User accounts and password in database (security?)

jbarnes08

New Member
I don't have much time. I am on the public library computer and I'm trying to design a website without a home computer at the moment (on paper). Please refrain from 'rtfm' responses.

I'm also not very experienced with web programming.

I will be using php/mysql, probably on host monster's web hosting services. I have not signed up for host monster yet, so I'm not really sure if they will allow me to create actual SYSTEM users on their linux server. I have never designed a site where users log in and have their personal information stored on the server, so the WHOLE concept is new to me.

1. For example on this site, when I signed up here (webdesignforum), did I get my own system account with the operating system? Is that what most sites do?

2. Would it be a bad idea to store user passwords in a mysql database?

3. What would you suggest?

In summary, I'm designing a web site for the first time with tools and technologies that I'm not familiar with to begin with. I want users to be able to register their own accounts and I also want to store information and their password. I want to know how to do this. Have to go quickly
 

conor

New Member
Ok,

No they don't create new users on the OS.

Yes they do store user info in the database, which if done properly is safe.

There are a few things that you need here. First you need to set up a session to detect if people are logged in or not.

Code:
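session_start(); // the session must be started before $_SESSION is read
if (($_SESSION['logged_in'] ?? 0) != 1) {
    header('Location: login.php'); exit; // stop here so the protected page is not sent
}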

That re-directs people to a file called login.php if they are not logged in.

One big thing to remember. When you are storing passwords in the database they must be encrypted. For example:

Code:
$password='test';
$encrypted=md5($password);

The md5 function encrypts the password into a 32 char (I think) string which is irreversible. This means that if someone does manage to see the password then they will only see a 32 char string.

If you have any other questions just ask!
 

bren2010

New Member
1. No, they store their username and password in a database, emulating an account. They don't change anything on the OS except the mysql table.

2. It would be fine if done properly. You should encrypt the passwords however. Most people hash them with PHP functions like md5 and sha1. On really secure websites, I'll hash them more than once, making it harder to crack.

3. As for registering users use a mysql insert command:
PHP:
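$dbc = mysqli_connect("localhost", "username", "password", "database");
// Prepared statement: the values are bound, never pasted into the SQL text
$stmt = mysqli_prepare($dbc, "INSERT INTO `Users` (`Username`, `Password`) VALUES (?, SHA(?))");
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
$issue = mysqli_stmt_execute($stmt);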

As for checking if users exist, select their username and password from a database, and see how many results come up. If there's one, their information is correct.
PHP:
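$dbc = mysqli_connect("localhost", "username", "password", "database");
// Prepared statement: the values are bound, never pasted into the SQL text
$stmt = mysqli_prepare($dbc, "SELECT * FROM `Users` WHERE Username = ? AND Password = SHA(?)");
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt); // buffer the result so the row count is available
$rows = mysqli_stmt_num_rows($stmt);

if ($rows == 1) {
    // The login is true, do whatever
} else {
    // The login is wrong, do whatever
}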

Hope this helped. :D
 

conor

New Member
2. It would be fine if done properly. You should encrypt the passwords however. Most people hash them with PHP functions like md5 and sha1. On really secure websites, I'll hash them more than once, making it harder to crack.

As far as I know it is impossible to un-encrypt an md5 hash, thus eliminating the need to hash them more than once. Anyway, if they are somehow un-encrypted then I doubt that it would be considered as your fault, as it is a widely accepted secure method of encryption.

Those people who attempt to "break the system" and that are building lists of all the known md5 hashes are fools and will be waiting until the end of the universe for the computer to be finished working! :)
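
An added example, not part of any post in this thread: registration and login using PHP's built-in password_hash() and password_verify() with bound query parameters, in place of the md5()/SHA() calls shown in the posts above. It assumes PDO with an in-memory SQLite database so it runs without a server; the function names register_user and check_login and the sample accounts are illustrative.

```php
<?php
declare(strict_types=1);
// Added example. Assumption: PDO with in-memory SQLite so it runs without a server;
// the prepare()/execute() calls are the same against MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (Username TEXT PRIMARY KEY, Password TEXT NOT NULL)');

function register_user(PDO $db, string $username, string $password): void
{
    // password_hash() adds a random salt per password and uses a deliberately slow algorithm
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO Users (Username, Password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT Password FROM Users WHERE Username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched the username
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash if PHP's default algorithm or cost has changed since
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE Users SET Password = ? WHERE Username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample accounts; the apostrophe is stored as data because it is bound
register_user($db, 'alice', 'correct horse battery staple');
register_user($db, "o'brien", 'correct horse battery staple');

var_dump(check_login($db, 'alice', 'correct horse battery staple'));
var_dump(check_login($db, "o'brien", 'correct horse battery staple'));
var_dump(check_login($db, 'alice', 'wrong password'));

// The two accounts share a password but their stored hashes differ (per-password salt)
$hashes = $db->query('SELECT Password FROM Users ORDER BY Username')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
```

The Password column has to hold the full password_hash() output, so it is declared as text here rather than sized for a 32-character md5 string.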
 