Dan

Member Since 28 Jun 2006
Offline Last Active Dec 19 2006 03:04 PM
-----

Posts I've Made

In Topic: Run a forum? Need Activity?

17 July 2006 - 03:12 PM

I agree DevilsCharm, the revenue would have required a lot of work, and the domain/site design wasn't brilliant.

Amazing the junk that sells on these webmaster forums.

In Topic: My Forum Software

14 July 2006 - 05:27 AM

Tbh, if you are planning on encrypting the entire script and making it paid I cannot see it being a success, I'm afraid.

The majority of businesses will most likely find vbulletin upon their market research because it is so proven, customisable and has a great support department.

If I was you, I'd change the design significantly - businesses will be exceptionally swayed by this and first impressions. Offer businesses or your target market free trials and ask what they like/dislike then go from there.

Establishing your target market, and what they want is exceptionally important, otherwise I can see this being another one of those unused GPL scripts or paid scripts which would be a shame given the work that has gone into this :(

In Topic: Storing a Secure Password

14 July 2006 - 05:19 AM

Yes, the information I provided outlines md5 password encryption, but a little bit more complex than sidewinder's (correct) code.

In Topic: Do you still use ASP?

13 July 2006 - 04:21 PM

I basically mean MS Access, which I prefer to use for managing databases really. I guess it isn't comparing like for like, however. phpMyAdmin is a lot more complex but is exceptionally powerful as well; it just takes some getting used to.

Access is probably easier for the average Windows user to learn to manage their site.

In Topic: Storing a Secure Password

13 July 2006 - 03:16 PM

Pretty complex stuff and not something I have ever done custom, but I've fished out some info for you:

MYSQL Password hashing - should be what you need?

It really depends on what your business is, and you must decide for yourself what lengths you need to go to for your users' protection. The key is to take all reasonable measures to protect the data. This is where the fun of personal privacy laws comes into play. Also remember that you are only legally allowed to require information from your user which you NEED to do business with them.

So...

Your user must enter said information and you are going to store it. How are you going to protect their information? You need the information to be accessible by the person who entered it and only the person who entered it. This would require some information that only the user knows. How can you acquire this information, and how can you store it?

HTTPS

Again, this depends on what type of information you will be storing. The first thing involved is to get a secure certificate for your site and only transfer sensitive, or personal, user data over an encrypted connection. I have always gotten secure certs from Thawte and always been satisfied. One thing to note is the form itself does not need to be under https but any form action does. As long as the form action is https then the secure connection is established before any data is sent. I've spent a lot of time sniffing this scenario to be sure that it is 100% true.

User Account Access

There will need to be a way for users to access their account. Most often this will consist of a username and a password. Usernames should be unique. This will allow the username password combination to be unique and be the first line of protection against account hijacking. Depending on the type of data you are storing, two fields that make up your unique combination may not be enough but for our explanation here we will use only the two fields.

Password Protection

I realize I am only now getting to the heart of your question but, in truth, all of these things play a part in it.

Passwords should never be stored on your system in plain text or in a decryptable form. MD5 is a one way encryption and is an acceptable method of storing passwords. There is absolutely no need for your users' passwords to be accessible by you or anyone who works for your organization. A password can always be reset by the user or by you or your employees. You must encrypt the password when it is received and then store the encrypted password in your database. This makes sure that the password is useless in the form in which it is accessed straight from the database.

Your form that takes the password should post to a script which does something similar to the following, ensuring that the username is unique and that the password is protected.

// escape the submitted username before it goes into the query so a quote
// in the input cannot break out of the SQL string
$username = mysql_real_escape_string($_POST['username']);
$sql = "select * from usertable where username='$username'";
$result = mysql_query($sql);
if (mysql_num_rows($result) >= 1) {
    // username already taken: send the user back to the form with an error
    $error = "please enter another username";
    include "userform.php";
    exit();
} else {
    // store only the one-way hash of the password, never the password itself
    $userpass = md5($_POST['userpass']);
    $sql = "insert into usertable values('$username','$userpass')";
    mysql_query($sql);
    include "postregister.html";
}

You now have a stored password which is useless to you and only usable to the user through your login form.

User Login

Sessions or cookies are good methods to keep your user logged in and to be able to recognize them in your scripts. You must put some thought into how you are going to do your authentication and how you are going to stop the ability to hijack active sessions or hijack cookies.

A simple login script may go something like the following. Once again the form you use for your login should have an action that is under https or be under https itself. I will use a session based example.
session_start();
// escape the username; the md5 hash is hex only and needs no escaping
$username = mysql_real_escape_string($_POST['username']);
$userpass = md5($_POST['userpass']);
$sql = "select * from usertable where username='$username' and password='$userpass'";
$result = mysql_query($sql);
if (mysql_num_rows($result) != 1) {
    // no single matching row: wrong username or password
    $error = "Login failed";
    include "loginform.php";
} else {
    // remember who is logged in and where they logged in from
    $_SESSION['username'] = $username;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    // any other data needed to navigate the site or
    // to authenticate the user can be added here
    include "membersection.php";
}

User Authentication

Now an important factor is to be able to reliably recognize the user once they have logged in and to make sure that user is using their own session. In our above example we included the ip of the user to add some extra security. An authentication script would need to be included at the top of the page on every single page inside the members section of your site.

A simple authentication script could be as follows.
session_start();
$newip = $_SERVER['REMOTE_ADDR'];
// log the user out if there is no session, or if the request comes
// from a different ip than the one recorded at login
if (!isset($_SESSION['username']) || empty($_SESSION['username']) || $newip != $_SESSION['ip']) {
    include "logout.php";
}

All of the above scripts are very simple and greater means may need to be taken to protect and authenticate your users, but those three scripts are the basis of a user management system. You would also need to provide a method for your users to reset and acquire their passwords if need be. Passwords should always be reset in some random fashion and then the user should be forced to change it before they continue using your site.
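As an added example (not code from the post or the source it quotes), the same register/login/authenticate flow written in current PHP: prepared statements instead of SQL strings built from $_POST, and password_hash()/password_verify() in place of a bare md5() so every stored hash is salted and slow to brute-force. The PDO connection $db, the column name password_hash and the redirect path are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection $db and a
// table `usertable` with a UNIQUE `username` column and a `password_hash` column.

function register_user(PDO $db, string $username, string $password): bool
{
    // Prepared statements keep user input out of the SQL text, so a quote in
    // the username cannot alter the query the way it can with string-built SQL.
    $check = $db->prepare('SELECT 1 FROM usertable WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return false;                    // username already taken
    }
    // password_hash() adds a random salt and uses a deliberately slow algorithm
    // (bcrypt for PASSWORD_DEFAULT), so equal passwords get different hashes
    // and offline guessing is far slower than against unsalted MD5.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $insert = $db->prepare('INSERT INTO usertable (username, password_hash) VALUES (?, ?)');
    return $insert->execute([$username, $hash]);
}

function login_user(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM usertable WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    // Always run one verification, against a throwaway hash if the user is
    // unknown, so response time does not reveal which usernames exist.
    $hash = ($stored !== false) ? $stored : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $stored === false) {
        return false;
    }
    session_regenerate_id(true);         // fresh id on login blocks session fixation
    $_SESSION['username'] = $username;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

// Call at the top of every members-only page, after session_start().
function require_login(): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (empty($_SESSION['username']) || ($_SESSION['ip'] ?? null) !== $ip) {
        $_SESSION = [];
        session_destroy();
        header('Location: /loginform.php');   // assumed path of the login form
        exit;
    }
}
```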

