Hey everyone, I am just wondering if anyone knows a better login system
that may be injection-free, as I am using this
Well, I’d personally not throw a specific error for there not being an account with that name - gives too much information to someone probing your database. If I guess random usernames, and get a bad-password result as opposed to a “no such account” result, I know that there is a user with that username in your system, and I can start trying to crack their password.
There’s no catchment here to prevent a brute force attack, but that’s getting a bit beyond the scope.
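The point made above, as an added example that is not code from the thread or from the tutorial the OP used: one generic failure message for both "no such user" and "wrong password", with passwords stored only as `password_hash()` output. It assumes a PDO connection in `$pdo` and a `users` table with columns `id`, `username` and `password_hash`; those names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or the OP's tutorial.
// Assumes a PDO connection in $pdo and a table `users` with the
// columns `id`, `username` and `password_hash` (assumed names).
// Passwords are stored only as password_hash() output, never in
// plain text, which is also what makes "email me my password"
// impossible by design.

/**
 * Returns the user's id on success, or null on any failure.
 * The caller shows the same message for every null, so the response
 * does not reveal whether the username exists.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run password_verify() against a throw-away
        // hash so this path costs about the same time as a real check.
        // (Generated per request here for simplicity; compute it once
        // at deploy time in a real application.)
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return null;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }

    // Upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare(
            'UPDATE users SET password_hash = :h WHERE id = :id'
        );
        $upd->execute([
            ':h'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }

    return (int) $row['id'];
}

// Usage: exactly one message for every kind of failure.
session_start();
$userId = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    echo 'Invalid username or password.';
} else {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

The prepared statement handles the OP's injection concern; the single message and the dummy `password_verify()` on the unknown-user path handle the enumeration concern, since both the wording and the response time of the two failure cases are kept alike.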
Well, is there any better one than this script, or should I go look on Google for poorly coded scripts?
Stop looking for tutorials. Tutorials are poorly put together and they have 1 thing in common. They tend to never implement security in the code and they tend to just give you 1 way of doing it. This may not even be the right way.
I really suggest that you learn the basics first using the manual before doing anything else. Start brainstorming about how you want your application to work. All a login system really is is just basic functions put together. For instance, how do you output a user’s name? You do something like
echo $name;
Correct? Login systems require much much more than just basic functions. You need to write a really secure one. To do this, you have to understand security and the many cons that it comes with. For example, losing a lot of user-friendly features. You cannot have a secure login system and have something like emailing the user’s passwords in plain text. That would mean you’d be storing the passwords in plain text, which violates security.
So I strongly suggest that you learn the basics before doing anything.
User authentication is a tricky but critical enough concern that rolling your own or using a naive implementation like the one in the tutorial is almost never a good idea.
You should seriously consider using an actively maintained third-party library to implement your login functionality.
There are a bunch out there, but have a look at this one for instance: https://github.com/delight-im/PHP-Auth/blob/master/README.md
Tutorials are not meant to give you an application at the end; they are there to teach you a mechanism. Sadly, today, many see a tutorial as a production-ready application, which it is not.
So I agree that they generally approach a topic in one way and the code is not production ready, but to say generically all tutorials are poorly put together is a bit of a stretch and based on a misrepresentation of what a tutorial really is.
I feel like you know this is bad but you didn’t explain why it is bad/wrong. You skated around it by talking about plain-text passwords, but glossed over the potential XSS that the above echo statement can lend itself to.
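The XSS point raised here, as an added example that is not code from the thread: a bare `echo $name;` writes whatever markup the user registered straight into the page, while escaping on output renders it as literal text. The helper name `e()` and the sample display name are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Shows why a bare
// `echo $name;` is a problem when $name came from a user, and the
// fix: escape for the context you are writing into, at output time.

/** Escape a string for HTML text content or a quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES escapes both ' and " so the helper is also safe inside
    // attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would silently drop content.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a display name a user could have registered.
$name = '<b>Bob</b> <script>alert(1)</script>';

// Unsafe: the browser interprets the user's markup and runs the script.
// echo $name;

// Safe: the same string is shown to the reader as plain text.
echo '<p>Welcome, ' . e($name) . '</p>';

// Attribute context needs the same treatment; the value must be quoted
// in the HTML and escaped with ENT_QUOTES, as e() does.
echo '<input type="text" name="display_name" value="' . e($name) . '">';

// Note: htmlspecialchars() is only correct for HTML text and attributes.
// Values placed inside <script> blocks, URLs or CSS need a different
// encoder for that context; do not reuse e() there.
```

Escaping belongs at the point of output rather than at input, because the same stored value may later be written into HTML, JSON or a log, each of which needs its own encoding.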
Yes, I agree. Though I didn’t say that all of them are bad. I just said tutorials in general are bad because most of them tend to never teach you the correct way. They tend to lean to one solution which may not even be the correct solution. That’s not to say that some tutorials are good.
What I was trying to get at is that a lot of tutorials are poorly written because they tend to never show you anything security-wise. A lot of them are also cut and copied from other sources. The ratio of good to bad tutorials IMO is probably 80% bad and 20% good.
Yes. I didn’t mention anything really because I wanted to write a broad statement. I didn’t want to go into too much depth as to why it may be dangerous to echo what I wrote, because too many words and too much jargon seem to distract people from the real point. They may even say “ok” and then move on without caring about the reason. My approach was to give a broad example and, if the OP is interested, I would then further explain. But if I explained right away, the OP may just brush it off and not take it seriously.
Don’t roll your own authentication system. It gets really complex really fast, plus it’s very easy to make mistakes that allow your site to be hacked.
Instead use a tried and tested system, like the Symfony security component.