Hi Folks,
I'm a complete newbie to PHP and I'm just learning how to code. I've got some questions, so here we go. Firstly, I want to create a login system with rights management, i.e. normal visitors are allowed to view most parts of the page, logged-in users are allowed to view the whole page, and admins are allowed to change the page.
Secondly, I want to know how to manage a login request in general. Is it useful to store complete usernames / pwds in a MySQL database and compare them with the inputs made by the user? What should I pay special attention to? Is it safe to store the pwds decrypted in a database or do I have to encrypt them? Why? Where are the main security holes in this process?
I hope someone can help me out. Coding is not the problem for me; the point is that this whole login thing has to be secure. Since I'm not a hacker and don't know that much about PHP yet, I'm really not sure if it should be done this way.
I would really appreciate any suggestions about storing pwds in a database and generally storing usernames/pwds in databases, about the security holes, and whether there is one easy way to build a rights management.
Thanks in advance.
chross