Comments on: Creating a Secure Login System the Right Way

By: verboze

verboze — Thu, 11 Mar 2010 07:39:16 +0000

Great article! Being new to implementing login systems, this article thought me the basics I needed to get started. Thanks for sharing!

By: Kevin

Kevin — Tue, 09 Mar 2010 23:11:14 +0000

My bad! Feel free to delete my dumbass post. Thats what I get for writing and not sleeping. I take it all back!

I blindly missed the WHERE username = ‘$username’ and assumed it was WHERE username = ‘$username’ AND password = ‘$password’ which WOULD have been a problem.

By: Tinsley

Tinsley — Tue, 09 Mar 2010 22:57:25 +0000

Did you read the code carefully? The raw password never touches the database… it is hashed. There is no need to use escape_string or any other sanitizing on hashed data. The ONLY user input that touches the database is the username and that IS sanitized. In addition to this I point out PDO as an alternative to using the mysql_ family of functions, which is inherently more secure.

By: Kevin

Kevin — Tue, 09 Mar 2010 22:33:22 +0000

Your subject for this code is “Creating a Secure Login System the Right Way” yet you post insecure code. WTF? In your own words you say “you should never trust your users. Validate all user input, protect against SQL injections”, yet you don’t provide any sanitizing protection for the password input from the user. Newbies using your “secure” code will now be open to an sql injection attack.

By: Tinsley

Tinsley — Tue, 02 Mar 2010 16:21:34 +0000

Normally I would, but not in this case for three reasons:

If I post a zip file of this script I will have to update it whenever I updated this post
All I would be doing is copying the code I posted here into a few files
…And the main reason: This is not a working implementation. I don’t mean for you to copy this code and put it into production. It is meant to demonstrate the concepts. It is meant to be a reference for creating a login system of your own.

By: Nookie

Nookie — Tue, 02 Mar 2010 07:42:31 +0000

Hi,

Could you maybe post or email me entire script in a zip file?
That would be really really great!

Thanx in advance!
/Nookie

By: Tinsley

Tinsley — Sat, 30 Jan 2010 19:47:24 +0000

I’ve looked further into the issue and it appears that the problem stems from a bug in PHP 5.3.0 ( http://bugs.php.net/bug.php?id=48754 ); specifying the connection handle is a workaround for that bug. Upgrading to 5.3.1 should resolve the issue and you’ll be able to use mysql_close() without parameters.

By: Claude

Claude — Sat, 30 Jan 2010 11:19:58 +0000

Hi Tinsley

Sorry for not being specific. I tested it again with mysql_close(); Ite gave me the following error:

Apache HTTP Server has encountered a problem and needs to close. We are sorry for the inconvenience. (One of those send / don’t send error reports).

The error signature contains the following information:
szAppName : httpd.exe
szAppVer : 2.2.14.0
szModName : php_mysql.dll
szModVer : 5.3.0.0
offset : 00002072

I did debug the code and the error did occurred at the mysql_close();. I did a google search and found other developers had a problem with this in the past and stated to use the connection handle variable to prevent such an error.

By: Tinsley

Tinsley — Fri, 29 Jan 2010 03:09:51 +0000

You are the first person to report a ‘crash’ as far as I’m aware. What exactly do you mean by crash? Is there an error message? Also, regarding mysql_close(), specifying the connection handle is only necessary if multiple connections are open, otherwise the behavior is identical to calling it without any parameters.

By: Claude

Claude — Thu, 28 Jan 2010 20:50:19 +0000

Thanks for the very good example. How ever I don’t know if any one experienced a crash with the registration form. I’m using Apache 2.2 with PHP 5 (WAMP configuration). It seems good practice to use mysql_close($conn); instead of mysql_close(); – Refer to register.php (part 4)