
Register script.


base

7:12 pm on Dec 16, 2008 (gmt 0)

10+ Year Member



Hi everybody.

I'm trying to create a secure login/register system for my site.
Could some of the experts give me a guide on how to do it, taking into account the security issues I should be aware of?

I've done a little research myself, and I want to do it myself from scratch.

I'm not looking for a tutorial, but only a guide (in words) on the proper steps to take in creating such a system.

The system has to contain a login page, a register page, an e-mail confirmation, and a session cookie.

The other features, such as "remember me", "forgotten password", etc, I'll figure out by myself.

Thank You very much, and I hope I'm not asking too much.

andrewsmd

8:10 pm on Dec 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That depends on what you mean by security. If you mean security due to financial or some other form of sensitive information then you need to get a certificate from some secure site such as godaddy.com. You then exchange that with the client once they provide proper login information which is usually stored in a MySQL database. You then need to check every time they request a page and make sure the IP address is the same, otherwise you need to force them to login. If you don't need to go as far as that and you just mean secure to the point of identifying people and associating content with a certain user, then using session variables is enough. Use a MySQL database once again to store their information like their username and password. Run a check against that when they log in. You can set a session variable equal to something and check that on every page to make sure they are logged in. If you can be more specific I can help you more; I have done this kind of thing before. I have developed a page that may be something of what you are talking about <snipped>. It has all of the forgot password, register and login pages. I don't send an e-mail confirmation, but I do send an e-mail on forgot password. Let me know if I can help more. Note: this site is not the https I was talking about with a certificate. That is a whole different ball of wax.

[edited by: coopster at 8:21 pm (utc) on Dec. 16, 2008]
[edit reason] no personal urls please TOS [webmasterworld.com] [/edit]

base

8:27 pm on Dec 16, 2008 (gmt 0)

10+ Year Member



Thanks for the reply.
I'm not planning to use the https protocol (for now :).
I do believe it's much simpler (for somebody who knows what they're doing).

I kind of figured out how to make a confirmation mail.
I generate a random number, put it in a get variable inside a link in the mail, retrieve it, compare it etc...
(Is this ok?)

What I'm not actually sure of is: what is the purpose of an MD5 encrypted password stored in a database?
Why not just store as plain text?

andrewsmd

8:58 pm on Dec 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Your confirmation e-mail sounds exactly right. MD5 is usually used for large corporations because a DBA can see the passwords saved in a database. If you store them with MD5 then that DBA can access the user's password but it will look like a random string, and thus the DBA can only see the encrypted version. If you're not worried about anyone being able to view your database information then storing them as text is fine. Since there is no decryption for MD5, if you store them that way, then when you check a username and password you have to check the MD5 versions. i.e.
// assumes an open mysqli connection in $db and that the users table
// holds md5() digests of both the username and the password
$pw = md5($_POST['password']);
$un = md5($_POST['username']);
// md5() returns hex characters only, but quote and escape the value anyway
$query = "SELECT password FROM users WHERE username = '" . $db->real_escape_string($un) . "'";
$row = $db->query($query)->fetch_assoc();
if ($row === null || $pw !== $row['password']) {
    // the login is bad
} else {
    // redirect them to the page they requested
}
this is assuming in your database you have stored the username and passwords with the MD5 encryption. Once again, if this is just you managing it and you are running your own MySQL server then you probably don't need to worry about MD5.

Keep shooting me posts and I can walk you through this on as basic of a step by step as you need.

base

9:41 pm on Dec 16, 2008 (gmt 0)

10+ Year Member



I have one more question (for now).
It involves the forgotten password (or e-mail confirmation) feature.

Let's say i store the random number for the confirmation (or fpass) in a separate table only for those numbers.
(Don't know if it's a good approach?)

How do I set the automatic deletion of the number if the user doesn't click the link (in 24 hours, for example)?

Thanks for Your help andrewsmd.

andrewsmd

10:00 pm on Dec 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There are a few ways to go about this. You can implement time checks with MySQL but they are very messy and I like to use MySQL as little as possible. So how I would do it is with a unix timestamp from PHP. This is just pseudocode, mind you.
have a table that is structured something like this
id ¦ username ¦ randomLink ¦ password ¦ unixTime ¦

When they enter their e-mail address in the forgot password form, remove them from your users and enter their information into the forgot password table along with the unix time of when they submitted.
A unix timestamp is the number of seconds since some year (1970-something); anyway, 24 hours would be 60 * 60 * 24 (seconds, minutes, hours). So when the user clicks on their random link you could store that link in a session variable and redirect them to a password reset form.
Once they reset their password you can select from that table where the link in the session variable matches the link in the table and it is not less than the current unix time minus 60 * 60 * 24 (that would be minus one day). If it's greater than that then they did not click it in time. Also I would schedule a script to run every hour to go through that table and take anything a day old and re-insert it back into your user table. Let me know if you need more specifics.
I know there is MySQL syntax to look for stuff based on time but I don't know it at all. Like I said, I like to use as much PHP as possible.
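The confirmation-link flow base described (random value in a GET parameter, compared on click) and the timestamped table with a 24-hour window sketched above, written out as an added example that is not code from this thread or from either poster. It assumes PHP 7.4 or later, PDO with the pdo_sqlite driver so it runs offline (swap the DSN for your MySQL one), and an assumed table `tokens` with columns `user_id`, `token_hash` and `expires_at`. Two choices worth noting: the token comes from the CSPRNG rather than rand(), and only a SHA-256 digest of it is stored, so a copy of the table cannot be turned into working links.

```php
<?php
// Added example, not from the thread. Table/column names are assumptions.
declare(strict_types=1);

const TOKEN_TTL = 60 * 60 * 24; // 24 hours in seconds

function openStore(): PDO
{
    // pdo_sqlite in-memory DB stands in for MySQL so the example runs offline.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE tokens (
        user_id    INTEGER NOT NULL,
        token_hash TEXT    NOT NULL UNIQUE,
        expires_at INTEGER NOT NULL
    )');
    return $pdo;
}

// Issue a token for a user and return the secret that goes into the e-mail link.
function issueToken(PDO $pdo, int $userId, int $now): string
{
    // 32 bytes from the CSPRNG, not rand()/mt_rand(), so the link cannot be guessed.
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), $now + TOKEN_TTL]);
    return $token;
}

// Redeem the value from the ?token=... link. Returns the user id, or null when the
// token is malformed, unknown or expired. A found token is deleted so it works once.
function redeemToken(PDO $pdo, string $token, int $now): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // reject anything that is not a 64-hex-char token before touching the DB
    }
    $digest = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT user_id, expires_at FROM tokens WHERE token_hash = ?');
    $stmt->execute([$digest]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $pdo->prepare('DELETE FROM tokens WHERE token_hash = ?')->execute([$digest]);
    if ((int)$row['expires_at'] < $now) {
        return null; // clicked after TOKEN_TTL: treated exactly like an unknown token
    }
    return (int)$row['user_id'];
}

// Housekeeping for rows nobody ever clicked. Call this from a cron-run script, or let
// MySQL 5.1+ do it on its own with an event such as:
//   CREATE EVENT purge_tokens ON SCHEDULE EVERY 1 HOUR
//     DO DELETE FROM tokens WHERE expires_at < UNIX_TIMESTAMP();
function purgeExpired(PDO $pdo, int $now): int
{
    $stmt = $pdo->prepare('DELETE FROM tokens WHERE expires_at < ?');
    $stmt->execute([$now]);
    return $stmt->rowCount();
}

// Walk-through with a fixed clock so the expiry can be exercised deterministically.
$pdo = openStore();
$now = 1229472000;                                    // constructed: 2008-12-17 00:00:00 UTC
$link = issueToken($pdo, 42, $now);
issueToken($pdo, 7, $now - TOKEN_TTL - 1);            // issued 24h+1s ago and never clicked

var_dump(purgeExpired($pdo, $now));                   // the stale row is removed
var_dump(redeemToken($pdo, $link, $now + 3600));      // clicked an hour later: resolves to user 42
var_dump(redeemToken($pdo, $link, $now + 3600));      // second click: token already consumed
var_dump(redeemToken($pdo, 'deadbeef', $now));        // malformed value never reaches the DB
```

The same prepared-statement style applies to the login and registration queries: the thread's string-interpolated queries are where SQL injection gets in, and binding parameters removes that class of bug regardless of what the user types.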

eelixduppy

10:10 pm on Dec 16, 2008 (gmt 0)



>> Since there is no decryption for MD5 if you store them that way

MD5 encryption by itself is not as safe as it should be anymore, and therefore it is recommended to also add a random seed to the password you are encrypting. For instance, let's say this is what you are putting into the database:


md5($password.'some_seed');

This ensures that even if the password is a common word that a reverse look-up of the encrypted string cannot be found. Of course, your seed has to be kept the same throughout otherwise you will not be able to compare the password when entered.
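The seed above is shared by every account, so two users with the same password still get the same digest. The added example below (not code from this thread) puts that side by side with PHP's password_hash(), which draws a fresh random salt per call and uses a deliberately slow hash (bcrypt by default), and shows the rehash-on-login pattern. It assumes PHP 7.4 or later; the sample passwords are constructed.

```php
<?php
// Added example, not from the thread.
declare(strict_types=1);

const SITE_SEED = 'some_seed'; // the single fixed seed from the post above

// The approach suggested above: one secret seed for every account.
function seededMd5(string $password): string
{
    return md5($password . SITE_SEED);
}

// Recommended: password_hash() embeds a per-call random salt and the cost factor in
// its output, so identical passwords produce different stored strings and every guess
// an attacker makes against a leaked table costs a full bcrypt computation.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify at login and transparently upgrade hashes made with an older cost setting.
// Returns [verified, storedHashToWriteBack].
function verifyPassword(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return [true, $stored];
}

// Two users who happened to pick the same password (constructed sample data).
$alice = 'correct horse';
$bob   = 'correct horse';

// Shared seed: equal passwords give equal digests, so anyone reading the table sees
// which accounts share a password, and one cracked digest opens all of them.
var_dump(seededMd5($alice) === seededMd5($bob));

// password_hash(): the stored strings differ, yet each still verifies.
$aliceStored = storePassword($alice);
$bobStored   = storePassword($bob);
var_dump($aliceStored !== $bobStored);
[$ok, $updated] = verifyPassword('correct horse', $aliceStored);
var_dump($ok);
[$ok, $updated] = verifyPassword('wrong horse', $aliceStored);
var_dump($ok);
```

When the second element returned by verifyPassword() differs from what was read from the database, write it back; that is how a site moves its users to a stronger cost setting without forcing a password reset.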

base

10:29 am on Dec 17, 2008 (gmt 0)

10+ Year Member



It seems like a good idea using the unix time stamp, but if it happens so that there are a lot of users (or bots) trying to register I could have my table get filled up with unnecessary data.

Is there a way to periodically delete such data?

I wonder how it's done on a forum system.

base

4:58 pm on Dec 17, 2008 (gmt 0)

10+ Year Member



Does anybody know?

andrewsmd

5:52 pm on Dec 17, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Assuming that you have stored a unix timestamp in your table that holds your form information then you can create a php script like this.

// the current time as a unix timestamp (seconds since 1970-01-01 UTC)
$time = time();

// change this to the number of days before
// the current day that
// you want to keep things.
$numOfDays = 1;

// one day is 60 seconds * 60 minutes * 24 hours
$cutoff = $time - 60 * 60 * 24 * $numOfDays;

// this will remove anything older than $numOfDays days;
// to keep more history just raise $numOfDays, i.e. 10 for ten days
// (replace `table` and columnUnixTime with your own names)
$query = "DELETE FROM `table` WHERE columnUnixTime < {$cutoff};";

connect with that query and tada! everything older than one day is gone.

base

6:09 pm on Dec 17, 2008 (gmt 0)

10+ Year Member



>>>connect with that query and tada

that would mean i would have to regularly maintain the database manually?

andrewsmd

9:03 pm on Dec 17, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I was under the impression you already had a MySQL database. Have you not read any of my other posts? They have mentioned MySQL multiple times. How else were you planning on storing your user data? What I mean is, if john.smith logs in, how are you going to know what his password is and what to associate with john.smith? If you have a PHP server, setting up a MySQL database is not really that hard. Just Google a how-to.

base

9:14 pm on Dec 17, 2008 (gmt 0)

10+ Year Member



I do have one :D
How did you get the impression that I don't?

I have posted another topic related to this.

>>that would mean i would have to regularly maintain the database manually<<

If You are referring to this above, I am looking for something to do the lookup and erase unnecessary table rows by itself.

That means that it has to be triggered by itself, not by a user action.

p.s.
>>connect with that query and tada<<

I'm trying to find something (possibly a cron job?) to do that by itself, in a given time interval.

andrewsmd

9:24 pm on Dec 17, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I apologize, I misunderstood what you meant. If you are running a Linux box then it is cron; if you are running Windows then you would just use Windows Scheduler to schedule the job. Basically you create a PHP file that does the SQL you need it to and schedule it. I run a Windows Apache box so I can't tell you the exact syntax on cron, but I can give you a step by step to schedule it in Windows. Let me know.

base

9:26 pm on Dec 17, 2008 (gmt 0)

10+ Year Member



I am doing it on a shared host, as I mentioned it in that other topic :).

Any ideas maybe?

andrewsmd

9:32 pm on Dec 17, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can schedule it from your machine locally. Are you running a Windows machine yourself?

base

9:53 pm on Dec 17, 2008 (gmt 0)

10+ Year Member



Yes, but i don't quite get what you mean by that.

I know there must be some kind of feature in MySql that allows something like that.

andrewsmd

10:18 pm on Dec 17, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



As I said earlier, you may want to put up a MySQL post to look for a trigger or stored procedure; I'm not a MySQL guy. What I was going to mention is that on your Windows machine locally you can create a batch file with this syntax:

XP IE user
start iexplore www.someaddress.com
ping -n 60 127.0.0.1
taskkill /f /im iexplore.exe

XP Firefox user
start firefox www.someaddress.com
ping -n 60 127.0.0.1
taskkill /f /im firefox.exe

Vista IE user
start iexplore.exe www.someaddress.com
ping -n 60 127.0.0.1
taskkill /f /im iexplore.exe

Vista Firefox user
start firefox.exe www.someaddress.com
ping -n 60 127.0.0.1
taskkill /f /im firefox.exe

Save that in Notepad as whateveryouwant.bat; make sure it has a .bat extension (the icon will look like two little gears).
www.someaddress.com is the address of the PHP file you created that cleans out your MySQL table.
Then go to Control Panel > Scheduled Tasks and schedule that file to run as often as you want. The ping -n 60 127.0.0.1 is just to pause to let the script run; change the 60 higher or lower to make it wait longer or less.

base

10:25 pm on Dec 17, 2008 (gmt 0)

10+ Year Member



I'll save this for future reference.
Thanks andrewsmd, you're a kind man. :D

milocold

11:37 am on Dec 18, 2008 (gmt 0)

10+ Year Member



Hi,

MySQL 5.1 has an Event feature that seems to be like MSSQL's Job Scheduler. Might wanna check into that...

I found this example on mysql's site:


CREATE EVENT
e /* Event name */
ON SCHEDULE
EVERY 1 WEEK /* Interval */
DO
INSERT INTO t VALUES (0); /* SQL statement */

-M. Cold