PHP Login System Questions

I have read a lot of these but I have a few questions that I think aren't adequately a开发者_运维百科nswered. If there is a link, please refer me to it and I'll be grateful.

I have a PHP login system and it will be a community site where users will register and login. Now I need your help in these things:

1. What hashing algorithm is enough for most of sites (WP, Joomla, FB, et al)? simple MD5 with salt? or what?
2. What are attacks I have to deal with that are, apart form top secret sites, existing in community driven site (Juts list of them and may be short explanation of what they are)
3. What is the best among PDO and MySQLi (I saw PHP recommends the latter but I would like to hear from you guys)

Thanks a lot, Stefano

1. What hashing algorithm is enough for most of sites (WP, Joomla, FB, et al)? simple MD5 with salt? or what

You should use MD5 with a salt as a bare minimum. Ideally you should use a different hashing algorithm, as MD5 has been proven to be fairly insecure in comparison to other available algorithms. Have a look at the different available ones here hash(). Personally I would use SHA512, with a per-user salt.

Using a per-user salt means that any attacker who gets ahold of your database would have to crack the passwords on a per-user basis, rather than cracking them all at once.

2. What are attacks I have to deal with that are, apart form top secret sites, existing in community driven site

The main attacks would be SQL Injection attacks (either to steal a database, or to inject malicious code into your site). This can also be coupled with a Cross-Site Scripting attack, which could allow an attacker to place their own code onto your site (such a <script> tag), to infect users with viruses.

These two attacks can be mitigated by escaping any variables that are going into your database, and also stripping out any HTML (or special characters) in any user-submitted data.

3. What is the best among PDO and MySQLi

This question I will leave someone else to answer - I'm not as clued up on the differences.

Hope this helps

2) You need to be particularly careful of SQL Injection attacks and XSS (Cross Site scripting). See https://www.owasp.org/index.php/OWASP_Top_Ten_Project for more attack vectors.

3) I've only used MySQLi but thought it was a decent library

I don't think MD5 is very good, hence this MD5 decoder: http://www.md5decrypter.com/

Personally, I use SHA1. The SHA1 decoder I found online does not work. Some say that SHA1 is slower but I cannot understand why you would care if you are just using it for logging in.

Mysqli should prevent injection attacks.

Be sure not to give away too much information on failed log in attempts. Example of bad: "We recognize your username but your password is incorrect" Example of good: "The username and password do not match" --> use this for all failed logins, even if the username is NOT in the database.