I'm making a login script the way I think it should be. But what is the difference between a secured and an unsecured login script? How do I know whether the script I made is secured or unsecured?
Securing logins is a really broad subject (e.g. SQL injection). Anyway, one way is to always put users into a session variable.
Are you keeping your login usernames in a database, or in the PHP processing file, or are you doing it via htaccess?
OK, thanks to you. Tell me, what's an unsecured login? Do you mean that file processing is an unsecured login? I just want to know the correct one!
Unless it has a different meaning for PHP developers, secured and unsecured normally refer to the protocol the data is submitted over. Unsecured would use HTTP; this isn't secure, as anyone sniffing packets along the route between client and server could pick up the username and password. Secured would do the same thing but over HTTPS; as the packets would be encrypted, the username and password could not generally be sniffed, although again there are ways of doing this. Both need the same level of input validation, for example against SQL injection. Of course, to do HTTPS properly you need an SSL certificate and a host that supports them (most do, but it tends to need configuring). Jen
An easy definition of a secured and an unsecured login process (script) would be: Unsecured: anything which can be spoofed, sniffed, hijacked or SQL injected will be considered unsecured. Secured: if you take care of all the security measures to prevent them, it will be considered secured. I don't want to go deep into this as it's a very vast subject. So, designing your login script and the authorized area by taking care of all the security measures will be considered secured, and leaving some loopholes for open attacks will be considered unsecured. Data encryption, protocols, and session and cookie controls will take you in the right direction. Regards, Gonzo
Secured? You're never truly secured. Do everything you can to secure sensitive information, especially credit card information, social security numbers, etc. There is also SQL injection, as mentioned. In each database query, you should be using mysql_real_escape_string to prevent most SQL injections. It isn't 100%; I also recommend using addcslashes to escape the % and _ signs. Never deal with social security numbers or CC information without SSL, period. Sites that use this type of information will always be the targets of really good hackers rather than a site that logs you in so you can talk on a forum. Also ensure that register_globals is off in PHP.
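Pulling the thread's advice together (keep the username out of the SQL, put the logged-in user in a session variable, read `$_POST` explicitly with register_globals off), here is an added example of a PHP login handler; it is not code from any of the posters. It uses a PDO prepared statement in place of the escaping functions mentioned above, and assumes a PDO connection `$pdo` and a `users` table with `id`, `username` and `password_hash` columns (all assumptions).

```php
<?php
// Added example, not from the thread. Assumes $pdo (a PDO connection) and a
// `users` table with columns `id`, `username`, `password_hash` (assumptions).

// Unsecured form: the submitted username is concatenated into the SQL text, so
// a quote character in it changes the meaning of the query (SQL injection).
function vulnerable_lookup(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, password_hash FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Secured form: a prepared statement sends the username as a bound value,
// never as SQL, so quotes, % and _ in it cannot alter the query.
function secure_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a stored password_hash() value, never a plaintext column.
    // A dummy hash is verified when the user does not exist so that response
    // time does not reveal which usernames are valid.
    $hash = $row['password_hash'] ?? password_hash('dummy-placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    // "Put users into a session variable": regenerate the session id first so
    // a session id fixed before login is not still valid afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Usage: with register_globals off, form fields are read from $_POST explicitly.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = secure_login(
        $pdo,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );
    echo $ok ? 'Logged in' : 'Invalid credentials';
}
```

The page should still be served over HTTPS as the earlier replies say; the prepared statement protects the query, not the credentials in transit.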