Well, there has been a fuss around the globe about user data, and about how well we have done at protecting users' interests on our side.
Online forums, portals.. all sorts of sites require a password for access.
We really should not store the password in plaintext in a MySQL table, or in a text file either.
Administrator access can easily slip into the wrong hands.. so the user passwords should not be left there for easy viewing..
Here are some examples of getting a simple “SHA1” hash into the user table..
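```php
/* Store user details */
// Only the SHA1 hash of the password is stored, never the password itself
$passwordHash = sha1($_POST['password']);
// Placeholders (?) keep the user-supplied values out of the SQL text
$sql = 'INSERT INTO user (username,passwordHash) VALUES (?,?)';
$result = $db->query($sql, array($_POST['username'], $passwordHash));
```
or
```php
// Hash the raw password: escaping it first would change the hash for
// passwords containing quotes, and the hex output of sha1() is already SQL-safe
$query = sprintf("INSERT INTO user (username,passwordHash) VALUES ('%s','%s')",
    mysql_real_escape_string($_POST['username']),
    sha1($_POST['password']));
// Perform SQL Query
$result = mysql_query($query);
```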
.. so the user table now holds the SHA1 hash rather than the password itself ..
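For the login form..
```php
// Escape the login id, since do_login() puts it straight into the SQL string
$userid = mysql_real_escape_string($_REQUEST['login_id']);
// Hash the submitted password the same way it was hashed when stored
$userpassword = sha1($_REQUEST['password']);
# here do whatever you need to auth.
# check for matching user id and password in local database
$processor = new DatabaseClassName();
$processor->do_login($userid,$userpassword);
```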
and somewhere in the library or wherever..
```php
class DatabaseClassName {
    function __construct () {
        session_start ();
    }
    // $user must already be escaped by the caller; $password is the SHA1 hex hash
    function do_login ($user,$password) {
        $sqlstatement = sprintf ( "SELECT count(*) AS UserCount FROM user ".
            "WHERE username = '%s' AND ".
            "passwordHash='%s'",$user,$password);
        // Uses the most recently opened MySQL connection
        $sqlq = mysql_query($sqlstatement);
        $users = mysql_fetch_array( $sqlq,MYSQL_ASSOC);
        $result = $users['UserCount'];
        if ( $result == 1) {
            $this->logged_in ($user);
        }
        return ($result == 1);
    }
    function logged_in ($user) {
        $_SESSION['id'] = $user;
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
        $_SESSION['timeout'] = time() + 10;
    }
    function logout () {
        $_SESSION = array();
        session_unset();
        session_destroy ();
    }
}
```
…Hmm..
For md5.. just need to change “sha1” to “md5”..
```php
$userpassword = sha1($_REQUEST['password']);
```
to
```php
$userpassword = md5($_REQUEST['password']);
```
** update..
if you want to use SHA-256
```php
// PHP has no sha256() function; SHA-256 is reached through hash()
$userpassword = hash('sha256', $_REQUEST['password']);
```
but if using SHA-256 .. you might have to calculate the hash yourself before adding it via the phpMyAdmin interface..
as the functions there only go up to MD5 and SHA1, I think.

.. can also add some noise.. or salt.. and whatever crap to it.. to make it a bit harder.
It might still be spoofed/sniffed by IP address or browser and all..
but at least.. it should not leave the user password in plaintext somewhere on the server itself..
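
The salting idea above, carried through with PHP's built-in password API (PHP 5.6 or later), as an added example that is not code from the original post: `password_hash()` salts each password and uses a deliberately slow algorithm, and `check_login()` upgrades existing `sha1()` rows the first time their owner logs in. The `$users` array standing in for the user table, the function names `store_password` and `check_login`, and the sample accounts are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post). The $users array stands in
// for the user table; names and sample accounts are constructed.

function store_password($password) {
    // password_hash() picks a random salt per call and embeds it, with the
    // algorithm and cost, in the returned string (use a VARCHAR(255) column).
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array &$users, $username, $password) {
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];

    // Legacy row: 40 hex characters from the unsalted sha1() scheme.
    if (preg_match('/^[0-9a-f]{40}$/', $stored)) {
        if (!hash_equals($stored, sha1($password))) {
            return false;
        }
        // Correct password: replace the weak hash while the plaintext is at hand.
        $users[$username] = store_password($password);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash if the default algorithm or cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = store_password($password);
    }
    return true;
}

// Constructed sample data: two legacy rows whose owners share a password.
$users = array('alice' => sha1('hunter2'), 'bob' => sha1('hunter2'));
var_dump($users['alice'] === $users['bob']);        // unsalted: same password, same hash
var_dump(check_login($users, 'alice', 'hunter2'));  // legacy check, then row upgraded
var_dump(check_login($users, 'bob', 'hunter2'));    // legacy check, then row upgraded
var_dump($users['alice'] === $users['bob']);        // compares the two upgraded rows
var_dump(check_login($users, 'alice', 'hunter2'));  // now checked by password_verify()
var_dump(check_login($users, 'alice', 'wrong'));    // wrong password
```

With a real table, the lookup and the upgrade in `check_login()` become a parameterised `SELECT` and `UPDATE` on the `passwordHash` column.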
Further read up.. Web Auth[pdf].
p/s : just my two cents ..
