I create an extremely secure PHP Login Script using Regular Expressions, CAPTCHA, Encryption, Multiple Random Tokens and Session Token Regeneration.
If you can find a way in, I'd be interested to find out how.
Code is Here:
Web Design and Programming Pt 21
Comments
31 responses to “Web Design and Programming Pt 21”
-
Got it working but it always failed. I checked the code over and over. I even got a sample code using a previous version of captcha but that uses a class.function with just two arguments. When I use that one it also fails, but a positive fail: it never shows a success that it promised. No matter if I use the old widget that shows up or the new one that came from a div tag with my inline public key, it always says incorrect key. I looked at every " " and nothing. The code is perfect everywhere so I am thinking I can't use it offline. What do you think?
-
I got my public and private keys from Google but I think they are linked to a website? It says when I pass the pre-test that I need to register an API?
-
There is a new captcha that I got that is under the form. I tried to make both of them work but it doesn't.
Where do I put my private and public keys, which field and where exactly in the code? I am thinking you can't test on a localhost anymore with captcha? -
this is how to set up the server side of captcha but i have no clue what this means can someone please help me:
Verifying the user's response
This page explains how to verify a user's response to a reCAPTCHA challenge from your application's backend. When a reCAPTCHA is solved by an end user, a new field (g-recaptcha-response) will be populated in HTML. You can verify the user's response in one of three ways:
1. g-recaptcha-response POST parameter when the user submits the form on your site
2. grecaptcha.getResponse(opt_widget_id) after the user completes the CAPTCHA challenge
3. As a string argument to your callback function if data-callback is specified in either the g-recaptcha tag attribute or the callback parameter in the grecaptcha.render method
API Request
Parameter: Description
secret: Required. The shared key between your site and ReCAPTCHA.
response: Required. The user response token provided by the reCAPTCHA to the user and provided to your site on.
remoteip: Optional. The user's IP address. -
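The server-side check described in that pasted documentation, written out as an added example (this is not the tutorial's code nor the commenter's). It posts the secret, the response token and optionally the client IP to Google's documented siteverify endpoint (the URL is not quoted on this page) and treats anything other than an explicit success as a failed check. The secret value is a placeholder.

```php
<?php
// Added example, not the tutorial's code. Verifies a reCAPTCHA response token
// on the server. Field names follow Google's API; the secret is a placeholder.
declare(strict_types=1);

const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/**
 * Returns true only when Google confirms the token. Transport errors, a
 * non-200 reply, malformed JSON or a missing field all count as failure
 * (fail closed), so an outage can never let a login through.
 */
function verify_recaptcha(string $secret, string $response, ?string $remoteIp = null): bool
{
    if ($response === '') {          // widget never solved; no need to call out
        return false;
    }

    $fields = ['secret' => $secret, 'response' => $response];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }

    $ch = curl_init(RECAPTCHA_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true,  // keep TLS verification on; the secret travels in this request
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        return false;
    }

    $data = json_decode($body, true);
    return is_array($data) && ($data['success'] ?? false) === true;
}

// Usage inside the login handler. The widget adds the g-recaptcha-response
// field to the form, which is the first of the three ways listed above.
$secret    = 'PLACEHOLDER_SECRET_KEY';            // from the reCAPTCHA admin console
$token     = $_POST['g-recaptcha-response'] ?? '';
$captchaOk = verify_recaptcha($secret, $token, $_SERVER['REMOTE_ADDR'] ?? null);

if (!$captchaOk) {
    exit('Login failed.');   // same message as a bad password; do not say which check failed
}
```

The secret key belongs only in this server-side file; the public (site) key is the one that goes into the page markup for the widget. The check is deliberately silent about why it failed so that an attacker probing the form learns nothing from the response.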
Maybe there are really three files? Is all that code in the same first file, or maybe there is a login file?
-
I got the code off your site. Now where do I place the files, and with what permissions and which ownership?
thank you. learning a lot thanks to you. may you be blessed with a healthy, successful, fruitful, new year! -
I actually use frameworks for security now. Specifically I use Zend.
-
Wouldn't it be more secure to use prepared statements instead of putting the value inside single quotes? So you select username from users where user = ? and password = ?.
Then there are functions that fill in the ? marks' values. -
Sorry, but these PHP security tutorials are the only videos I have made on the topic. Some day I'll cover PHP like I have with Java.
-
Hi Derek, your videos are great. I'm just wondering if you have anything on PHP email security issues. Sorry I can't be more specific, but I'm sure anything in your mind can be very helpful. You are a true sharer and, again, thank you.
-
Not as far as I know. I checked and didn't dig up any
-
Are there any security risks associated with using MYSQL_ASSOC instead of MYSQL_NUM? It just seems like it's easier to find the data in the array that way.
-
Hi again Derek,
When sanitizing the user input data, is using the escape_data php function essentially the same as mysql_real_escape_string? -
Yes you are correct. Here is the full answer to your question: stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php
-
I'm a little confused here… So why are you using mysql_affected_rows and not mysql_num_rows in line 46?
The documentation says about mysql_affected_rows: "To retrieve the number of rows returned by a SELECT, it is *possible* to use mysql_num_rows()."
Is it possible, or recommended? I'm assuming both do the same thing.
But I remember you saying something about num_rows being insecure or something…
Did I miss something here?
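The prepared-statement lookup suggested a few comments up, together with the num_rows versus affected_rows distinction asked about here, as one added example (not the tutorial's code and not any commenter's). It uses mysqli: the SQL is fixed at prepare time and the username travels separately through bind_param, num_rows counts what the SELECT returned, and affected_rows counts what the UPDATE changed. The password is compared in PHP against a stored hash rather than inside the SQL. It assumes a `users` table with `username`, `password_hash` and `last_login` columns; the connection values are placeholders.

```php
<?php
// Added example, not the tutorial's code. Assumes a MySQL `users` table with
// `username`, `password_hash` and `last_login` columns; connection values are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false
$db = new mysqli('localhost', 'db_user', 'db_password', 'app_db');

// The pattern the question refers to builds the SQL text out of user input:
//   "SELECT username FROM users WHERE username = '$username'"
// so whatever the user typed becomes part of the statement. Below, the SQL is
// fixed at prepare() time and the value is sent separately via bind_param().

/**
 * Returns the stored password hash for a username, or null when no single
 * row matched. num_rows is the counter for a SELECT: the number of rows the
 * query returned, available once the result set has been stored.
 */
function find_user(mysqli $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();

    if ($stmt->num_rows !== 1) {   // 0: unknown user; >1: broken uniqueness, refuse to guess
        $stmt->close();
        return null;
    }

    $stmt->bind_result($hash);
    $stmt->fetch();
    $stmt->close();
    return $hash;
}

/**
 * affected_rows is the counter for INSERT/UPDATE/DELETE: here it tells us
 * whether the login-timestamp update really changed one row.
 */
function record_login(mysqli $db, string $username): bool
{
    $stmt = $db->prepare('UPDATE users SET last_login = NOW() WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $changed = $stmt->affected_rows === 1;
    $stmt->close();
    return $changed;
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$hash  = find_user($db, $username);
$valid = $hash !== null && password_verify($password, $hash);

if (!$valid) {
    exit('Login failed.');   // one message for unknown user and wrong password alike
}
record_login($db, $username);
```

Because mysqli_report is set to throw, a failed prepare or execute surfaces as an exception rather than a silent false that later code might mistake for "no rows"; in production that exception should be logged and turned into the same generic failure message.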
-
They look very similar, but I always use Google captcha.
-
Hey, I have a question. How much more secure is the reCAPTCHA you are using in this video than generating a captcha with GD?
-
Thank you 🙂 You could always surround any potentially harmful code with symbols that would negate it and then eliminate those symbols when they are displayed. As long as the comment never has the chance to execute it can do no harm.
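One concrete way to make sure comment text never executes when displayed, as an added example (not the tutorial's code): store the comment exactly as submitted and encode it on output with htmlspecialchars, so the browser shows the characters instead of interpreting them as markup. The sample comment is constructed.

```php
<?php
// Added example, not the tutorial's code. Encodes stored comment text at
// display time so that markup inside it is shown literally, not executed.
declare(strict_types=1);

/**
 * Returns the comment as text the browser will display verbatim. Every
 * character HTML could interpret (<, >, &, single and double quotes) is
 * replaced by its entity; invalid UTF-8 is substituted rather than dropped.
 */
function render_comment(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Same idea for values placed inside an HTML attribute, e.g. a data-* field;
 * ENT_QUOTES matters here because the attribute is delimited by quotes.
 */
function render_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a comment containing markup, stored unchanged in the database.
$stored = 'Great video! <b>bold</b> and a <script>/* anything */</script> tag';

// On the page the reader sees the tags as text; nothing inside them runs.
echo '<p data-author="' . render_attr('guest "user"') . '">' . render_comment($stored) . '</p>';
```

Encoding at output time rather than at storage time keeps the original text intact for other uses (an API, an e-mail notification) and means each output context gets the encoding it actually needs.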
-
Yes you should double and triple check everything. Soon I'll introduce some frameworks that will make securing a web application much easier
-
I've been wanting to cover design patterns for a long time. The tutorial after XML will be on design patterns
-
Always trust the code over what comes out of my mouth 🙂 I sometimes say silly things. I improv most of these tutorials and sometimes my words get jumbled up. I hope I don't do that much anymore
-
I know there are exploits for sha() and I should have used something more secure like aes. I'm not sure if I did this in the video, but I should have also added a random salt before encryption? This part of the tutorial needs to be redone. This was my first take at making a BIG tutorial and I'll fix it soon.
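As an added example of storing passwords with a random salt (not the tutorial's code): PHP's password_hash generates a fresh salt for every call and embeds it in the returned string, and password_verify reads it back out, so no separate salt column is needed. The sample passwords are constructed.

```php
<?php
// Added example, not the tutorial's code. Salted, slow password hashing with
// PHP's built-in functions (bcrypt under PASSWORD_DEFAULT at time of writing).
declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12]; // work factor; raise as hardware gets faster

/**
 * A random salt is generated inside password_hash() and stored in the
 * returned string, so two users with the same password get different hashes.
 */
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

/** Constant-time comparison against the stored hash, salt included. */
function check_password(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

/** True when the stored hash was made with weaker parameters than HASH_OPTIONS. */
function needs_upgrade(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS);
}

// Typical login flow: verify, then transparently re-hash old entries.
function login_check(string $password, string $storedHash, ?string &$newHash): bool
{
    $newHash = null;
    if (!check_password($password, $storedHash)) {
        return false;
    }
    if (needs_upgrade($storedHash)) {
        $newHash = hash_password($password); // caller writes this back to the users table
    }
    return true;
}

// Demonstration with constructed values, no database involved.
$h1 = hash_password('correct horse battery staple');
$h2 = hash_password('correct horse battery staple');
var_dump($h1 !== $h2);                                          // different salts
var_dump(check_password('correct horse battery staple', $h1));  // right password
var_dump(check_password('wrong password', $h1));                // wrong password

// Contrast with an unsalted fast digest: identical for every user who picked
// this password, and cheap to compute in bulk.
var_dump(sha1('correct horse battery staple') === sha1('correct horse battery staple'));
```

Run it and the first three dumps come out true, true, false: the two hashes of the same password differ because of their salts, yet both verify. The last dump is true, which is exactly the property a stored password hash should not have.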
-
After $u && $p && $captcha are true, can I pass the variables userid and pass to a class method of my user handler to do the rest? Is that secure?
-
@RedShadowHF Yes you could do that as well. Thanks for pointing that out
-
This rocks! Thanks bro. It helps a lot. God bless you.
-
@sie85 In future parts of this tutorial series I use it every time the user moves from page to page. I also force the session id to change each time they go to a new page.
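The per-page rotation described in that reply (a token kept in both the session and the user table, plus a fresh session id on every page), as an added example that is not the tutorial's code. It assumes the login script already stored `user_id` and `token_id` in the session and a matching `token_id` column in a `users` table; the connection values and the login page name are placeholders.

```php
<?php
// Added example, not the tutorial's code. Checks the per-request token held in
// the session against the one stored for the user, then issues a new token and
// a new session id, so a copied cookie or token stops working after one page.
// Assumes `users` has `id` and `token_id` columns; connection values are placeholders.
declare(strict_types=1);

session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'db_user', 'db_password', 'app_db');

/** 64 hex characters from the CSPRNG; unguessable and unique per page view. */
function new_token(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Returns true when the visitor's session token matches the database and has
 * been rotated; false (with the session torn down) otherwise.
 */
function rotate_session(mysqli $db): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['token_id'])) {
        return false;                               // not logged in
    }

    $stmt = $db->prepare('SELECT token_id FROM users WHERE id = ?');
    $stmt->bind_param('i', $_SESSION['user_id']);
    $stmt->execute();
    $stmt->bind_result($dbToken);
    $found = $stmt->fetch();
    $stmt->close();

    // hash_equals compares in constant time, so a wrong token takes as long as a right one.
    if (!$found || !hash_equals((string) $dbToken, (string) $_SESSION['token_id'])) {
        session_unset();
        session_destroy();                          // stale or replayed token: end the session
        return false;
    }

    $token = new_token();
    $stmt  = $db->prepare('UPDATE users SET token_id = ? WHERE id = ?');
    $stmt->bind_param('si', $token, $_SESSION['user_id']);
    $stmt->execute();
    $stmt->close();

    $_SESSION['token_id'] = $token;
    session_regenerate_id(true);                    // new session id; old id's data is deleted
    return true;
}

// Put this at the top of every protected page.
if (!rotate_session($db)) {
    header('Location: login.php');                  // placeholder page name
    exit;
}
```

The `true` argument to session_regenerate_id deletes the old session file so the previous id cannot be reused, and writing the new token to the database before regenerating means a request that arrives with the old token will fail the hash_equals check on the next page.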
-
Where do you use this token_id you store in the session and user table.
-
@derekbanas i've watched it, thx:)
-
@andreipreda07 Check out my php security pt 4 video. It will explain everything on how to create a new user registration script. If you have any questions after that just send them over. Thanks 🙂
-
Thx! This helped a lot, but I have some questions.
How do you store the users?
Can you make a new special table, or
do you have to use the user table from MySQL?