I'd like some opinions, if possible, on what is a secure way to have logins for a script? This is for a script that I intend to distribute as open-source (GPL).
Basically, right now, the script stores a login and its password in the database, using md5() to encrypt the password before storing. When the user logs in, the script compares the password they type in (after running it through md5) to the one in the database. After some reading around, I've seen things that suggest this is not the smartest way to set this up. Is this something that I should seriously be worried about? Is it something that can easily be hacked? Does anyone have any other suggestions that I can start looking at? Or can you point towards any recent tutorials that might have more secure ways of doing logins? I don't want to get into anything severely complicated, such as SSL or anything like that -- this is, after all, just a little open-source story script, but I would like to do what I can to make it more secure...
Secondly, my script checks what the person's admin level is (stored in the database) and then sets a cookie for that level. For example, if the level attached to a person's login is 1, then they can access all admin levels of the site. If the level is 2, then they can only access a few admin areas. And level 3 can only access one admin area of the site. As stated, this level is saved in the cookie and called upon in the various admin functions of the site as a global, i.e.
<?php
// $level is populated elsewhere from the "level" cookie the script sets at login
// (as described above) and is read here as a global.
function example()
{
    global $level;

    // Levels 1 and 2 are allowed in; anything else is refused.
    if (($level == "1") || ($level == "2"))
    {
        // Let them do admin stuff
    }
    else
    {
        echo "Hey! You're not supposed to be in here.";
    }
}
Does anyone foresee any problems with this? Does it throw up any red flags for you? I'd appreciate any suggestions or input, if possible 🙂
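The two points raised above (unsalted md5() for stored passwords, and an admin level that lives in a client-side cookie) can both be addressed without SSL or anything complicated. The following is an added example, not the original poster's code: it uses PHP's built-in password_hash()/password_verify() (available since PHP 5.5) in place of md5(), and keeps the admin level in the server-side session so the browser only ever holds an opaque session ID. The table and column names (users: username, pass_hash, level), the $pdo connection, and the function names are assumptions made for the example.

```php
<?php
// Added example (not the poster's script). Assumed schema:
//   users(username VARCHAR, pass_hash VARCHAR(255), level INT)
// and an existing PDO connection in $pdo.

// A throwaway hash used so that a login attempt for an unknown username
// costs the same time as one for a real user (avoids username enumeration
// through timing). Computed once per request.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

function startSecureSession(): void
{
    // Session ID cookie only; the level itself never leaves the server.
    session_start([
        'cookie_httponly' => true,   // JavaScript cannot read the session cookie
        'cookie_samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
}

function createUser(PDO $pdo, string $username, string $password, int $level): void
{
    // PASSWORD_DEFAULT is currently bcrypt; a random salt is generated per hash,
    // so two users with the same password get different stored values.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, pass_hash, level) VALUES (?, ?, ?)');
    $stmt->execute([$username, $hash, $level]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pass_hash, level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for an unknown user.
    $storedHash = $row ? $row['pass_hash'] : DUMMY_HASH;
    if (!password_verify($password, $storedHash) || !$row) {
        return false;
    }

    // If the default algorithm or cost has changed since this hash was stored,
    // transparently upgrade it now that we have the plaintext.
    if (password_needs_rehash($row['pass_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET pass_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }

    // New session ID on privilege change, so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user']  = $username;
    $_SESSION['level'] = (int) $row['level'];
    return true;
}

// Replacement for the cookie-based check: the level comes from the session,
// which the user cannot edit. Lower number = more privilege, as in the post.
function requireLevel(int $maxLevel): void
{
    if (!isset($_SESSION['level']) || $_SESSION['level'] > $maxLevel) {
        http_response_code(403);
        exit("Hey! You're not supposed to be in here.");
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage at the top of an admin page (assumed page structure):
//   startSecureSession();
//   requireLevel(2);      // levels 1 and 2 continue; level 3 gets a 403
//   ... admin stuff ...
```

Two things worth checking when adopting this: make sure every admin page calls startSecureSession() before requireLevel(), and keep the existing "level" cookie out of the picture entirely, since anything the browser stores can be edited with a cookie editor. Without SSL the session cookie still travels in the clear on the network, but it is at least a random identifier rather than the privilege level itself.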