How do I make a simple login system secure?

Bare with me as i am very new to PHP.

I have created a simple login system that connects to a MySQL database.

The login is basically asking for a username and password which are stored in the database. There is no option for a user to register/sign up.

What are the best practices to make my login secure?

How can i “HASH” my password? Or is there any need to do this on a login form?

What security measures would you recommend?

That’s a rather broad question. How about start with posting the code you have so we can review it. As far as the password you should use the password_hash function. Hopefully you are not using the deprecated MySQL functions.

3 Likes

I would not recommend a login system at all. In fact, I would never mention one at all to a beginner. Log in systems are a complex system that beginners can’t even comprehend. There are so many things that beginners fail to implement in a “good” log in system. And there are so many exploits that can come from a poorly implemented log in system. Here are just a few off the top of my head. This is just the tip of the iceberg.

  • XSS attack
  • SQL Injection
  • Blind Injection
  • Rainbow tables
  • Brute Force
  • Cookie Hijacking
  • Plain text passwords
  • Buffer overflow

The list goes on and on.

What I’d recommend is learning the basics before you start anything complex. If you don’t even know the simple functions like foreach, require, etc, you won’t understand log in systems.

3 Likes

Are you brave enough to post it here for a critique? :smile:
If there are any glaring security holes they will be quickly spotted and may offer a little education into basic security which is a must for any beginner.

3 Likes

I think even a beginner can benefit from learning how to build a secure login system from the ground up - step-by-step. So posting your code and having the experts here guide you through making it more secure will be a great learning experience not only for you, but also for other people reading this thread. Just be careful not to use it for a live application that is important to you. Just use it in practice applications until you gain more experience.

2 Likes

I think even a beginner does need to think about a log-in system. But…then again no…I get what the other person inferred. If you are a beginner, your site can’t be possibly done yet. Get your site done and ready to expose to the world…first. First. In the process you will move from beginner to experienced. If your site or app is truly done–you are no longer a beginner. Finish your site first. Revisit logins and credentials AFTER it is done. You should be more equipped at that point. About logins. Objectives would include: prevent SQL injection; don’t give error messages about why the login failed which is what a lot of beginners think should be done (they want to be friendly); use parameterized queries (which supports the first point); understand sessions and cookies and the advantages/disadvantages of both. These days, a secondary login step which deters automated bot-based login althorithms is very good: a text message/email with a pin; a redirect to a page where the user has been given a pin to type in (something that can’t be automated by a bot).

1 Like

Thanks for all your advice. I did a college course where i learned PHP but that was 2 years ago and i am re-visiting the subject to advance my skills.

Here is my code:

PHP:

<?php
session_start(); // Starting Session
$error=''; // Variable To Store Error Message


if (isset($_POST['submit'])) {
if (empty($_POST['username']) || empty($_POST['password'])) {
$error = "Enter Username and Password";

}
else
{
// Define $username and $password
$username = $_POST['username'];
$password = $_POST['password'];


//connect to database
include('dbconx.php');

// To protect MySQL injection for Security purpose
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($con, $username);
$password = mysqli_real_escape_string($con, $password);


// SQL query to fetch information of usernames and finds user match.

$sql = "SELECT * from admin where password='$password' AND username='$username'";
$result = mysqli_query($con,$sql) or die(mysqli_error());
$count = mysqli_num_rows($result);
if ($count == 1) {
	
$_SESSION['login_user'] = $username; // Initializing Session
header("location: confirm.php"); // Redirecting To Other Page
} else {
$error = "Username or Password is incorrect";
}
mysqli_close($con); // Closing Connection
}
}
?>

HTML:

<form action="" method="post" name="login-form">


<table id="login-table">

  <tr>
    <td>
	
      
      <input type="text" name="username" id="username" required placeholder="Username">
    </td>
  </tr>
   <tr>
   	 <td>
      
      <input type="password" name="password" id="password" placeholder="Password" required>
     </td>
   </tr>
   <tr><td>      
  	<input type="submit" name="submit" id="login" value="Login">
       
       
   </td></tr>
   
</table>



</form>

<p id="error" ><?php echo $error; ?></p>

I look forward to hearing your criticisms :slight_smile:

Check a form submission like this:-

if($_SERVER['REQUEST_METHOD'] == 'POST'){
    // form processing...
}

Stripslashes and escaping is the old way of sanitising input. These days most developers prefer to use Prepared Statements.

Password hashing has already been mentioned. On account creation hash the password and store the hash only in the table.

Then instead of using it in the WHERE clause, SELECT the hash and compare it to the password entered using the password_verify function as the manual shows.

I’m sure there will be more scope for improvement, but that is a start.

Thanks for this. I have one question:

I have not created a register/sign up option. The password and username is already stored in the database.

So how would i use password_hash and password_verify in this situation?

At some point the password is entered into the database. So what you must do is insert the hash instead of the raw password.

$hash = password_hash($password, PASSWORD_DEFAULT);

The reason why I disagree with the part that beginners should learn to build a log in system, but agree with not using it on a production server is because I once was that fool. When I first began PHP many years ago, I had this obsession with log in systems. I thought it was some how really cool the way that only certain pages can be shown to members is to create a log in system. So after learning about this topic, I sought my way to finding a really good log in system that was online. Soon after, I started looking for free service providers because at the time, I was naive and poor. So I only wanted to use free service providers to do my testing. I came across a 3rd party log in system called Oxwall or something like that. I uploaded it to the free service provider and I went on and did a few test to see how it works. So after a few weeks of using it, I stopped checking on it for another few weeks. When I came back the following weeks after that, I had found that my free website’s home page was changed. I thought maybe because the free service provider usually deletes inactive free accounts so maybe mine got deleted and someone just requested for that domain name. So I logged onto my free hosting account and checked my file manager. As I got onto my file manager, I saw that everything was deleted except the index file and a few folders that meant nothing. I opened up that index file and long behold, it was modified and it was the one from before. Soon enough, I learned that I was just hacked. So I didn’t want to restore it anymore since I know the person might have my information now, all I did was deleted everything and replaced the index file with flashing images. Then I just abandoned that domain name and free hosting service providers in general.

Though I was really lucky. Had this been a client’s website or a company’s website, I would of either gotten fired or sued. It was because I didn’t take security seriously. My obsession of log in systems caused me to have such a huge consequence. So from that day on, I started to read up on the basic stuff that I didn’t know. Such as foreach loops because at that time, I didn’t even know how to use it. Then I started learning how to read the error logs. Starting debugging my own code.

What I am trying to say is, don’t do what I did. Don’t obsess over log in systems.


This line isn’t necessarily needed. When you create and assign a variable to something, it automatically does it for you. It is a bit redundant and makes it look like you have a hanging variable that does nothing. In PHP 7, the execution now is left -> right. So it will assign variables to something appropriately I believe.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.