Login

Security related

         

Stuperfied

8:23 pm on Mar 23, 2006 (gmt 0)

10+ Year Member



Hello, firstly let me thank you all in advance. I am creating a login script and require some help with security. Here's what I am doing. The login page submits to php self then filters out invalid entries before header send via session variables to validate page. Validate page confirms login details then forwards to admin page.

When the login page filters out invalid entries, I need to protect against malicious scripts but I don't know what sort of things I should be protecting against. Can anyone suggest some security measures? I have already protected against blank fields.

jatar_k

8:27 pm on Mar 23, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



it just so happens we have a few threads in our library [webmasterworld.com] that cover this very thing

PHP User Authentication and Passwords [webmasterworld.com]
SQL Injection - What measures Should be Taken Against [webmasterworld.com]
PHP Security [webmasterworld.com]

Stuperfied

10:53 pm on Mar 23, 2006 (gmt 0)

10+ Year Member



Thanks, the topics have given me a lot of useful tools to work with now. I didn't realize just how many ways input and output could be abused.

I still do have a lot of questions and will probably want to have people check my scripts just to make sure I'm covering every possibility.

Should the form, filter and validator be all on the one page? Or should the form be on one page with the filter and validator on another? I ask this because in one of your posts you noted:

remember I could grab the action from your form, view source to get the form element names and throw together a quick curl script to submit the form.

I could probably figure out what is and isn't validated in a few hundred iterations, shouldn't take more than a minute or two.


How would I circumvent this?

jatar_k

11:46 pm on Mar 23, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



you just need to test every field, make sure what you are getting is what you want

>> Or should the form be on one page with the filter and validator on another

this is the way it should be

I don't like things that submit to self, bad idea, lots of issues, just doesn't work

>> still do have a lot of questions

and well you should. I still have lots of questions, I think that's what makes us better and better.

the moment we are convinced we know everything is the moment we know nothing ;)

Stuperfied

12:05 am on Mar 24, 2006 (gmt 0)

10+ Year Member



Ok, I have them on separate pages. What I have so far just makes sure they are not blank:

// initialize a session
session_start();

// validate form data: only a submission from the Login button is accepted
if (isset($_POST['submit']) and $_POST['submit'] == 'Login') {
    $_SESSION['submit'] = $_POST['submit'];
}
elseif (isset($_POST['submit']) and $_POST['submit'] != 'Login') {
    $_SESSION['submit'] = $_POST['submit'];
    header('Location: login.htm');
    exit; // header() alone does not stop the script
}

// trim only after checking the field exists, then keep it if not blank
$user = isset($_POST['user']) ? trim($_POST['user']) : '';
if (!empty($user)) {
    $_SESSION['user'] = $user;
}

$pass = isset($_POST['pass']) ? trim($_POST['pass']) : '';
if (!empty($pass)) {
    $_SESSION['pass'] = $pass;
}

// send the visitor back to the form if any field is missing
if (!isset($_SESSION['submit']) or !isset($_SESSION['user']) or !isset($_SESSION['pass'])) {
    header('Location: login.htm');
    exit;
}


I don't want to restrict people to alphanumeric usernames and passwords only, what types of things should I have my filter check for? Also, should I reject fields with them or render them harmless somehow? I have tried to come up with some ideas and so far I have:

<%
<?
<script
http:
hta
ftp:
file:
<meta
<link
<!--#

Also, I tried https in the action but it failed to load the page. I don't know much about it but I'm guessing I need a certificate for my server in order for it to work. Is there somewhere I can get a trusted free certificate?

jatar_k

12:14 am on Mar 24, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> but im guessing I need a certificate for my server

yes you do, I don't know of any free certs

You don't necessarily need https, it all depends on what you are protecting

Stuperfied

12:30 am on Mar 24, 2006 (gmt 0)

10+ Year Member



Yeah, in this case it's just for him to log in and update basic content on his site. The most it will be securing is his email really.

What I am concerned about is the fact that I can execute scripts in the value attributes of my form input fields. If I can do that, someone else can enter scripts directly into the input field itself. When I was making that message board, it got quite complicated. I was being told that I had to html encode the data and enclose it in pre tags, remove spaces, convert tags. Is that all really necessary or is there a simpler way of taking care of malicious scripts and still allowing users to apply basic html styles and use symbols to make their name look better?

jatar_k

12:33 am on Mar 24, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I think having an allowable set works for the most part

let them use b, colour and a few others

ban the rest

this way you create "expected input" and can disallow anything else
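
Added example, not part of the original thread: one way to build the "allowable set" described above is to escape everything first and then restore only a fixed list of attribute-free tag pairs. The function name `render_limited_html` and the tag list are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The tag list is an assumption.

/**
 * Escape all markup, then restore a fixed set of attribute-free tag pairs.
 * Anything that does not match stays escaped and renders as plain text.
 */
function render_limited_html(string $input, array $allowed = ['b', 'i', 'em', 'strong']): string
{
    // Step 1: neutralise every tag, ampersand and quote.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: re-enable only exact "<tag>...</tag>" pairs. A tag carrying
    // attributes, or one without its closing partner, does not match.
    // $allowed must contain plain tag names (letters only).
    $pattern = '~&lt;(' . implode('|', $allowed) . ')&gt;(.*?)&lt;/\1&gt;~is';
    do {
        // Repeat so that allowed tags nested inside each other are restored too.
        $safe = preg_replace($pattern, '<$1>$2</$1>', $safe, -1, $count);
    } while ($count > 0);

    return $safe;
}

// Constructed sample inputs.
$samples = [
    'Hello <b>bold <i>and italic</i></b> world',
    '<b onclick="x()">attributes are not in the allowed set</b>',
    '<script>x()</script> & an unclosed <b>',
];
foreach ($samples as $s) {
    echo render_limited_html($s), PHP_EOL;
}
```

Only the first sample comes back with live tags; the other two are shown to the reader as literal text.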

Stuperfied

1:18 am on Mar 24, 2006 (gmt 0)

10+ Year Member



I think I just answered my own question. I need another coffee, lol.

I believe any scripts entered into a form are executed first and then the resulting values are stored in the variables. I think this happens on the server side, so javascript could be used to police what they type in on the user's side but it would be a waste of time because they can just turn off javascript.

I only need to filter their input when I use it as output. Since I am just going to compare the input against the database values, there is no risk there.

Would addslashes be sufficient when outputting their input to a database? Or is there filtering to be done first?

IamStang

3:35 am on Mar 24, 2006 (gmt 0)

10+ Year Member



My opinion:

Filtering is >>>>>ALWAYS<<<<< needed! Never assume that the only person that is going to use your scripts is the owner.

If the info submitted by the user is only to contain letters, confirm it only contains letters and if not, show them an error and let them fix it. I use something along the lines of:

if (($username != "") && (!LettersAndNumbersOnly($username)))
{
    echo "ERROR: Username contains invalid characters.";
}

function LettersAndNumbersOnly($string)
{
    // strip every allowed character; anything left over is invalid
    // (preg_replace stands in for eregi_replace, which was removed in PHP 7)
    $leftover = preg_replace("/[A-Za-z0-9 ]+/", "", $string);
    if (empty($leftover))
    {
        return true;
    }
    else
    {
        return false;
    }
}

NOTE: the above function is for letters, numbers and spaces.

Like I said, it is my opinion and seems to be the opinion of the majority of coders.

Hope it helps.

Regards,
IamStang

Stuperfied

7:10 am on Mar 24, 2006 (gmt 0)

10+ Year Member



Can you give me an example of the potential exploits you are attempting to filter out, which could be used in a login form?

How can it really be exploited?
eg:


// escape the submitted values, then hash the password
$username = addslashes($_POST['username']);
$userpass = addslashes($_POST['password']);
$userpass = md5($userpass);

// look for exactly one row matching both values
$query = "select * from usertable where username='$username' and password='$userpass'";
$result = mysqli_query($connection, $query);

if (mysqli_num_rows($result) != 1) {
    $error = "Login failed";
}


I can see the point with something like a registration script which is probably going to display the data back to the user and output it to a database but how can a login script be exploited?
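
Added example, not part of the original thread: the same login check written with bound parameters instead of `addslashes`, and `password_hash`/`password_verify` instead of `md5`, so that usernames are not limited to letters and numbers. It uses PDO with an in-memory SQLite database so it runs offline; the `pass_hash` column and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory SQLite
// database so it runs offline; table layout and names are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usertable (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

function register(PDO $db, string $username, string $password): void
{
    // password_hash() adds a per-user salt and a work factor; md5() has neither.
    $stmt = $db->prepare('INSERT INTO usertable (username, pass_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep the values out of the SQL text, so no escaping
    // function is involved and quotes in a name are ordinary data.
    $stmt = $db->prepare('SELECT pass_hash FROM usertable WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no such user exists

    // Verify in PHP rather than comparing hashes inside the query.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample data: a name with a quote and symbols is stored as typed.
$name = "Pat O'Neil <3";
register($db, $name, 'correct horse');

var_dump(login($db, $name, 'correct horse'));        // matching credentials
var_dump(login($db, $name, 'wrong password'));       // wrong password
var_dump(login($db, "Pat O'Neil", 'correct horse')); // unknown username

// Escape at output time, for the context the value is written into.
echo 'Welcome, ', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

With mysqli, as used in the thread, the equivalent calls are `mysqli_prepare`, `mysqli_stmt_bind_param` and `mysqli_stmt_execute`.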