login that you can deploy to a PHP-based environment without having extra language modules installed. And it's well-written, clear code, so it's easy to see what's going on (except in PBKDF2 itself, which is also pretty clear once you know a bit about bitwise operations).
 

misson

Community Paragon
Community Support
I just noticed another issue: it uses rand for cryptographic purposes, such as nonce generation (note: the statistical problems of rand aren't as obvious on Linux as they are on MS Windows, but they're still there). Under PHP, about the only cryptographically decent pseudo-random generator is openssl_random_pseudo_bytes, though to be truly cryptographically secure, you'd need true random numbers, such as by reading from /dev/urandom (which is available on the X10 servers).
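An added example (my own code, not callumacrae's script or anything posted in this thread) showing both points raised above: a nonce generator built on openssl_random_pseudo_bytes with a /dev/urandom fallback instead of rand, and a per-user salted PBKDF2 hash using PHP's built-in hash_pbkdf2. The function names and the storage format are my own choices.

```php
<?php
// Added example, not code from this thread. Needs PHP 5.6+ (hash_pbkdf2,
// hash_equals); on PHP 7+ random_bytes() does what secure_bytes() does here.

// Cryptographically secure random bytes. rand()/mt_rand() are predictable,
// which is fatal for nonces, salts and session tokens.
function secure_bytes($length)
{
    $strong = false;
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes !== false && $strong && strlen($bytes) === $length) {
        return $bytes;
    }
    // Fallback: read straight from the kernel CSPRNG.
    $bytes = @file_get_contents('/dev/urandom', false, null, 0, $length);
    if ($bytes !== false && strlen($bytes) === $length) {
        return $bytes;
    }
    // Fail closed rather than silently degrade to rand().
    throw new RuntimeException('No cryptographically secure RNG available');
}

// Nonce / CSRF token: 16 random bytes -> 32 hex characters.
function make_nonce()
{
    return bin2hex(secure_bytes(16));
}

// Per-user random salt + PBKDF2-SHA256. Salt and iteration count are stored
// alongside the hash so the work factor can be raised later.
function hash_password($password, $iterations = 100000)
{
    $salt = secure_bytes(16);
    $hash = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    return 'pbkdf2_sha256$' . $iterations . '$' . base64_encode($salt) . '$' . base64_encode($hash);
}

function verify_password($password, $stored)
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2_sha256') {
        return false;
    }
    $salt = base64_decode($parts[2], true);
    $expected = base64_decode($parts[3], true);
    if ($salt === false || $expected === false) {
        return false;
    }
    $actual = hash_pbkdf2('sha256', $password, $salt, (int) $parts[1], strlen($expected), true);
    return hash_equals($expected, $actual); // constant-time comparison
}
```

Store the string returned by hash_password in the users table via a PDO prepared statement; verify_password re-derives the hash from the stored salt and iteration count, so no per-site secret is needed.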
 