PHP Login/SQL injection question


Serganator


Hi

I'm creating my own PHP login and I'm going through the prevention of SQL injection. I'm using PHP 5 and a MySQL DB. My question is: if I input my data into my database using MD5, do I still need to use the mysql_real_escape_string() function?

And also I wonder if MD5 should be enough for encryption or whether I should be using crypt() also.

Thanks in advance for any suggestions and answers.


Is it a general login for the website you're making?

One really good way I've found is to build up a website around phpBB3. You can create a whole website around it and you get full forum functionality throughout the site. This is the best way I've found to create very social websites, and they look really good as well, especially with the amount of AJAX mods and hacks coming out for phpBB3.

Guide:

[Tutorial] Integrate your website around phpBB3

phpBB3 Help:

Sourcecode documentation

Coding Guidelines

OlympusWiki

Chapter 3, coding with and for phpBB3


I wouldn't touch phpBB for anything; it's a worthless piece of crap.

One piece of real advice: writing a secure login and session management for a website is quite difficult. If you're going to put it into production then I'd recommend going with something that is known; you could always use OpenID. If it's for practice and fun, good on you and keep up the good work.

On answering the main question, it's unlikely that you would need to; however, you should do so for good practice. The extra overhead is not much for one more variable to be cleaned, and I think the world would end before someone found some data which hashed to a SQL injection.

Try not to use MD5 though, it's pretty much end-of-lifed; use something from the SHA family at the moment, and then I believe you have to use PHP crypt() to do that.


Thanks

I didn't want to use a CMS application, so this is great information. I couldn't find a login with all the features I wanted, that's why I'm building my own. I never thought about OpenID; I'll play with that too.


MD5 is OK so long as you add a salt value to it and do not use it in its base hashed value form.

MD5 by itself is easily cracked. There are databases and websites devoted just to cracking base MD5 hashes, but if it's salted with another value (preferably another hash or random string value) not known to the public, it makes the cracking of the hash much more difficult if not impossible, since they would need both the input and the salt value to crack it. If they compromised your site and learned the salt value, then they could create their own tables to crack the hash, but this goes for pretty much any cryptography. Keeping the salt value a secret is key to securing hashes stored in a database.

WordPress uses this method of MD5 + salt value for their login keys. They upgraded to this method a while back because they used to keep them in plain MD5 hashes, and people who were able to get access to their database via SQL flaws could then go back and crack the hashes for passwords.

BugFix: http://trac.wordpress.org/ticket/2394

This is now part of their phpass class. If you download WordPress, you can look at their code as an example of how to script your logins, even if you decide against MD5.

Just a note though: if your login script does not sanitize user input properly against SQL injections, it won't matter much what you use to hash the passwords, as they can then add users, overwrite passwords, etc. with full access to your database via the webpage itself. You will need both a strong hashing system and a hardened login script to be sure to sanitize any user's input of special keys or values, like '\][{}|", etc.

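An added example, not code from any poster in this thread, that puts the two points above (the reply saying to clean the input even when the password is hashed, and the reply about salted hashes and a hardened login script) into working PHP: the interpolated query beside a prepared-statement version, with the password stored as a salted crypt()-format hash produced by password_hash(). The table users(username, pass_hash) and the mysqli connection $db are assumptions; password_hash() needs PHP 5.5 or later, and the mysql_* functions the thread uses were removed in PHP 7.

```php
<?php
// Added example (not from the thread). Assumed schema:
//   users(username VARCHAR(64) PRIMARY KEY, pass_hash VARCHAR(255))
// and an already-open mysqli connection $db.

// UNSAFE: only the password is hashed; the username goes into the SQL text
// verbatim, so hashing one column does nothing for the other. Unsalted MD5
// is also what the thread warns against.
function login_unsafe(mysqli $db, string $user, string $pass): bool {
    $hash = md5($pass);
    $sql  = "SELECT 1 FROM users WHERE username = '$user' AND pass_hash = '$hash'";
    $res  = $db->query($sql);
    return $res !== false && $res->num_rows === 1;
}

// SAFE: a prepared statement sends the value separately from the query text,
// so no escaping is needed regardless of whether the value is hashed.
// password_verify() reads the salt and cost back out of the stored hash,
// so each user gets their own random salt and no site-wide secret is needed.
function login_safe(mysqli $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();
    return $found === true && password_verify($pass, $stored);
}

// At registration: password_hash() draws a random 16-byte salt and returns a
// crypt()-compatible "$2y$12$..." string; store that whole string as-is.
function register(mysqli $db, string $user, string $pass): bool {
    $hash = password_hash($pass, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $user, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The same prepared-statement pattern applies to every other query the login script runs (session lookups, password changes), not just the one that checks the password.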

I still wouldn't use MD5; salting hashes has to be done no matter what hashing function you choose, so you can guarantee some decent level of security. The problem with people keeping on using MD5 is that it will never die then, and people will forget they used it when new problems come out for it and then don't patch their systems.

If you're interested in a good book on this stuff and like working with PHP, then have a look at the "php|architect's Guide to PHP Security". It's a nice small book that covers everything that is needed and gives lots of good examples and code snippets. A lot of it you can take on to other languages as well, such as the input validation.


Here is one method:

1. http://www.darknet.org.uk/2007/04/login-se...ird-php-script/

However, I'd stick with the simple classic stuff:

2. http://www.netlobo.com/preventing_mysql_injection.html

@stingwray: took the leg work out of it, as it was something I was interested in myself.

http://www.amazon.com/php-architects-Guide...y/dp/0973862106

While on the subject of books, anyone seen this?

http://nostarch.com/mg_databases.htm
