Better Password Protected Pages / Login Form .. ??

[spacepoet]

Hello:

 

I wanted to see if I can make my password protected pages in my admin area, and the login form "more secure."

I was told I should use MD5 / SALTING / HASHING to do this.

 

I have tried some online tutorials, but am not understanding it, so I wanted to start from what I have and build upon it>

 

This is my database table storing the myAdmins data (when I initially insert it into the database):

CREATE TABLE `myAdmins` (
  `id` int(4) NOT NULL auto_increment,
  `myUserName` varchar(65) NOT NULL default '',
  `myPassword` varchar(65) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

INSERT INTO myAdmins VALUES("1","abc","123");

 

This is the login form I use:

<?php

include('../include/myConn.php');
include('include/myAdminNav.php');

session_start();
session_destroy();

$message="";

$Login=$_POST['Login'];
if($Login){
$myUserName=$_POST['myUserName'];
$myPassword=$_POST['myPassword'];

$result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$myPassword'");
if(mysql_num_rows($result)!='0'){
session_register("myUserName");
header("location:a_Home.php");
exit;
}else{
$message="<div class=\"myAdminLoginError\">Incorrect Username or Password</div>";
}

}
?>

<form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>">

<? echo $message; ?>

Username: <input name="myUserName" type="text" id="myUserName" size="40" />
Password: <input name="myPassword" type="password" id="myPassword" size="40" />

<input name="Login" type="submit" id="Login" value="Login" />

</form>

 

 

This is the code on top of each page I password protect:

<?
session_start();
if(!session_is_registered(myUserName)){
header("location:Login.php");
}
?>

 

Works well, but can it be "better"??

 

And, if I am allowing the admin to update his/her username or password, I do it this way:

<?php

include('../include/myConn.php');
include('include/myCheckLogin.php');

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
$myUserName = mysql_real_escape_string($_POST['myUserName']);
$myPassword = mysql_real_escape_string($_POST['myPassword']);

$sql = "

UPDATE myAdmins
   SET
      myUserName = '$myUserName',
      myPassword = '$myPassword'
  ";
mysql_query($sql) && mysql_affected_rows()

?>

<?php
}

$query=mysql_query("SELECT * FROM myAdmins") or die("Could not get data from db: ".mysql_error());

while($result=mysql_fetch_array($query))

{
  $myUserName=$result['myUserName'];
  $myPassword=$result['myPassword'];
}

?>


<form method="post" action="<?php echo $PHP_SELF;?>">
<input type="hidden" name="POSTBACK" value="EDIT">

Username: <input type="text" size="60" maxlength="60" name="myUserName" value="<?php echo $myUserName; ?>">
Password: <input type="password" size="60" maxlength="60" name="myPassword" value="<?php echo $myPassword; ?>">

<input type="submit" value="Submit" />
         
</form>

 

Should it be "better" .. ??

 

I don't seem to understand how to "encrypt" all of this to make it "stronger" ..

 

Ideas? Improvements?

 

[melloorr]

Login security is tedious. mysql_real_escape_string will not make it more secure, it will only stop SQL Injection.

 

$myPassword=$_POST['myPassword'];

$salt = uniqid(mt_rand(), true);

$myPassword =  sha1($salt.$password);

 

And store the $salt in the database.

 

Just make sure that when they log in, the password is compared with the password in the database like this too.

So when the user enters a password,  you will have to call the $salt from the database, then do exactly what you did in the registration page, then compare the password the user entered, with the one in the database.

[spacepoet]

Hi:

 

Thanks for the input.

 

Is there an example / tutorial out there that you know of that will show this?

 

I'm not sure I understand what you mean ..

 

Haven't been having much luck with this ..

 

Thanks for the help.