Working on a registration system

Making my registration system better

Hi,

A while back I created a registration system; I've just been going over it, making the error reporting better (it used to be plain 'if' and 'else'... now it's 'if's along with arrays, so the user gets told about all their incorrectly filled-out fields rather than just one).

When the user signs up the password is stored as SHA1 with some salt e.g.

Code:
define('SALT_LENGTH', 8);

$username     = strip_tags($_POST['username']);
$userPassword = $_POST['password'];            // left as typed; it is only ever hashed
$repeatPass   = strip_tags($_POST['rpassword']);
$email        = strip_tags($_POST['email']);

// I've taken out all my error checking, it's rather long!

// 8 hex characters of a SHA-1 over uniqid()/rand(): a 32-bit salt drawn from a non-cryptographic PRNG
$salt    = substr(sha1(uniqid(rand(), true)), 0, SALT_LENGTH);
$prepend = $salt . $userPassword;
$hashed  = sha1($prepend);                      // a single fast SHA-1 round over salt . password

// $username and $email are spliced straight into the SQL string; strip_tags() removes
// HTML tags, it does not escape quotes
$sql = "INSERT INTO users (username, salt, password, email) VALUES ('$username', '$salt', '$hashed', '$email')";

When the user logs in the username/password combination is checked in the database against whatever they entered e.g.:

Code:
$username     = strip_tags($_POST['usernameLogin']);
$userPassword = $_POST['passwordLogin'];
$staylogged   = strip_tags($_POST['stayin']);

// First query: fetch this user's salt (quote_smart() escapes the value for the SQL string)
$sql    = sprintf("SELECT salt FROM users WHERE username = %s", quote_smart($username));
$result = mysql_query($sql);
$row    = mysql_fetch_array($result);

// mysql_fetch_array() returns false when the username does not exist,
// so fall back to an empty salt rather than indexing into false
$salt = $row ? $row['salt'] : '';

// Recompute the stored form of the password exactly as registration did
$dbpassword = sha1($salt . $userPassword);

// Second query: match username and recomputed hash together
$sql2    = sprintf("SELECT * FROM users WHERE username = %s AND password = %s", quote_smart($username), quote_smart($dbpassword));
$result2 = mysql_query($sql2);
$row     = mysql_fetch_array($result2);

if (mysql_num_rows($result2) < 1)
{
    $error_array[] = "The username and/or password you entered was incorrect<br />";
}

This registration/login system will be used for my future scripts, so I need to make sure it's nice and secure.

Firstly, is there any better way of authenticating the login? It's a bit messy and all over the place at the moment.

Also, is there any even more secure way of storing the passwords? Would a longer salt or different/double encryption help at all?

One last one: are there any security holes there that I've missed?

[EDIT]

How should I be storing the salts? I'm guessing it's not such a good idea having them in the same table... :p ?

Thanks very much,
Craig.
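As an added example (not Craig's code and not taken from this thread) of where the questions above lead: a register/login pair built on PHP's password_hash()/password_verify() and PDO prepared statements. The in-memory SQLite database, the table layout and the user records are assumptions made so that the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example, not the code from the post: register/login built on
// password_hash()/password_verify() and PDO prepared statements.
// Assumptions: an in-memory SQLite database and this table layout; the
// user records at the bottom are constructed test data.

const HASH_OPTIONS = ['cost' => 12];   // bcrypt work factor; raise it as hardware gets faster

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // No salt column: password_hash() stores the algorithm, the cost and a
    // random 128-bit salt inside the hash string itself ("$2y$12$...").
    $db->exec('CREATE TABLE users (
        id       INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        email    TEXT NOT NULL
    )');
    return $db;
}

function registerUser(PDO $db, string $username, string $password, string $email): void
{
    // Input is bound as a parameter, never spliced into the SQL string,
    // so no strip_tags()/quoting step is needed for the query's sake.
    $stmt = $db->prepare('INSERT INTO users (username, password, email) VALUES (:u, :p, :e)');
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS),
        ':e' => $email,
    ]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so the
    // response time is the same for unknown and known usernames.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    $storedHash = $row !== false ? $row['password'] : $dummyHash;

    // password_verify() reads salt and cost out of $storedHash, recomputes the
    // hash and compares in constant time. One SELECT; no second query on the hash.
    $ok = password_verify($password, $storedHash) && $row !== false;
    if (!$ok) {
        return false;   // caller reports "username and/or password incorrect"
    }

    // If HASH_OPTIONS has been raised since this hash was made, upgrade it now,
    // while the plaintext is legitimately in hand.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $upd = $db->prepare('UPDATE users SET password = :p WHERE username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS), ':u' => $username]);
    }
    return true;
}

// Constructed demo data.
$db = openDb();
registerUser($db, 'craig', 'correct horse battery staple', 'craig@example.com');
var_dump(loginUser($db, 'craig', 'correct horse battery staple'));
var_dump(loginUser($db, 'craig', 'wrong password'));
var_dump(loginUser($db, 'nobody', 'wrong password'));
```

Three points this illustrates against the questions above. A salt is not a secret; its job is to stop precomputed tables and to make two users with the same password hash differently, so keeping it next to the hash (here, inside the hash string) is normal. A longer salt or hashing twice does not slow down someone guessing against one stolen hash; a deliberately slow algorithm with a tunable cost does, which is why bcrypt replaces a single SHA-1. And fetching the stored hash with one query and verifying in code replaces the two-query salt-then-hash sequence.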
Beansprout said:
Interesting use of strip_tags on the inputs - why did you choose that? :)

Not 100% sure what you mean?

I didn't put them on the users password during registration as that's going to be encrypted anyway, so it shouldn't matter if they enter malicious code, should it?

Not sure about the login password, I guess I should have put strip_tags on that?
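To make Beansprout's question concrete, an added example that is not part of the thread: strip_tags() is an HTML filter, so it passes a SQL injection payload through untouched, while binding the same value as a parameter makes it harmless; it also silently alters a password containing "<". The two-row users table and the in-memory SQLite database are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Constructed data in an in-memory
// SQLite database so it runs stand-alone.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT, password TEXT)');
    $db->exec("INSERT INTO users VALUES ('alice', 'hash1'), ('bob', 'hash2')");
    return $db;
}

// The pattern from the post: strip_tags(), then build the query as a string.
function countRowsInterpolated(PDO $db, string $username): int
{
    $username = strip_tags($username);
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$username'";
    return (int) $db->query($sql)->fetchColumn();
}

// Parameter binding: the input travels as data and is never parsed as SQL.
function countRowsBound(PDO $db, string $username): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn();
}

$db = setupDb();

// No "<" in it, so strip_tags() has nothing to remove.
$payload = "' OR '1'='1";
var_dump(strip_tags($payload) === $payload);
var_dump(countRowsInterpolated($db, $payload));   // the WHERE clause now matches every row
var_dump(countRowsBound($db, $payload));          // no user is literally named "' OR '1'='1"

// strip_tags() on a password changes it: if registration stored the password
// as typed and login strips it, this user can never log in.
var_dump(strip_tags('pa<ss>word'));

// Tags only matter at output time, and the tool for that is output encoding.
var_dump(htmlspecialchars('<b>alice</b>', ENT_QUOTES, 'UTF-8'));
```

The hash in the registration code takes any bytes, so the password needs no cleaning before hashing; what the database needs is escaping or, better, binding, and what the HTML page needs is htmlspecialchars() when a stored value is displayed.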