Web Hosting Forum - Net Hosting Talk

We are a community of individuals and businesses passionate about web hosting. Let's build, learn, and grow together.

Security of a web access form

I have been asked to make a web application for a company that requires a username and password.

Whenever I have done something similar, I have placed a form (method: post and action: login.php) in the index. The form contains the typical user box and password.

The login.php receives the two parameters, and the combination (user-pass) in the user's table of the USERDB gives access to the client.

I am afraid that someone from the company will tell me this is not safe enough, since they are a serious company with very confidential information. Does this look right to you? Can anything be added to make it safer?

Thank you. Greetings
In principle it will always be the same structure; the security extras will mainly be jQuery / PHP checks and validations ...

To begin with, you can require secure passwords, as you have seen on many sites: the password must contain 1 digit, 1 uppercase letter and be at least 8 characters long ...

Strictly validate the data received in login.php before putting it into the SQL statement, and not the usual:
$user = $_POST['user'];
$contra = $_POST['contra'];
$sql = "SELECT * FROM users WHERE user = '$user' .....";

This is very insecure. You must take every aspect into account so that the work is very well done and at the same time lasts a long time without having to be tinkered with, which is the best!
Authentication via user and password is one of the most used methods, even more so in web environments. You should consider these aspects:

1. Make your web site secure: at least the login form and the authentication process should be accessible over HTTPS. I would go further: make your whole application accessible only over HTTPS.

2. Validate the data entered by the user on both the client and the server side.

3. Perform a check against CSRF attacks.

4. As @beverly explains, establish a secure password policy for your system.

5. Avoid SQL injection.

Where the users come from does not matter. In an enterprise environment your application could be integrated with a Windows Active Directory or similar, the users could be stored in your application's own database, or they could be reachable through a web service or REST API, but the procedure is always the same: validation, identification and authentication!
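The points above (HTTPS only, server-side validation, a CSRF check, no string-spliced SQL) put together in one login.php, as an added example that is not code from this thread. It assumes PDO, a `users` table with columns `user` and `password_hash` (hashes created with password_hash()), form fields named `user` and `contra`, and a CSRF token stored in the session when the form was rendered; all of those names are assumptions.

```php
<?php
// Added example: a hardened login.php. Table/column/field names are assumptions.
declare(strict_types=1);
session_start();

function csrf_token_is_valid(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time; a missing token fails closed.
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

function authenticate(PDO $db, string $user, string $password): bool {
    // Prepared statement: the username travels as a bound parameter, never
    // spliced into the SQL text, so quotes in $user cannot change the query.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Still run a hash computation for an unknown user so the response time
    // does not reveal whether the username exists.
    $hash = $row['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    return $row !== false && password_verify($password, $hash);
}

// Refuse anything that is not a POST arriving over HTTPS.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SERVER['HTTPS'])) {
    http_response_code(405);
    exit;
}
if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit;
}
// Server-side validation: the client-side jQuery checks can be bypassed.
$user     = trim((string) ($_POST['user'] ?? ''));
$password = (string) ($_POST['contra'] ?? '');
if ($user === '' || strlen($user) > 64 || $password === '') {
    http_response_code(400);
    exit;
}
$db = new PDO('mysql:host=localhost;dbname=USERDB', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
if (authenticate($db, $user, $password)) {
    session_regenerate_id(true);   // fresh session id on login (anti-fixation)
    $_SESSION['user'] = $user;
    header('Location: /home.php');
} else {
    http_response_code(401);       // same message for bad user and bad password
    echo 'Invalid credentials';
}
```

The error branch deliberately says nothing about which of the two values was wrong, and the PDO credentials here are placeholders to be replaced by the application's own.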