User Management Explained: Overview

In this article we will look at how to create a secure user management module. No user authentication or user management script can ever be one hundred percent secure, but we can try to use the tools that are available to us to their maximum, and thereby make it difficult for malicious users to hack our scripts.

 Among the topics that we will be looking at are:

  • Data Validation

  • Password encryption methods

Data Validation

You’ve probably heard a lot about data validation if you’ve been developing websites for a while. Basically data validation involves making sure that the data is what you expect it to be. Most of the data that enters an application comes through an HTML form. This data is usually put into the form by a user.

Most websites will take some kind of user input, and contrary to popular belief, this data is not always accurate and can be downright dangerous to your website and application. For this reason, you should not trust any data that comes from outside your application; in addition, you should make provisions for this kind of data by making sure that appropriate validation methods are available if a user does input "faulty" data. For example, take a look at the following form:


<?php

//validate data
//1. Check if the name field is filled in:
//2. Check if it is the correct length
//3. Check if it is valid i.e. it contains only letters

if(isset($_POST['Submit'])){

    $err=FALSE;
    $error="<ul>";

    if(empty($_POST['name'])){
        $err=TRUE;
        $error .="<li>Please enter a name.</li>";
    }

    //the name may be eight characters at most
    if(strlen($_POST['name']) > 8){
        $err=TRUE;
        $error .="<li>Please enter a valid name.</li>";
    }

    //preg_match() replaces eregi(), which was removed in PHP 7;
    //the D modifier stops $ from matching before a trailing newline
    if(!preg_match('/^[[:alpha:].\'-]{2,8}$/D',$_POST['name'])){
        $err=TRUE;
        //append with .= so the earlier messages are not overwritten
        $error .="<li>The name should only contain letters.</li>";
    }

    if(empty($_POST['age'])){
        $err=TRUE;
        $error .="<li>Please enter an age.</li>";
    }

    if(!is_numeric($_POST['age'])){
        $err=TRUE;
        $error .="<li>The age that you entered is not a number. Please check and try again</li>";
    }

    //close the list once, after all of the checks have run
    $error .="</ul>";

}//end submit

?>



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title>Untitled Document</title>

<style type="text/css">

<!--

.style2 {font-size: 36px}

-->

</style>

</head>


<body>

<form id="form1" name="form1" method="post" action="form.php">

<table width="100%" border="1">

<tr>

<td colspan="2"><?php

//only show the list when a check actually failed

if(!empty($err)){

echo "<b>The following errors occurred:</b><br>".$error;

}

?></td>

</tr>

<tr>

<td colspan="2">&nbsp;</td>

</tr>

<tr>

<td colspan="2"><span class="style2">Please enter your name and age below: </span></td>

</tr>

<tr>

<td width="9%">&nbsp;</td>

<td width="91%">&nbsp;</td>

</tr>

<tr>

<td><strong>Name:</strong></td>

<td><label>

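<input name="name" type="text" id="name" size="40" value="<?php

if(isset($_POST['name'])){

//escape the value so that quotes or tags in the input cannot break out of the attribute

echo htmlspecialchars($_POST['name'], ENT_QUOTES);

}?>"/>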

</label></td>

</tr>

<tr>

<td><strong>Age:</strong></td>

<td><label>

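<input name="age" type="text" id="age" size="40" value="<?php

if(isset($_POST['age'])){

//escape the value so that quotes or tags in the input cannot break out of the attribute

echo htmlspecialchars($_POST['age'], ENT_QUOTES);

}?>"/>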

</label></td>

</tr>

<tr>

<td>&nbsp;</td>

<td><label>

<input type="submit" name="Submit" value="Submit" />

</label></td>

</tr>

</table>

</form>

</body>

</html>

Form Explained

The form above requires the user to input two pieces of information, a name and an age. We know that a name consists of letters (there are some exceptions) so we need to have some kind of validation method to ensure that the name is in the correct format. Secondly, assuming that the information entered by the user will be entered into some kind of storage mechanism, we need to make sure that the data is not empty. And finally, we might want the length of the name to be eight characters maximum.

The age is fairly simple. We know that the age of a person is numeric, so we expect numbers only, not letters. Assuming that the data entered by a user is going into a database, it would crash your script and possibly create a security vulnerability if the age that is entered is not a number. So it is important to check that the entered data is actually a number and not anything else. To do this we will use the is_numeric() function which checks to see if a given value is a number or not. Below is the portion of the page that puts the above in practice:


<?php

//validate data
//1. Check if the name field is filled in:
//2. Check if it is the correct length
//3. Check if it is valid i.e. it contains only letters

if(isset($_POST['Submit'])){

    $err=FALSE;
    $error="<ul>";

    if(empty($_POST['name'])){
        $err=TRUE;
        $error .="<li>Please enter a name.</li>";
    }

    //the name may be eight characters at most
    if(strlen($_POST['name']) > 8){
        $err=TRUE;
        $error .="<li>Please enter a valid name.</li>";
    }

    //preg_match() replaces eregi(), which was removed in PHP 7;
    //the D modifier stops $ from matching before a trailing newline
    if(!preg_match('/^[[:alpha:].\'-]{2,8}$/D',$_POST['name'])){
        $err=TRUE;
        //append with .= so the earlier messages are not overwritten
        $error .="<li>The name should only contain letters.</li>";
    }

    if(empty($_POST['age'])){
        $err=TRUE;
        $error .="<li>Please enter an age.</li>";
    }

    if(!is_numeric($_POST['age'])){
        $err=TRUE;
        $error .="<li>The age that you entered is not a number. Please check and try again</li>";
    }

    //close the list once, after all of the checks have run
    $error .="</ul>";

}//end submit

?>

Script Explained

To start with, the script lists the steps that you need to take when working with form data. The first step is of course to validate the form data. This includes:

  • Checking if the name field is filled in.

  • Checking if it is the correct length.

  • Checking if it is valid, i.e. it contains only letters.

We can do this because we know what type of data we expect our application to be processing. Also we have put in some restrictions on the length that the name should be; in addition, we check to see if the value contains the right type of data. All of this is designed to ensure that any malicious user has a difficult time trying to carry out an attack.

//validate data

//1. Check if the name field is filled in:

//2. Check if it is the correct length

//3.Check if it is valid i.e it contains only letters


The code then checks to see if the form has been submitted:


if(isset($_POST['Submit'])){

Once the form has been submitted, the first checks are carried out. This includes checking to see if the values are empty. This is achieved by using the very useful empty() function:

$err=FALSE;

$error="<ul>";


if(empty($_POST['name'])){

$err=true;

$error .="<li>Please enter a name.</li>";

}

Then we check that the name is no longer than eight characters:

if(strlen($_POST['name']) > 8){

$err=true;

$error .="<li>Please enter a valid name.</li>";

}


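The last check is to make sure that the value actually contains only letters. We use a regular expression (the preg_match() function; the older eregi() function was removed in PHP 7) to check:


//the D modifier stops $ from matching before a trailing newline

if(!preg_match('/^[[:alpha:].\'-]{2,8}$/D',$_POST['name'])){

$err=TRUE;

//append with .= so the earlier messages are not overwritten

$error .="<li>The name should only contain letters.</li>";

}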


The age of the user is put through almost the same checks. Since we are dealing with a number, one of the checks includes testing the value to see if it is actually numeric. The is_numeric() function is used for this purpose:


if(empty($_POST['age'])){

$err=true;

$error .="<li>Please enter an age.</li>";

}


if(!is_numeric($_POST['age'])){

$err=true;

$error .="<li>The age that you entered is not a number. Please check and try again</li>";

}

//close the list once, after all of the checks have run

$error .="</ul>";
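The same checks gathered into one function and run over constructed submissions, as an added example that is not part of the original article. It also shows that is_numeric() accepts values such as "1e3", "4.5" and "-5", so this sketch validates the age with filter_var() and an integer range instead; the function name validate_person() and the 0 to 130 range are assumptions.

```php
<?php
// Added example: validate_person(), the age range and the samples are constructed.

function validate_person(array $post): array
{
    $errors = [];
    $name = isset($post['name']) ? trim((string) $post['name']) : '';
    $age  = isset($post['age'])  ? trim((string) $post['age'])  : '';

    // Name: required, 2 to 8 characters, letters plus . ' - only.
    // The D modifier stops $ from matching before a trailing newline.
    if ($name === '') {
        $errors[] = 'Please enter a name.';
    } elseif (!preg_match('/^[[:alpha:].\'-]{2,8}$/D', $name)) {
        $errors[] = 'The name should be 2 to 8 letters.';
    }

    // Age: required whole number in a plausible range (assumed 0 to 130).
    // Comparing with '' instead of calling empty() keeps an age of "0" valid,
    // because empty("0") is true.
    $int = filter_var($age, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 130]]);
    if ($age === '') {
        $errors[] = 'Please enter an age.';
    } elseif ($int === false) {
        $errors[] = 'The age must be a whole number between 0 and 130.';
    }

    return $errors;
}

// Constructed sample submissions.
$samples = [
    ['name' => "O'Neil",    'age' => '34'],
    ['name' => 'Bob',       'age' => '1e3'],
    ['name' => 'Al<b>',     'age' => '-5'],
    ['name' => 'Anna',      'age' => '4.5'],
    ['name' => 'Mary',      'age' => '0'],
    ['name' => 'Johnathan', 'age' => ''],
];

// Print each sample, what is_numeric() says about the age, and the result.
foreach ($samples as $s) {
    $errors = validate_person($s);
    printf("%-12s %-4s is_numeric=%-6s %s\n",
        json_encode($s['name']), $s['age'],
        var_export(is_numeric($s['age']), true),
        $errors ? implode(' | ', $errors) : 'OK');
}
```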

Password Encryption Methods

You should never store user passwords in plain text, because once a hacker accesses your database, it will make it easy for him or her to get hold of your user data. You are encouraged to scramble or encrypt your passwords before sending them to your database.

PHP offers a couple of methods that you can use to scramble a user’s password. One of them is one-way encryption, also called hashing. This basically means that a password cannot be decrypted once it is hashed. The other is to encrypt passwords when sending them to the database, and to decrypt them when retrieving them from the database. Of the two, the first one is the more secure, because the stored value cannot be decrypted back into the password; a SHA1 hash is a forty-character hexadecimal string. PHP provides us with a function called SHA1() that calculates the hash of a string. This function takes a string parameter and has the following syntax:


SHA1(Stringparameter)


An example script might look something like this:


<?php

$string ='mystring';

echo "The hashed value for <b>".$string."</b> is: ".SHA1($string);

?>


Below is a screen shot of the results for the above script:


 

Now, let’s write the code that checks to see if a given value matches a hash string:


<?php

$string ='mystring';

echo "The hashed value for <b>".$string."</b> is: ".SHA1($string);


$hashedval = SHA1($string);


//compare the hash itself; hashing $hashedval a second time would never match

if($hashedval === '9ce3ea4d6fac2165933b3971e6d5a13753c7d878') {

echo "The string matches the hash value";

}else{

echo "The string does not match the hashed value";

}

?>


The newly calculated value for the $string variable is stored in another variable called $hashedval. The second part of the code then tests the given hash value with the given string (mystring):


$hashedval = SHA1($string);


if($hashedval === '9ce3ea4d6fac2165933b3971e6d5a13753c7d878') {

echo "The string matches the hash value";

}else{

echo "The string does not match the hashed value";

}
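For stored passwords specifically, an unsalted SHA1 hash is fast to guess offline and gives every user with the same password the same stored value; PHP 5.5 and later provide password_hash() and password_verify() for this job. The following is an added example, not code from the original article, that also upgrades an existing SHA1 value at login; the function names register_password() and check_login() and the sample password are constructed.

```php
<?php
// Added example: function names and the sample password are constructed.

// Hash a new password for storage. password_hash() generates a random salt and
// embeds the algorithm, cost and salt in the string it returns.
function register_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Verify a login attempt against the stored value.
// Returns [bool $ok, ?string $newHash]; when $newHash is not null the caller
// should write it back to the database in place of the old value.
function check_login(string $plain, string $stored): array
{
    if (preg_match('/^[0-9a-f]{40}\z/', $stored)) {
        // Legacy unsalted SHA1 value: compare in constant time, then upgrade.
        $ok = hash_equals($stored, sha1($plain));
        return [$ok, $ok ? password_hash($plain, PASSWORD_DEFAULT) : null];
    }
    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    // Re-hash when PASSWORD_DEFAULT has moved on to stronger settings.
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($plain, PASSWORD_DEFAULT)
        : null;
    return [true, $newHash];
}

$password = 'correct horse battery staple'; // constructed sample

// SHA1 gives the same output for the same input on every call, while
// password_hash() uses a fresh salt, so two stored values for one password differ.
var_dump(sha1($password) === sha1($password));
var_dump(register_password($password) === register_password($password));

// A row that still holds a SHA1 value verifies once and yields a replacement.
list($ok, $upgraded) = check_login($password, sha1($password));
var_dump($ok, $upgraded !== null);

// The replacement verifies from then on, and a wrong guess is rejected.
var_dump(check_login($password, $upgraded)[0]);
var_dump(check_login('wrong guess', $upgraded)[0]);
```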


In our next article, we will build a login system that will put into practice the topics we just discussed.
