Basic homebrew CMS


Dasher
06-11-2009, 06:03 PM
I am putting together a little CMS for a website, just hand coding some PHP and MySQL. It seems to be working ok. Still need some tweaks on the display side.

I have a philosophical question. Since this is pretty basic, I created a table for storing a user name and encrypted password, another table for the content. When I create content a form comes up with entry for user name and password, and then you have additional inputs for titles, dates, and the actual content. (It uses an open source editor for the content.)

When the form is submitted it first checks to see that it is a valid username, and compares the password with the encrypted one using crypt(). Once this is verified it goes ahead and inserts the data into the database.

My question is one of security: does this appear to be secure enough? Only I have access to the user and password table, and there will be a limited number of users. Seed values for the PW encryption are also stored there. One does not really log in; the security is checked one time when the form is submitted.

To create a user I enter my username and password and then the new username and password twice and the seed to create a new user. This undergoes the same checks: am I a registered user, and if so insert the new user data. I suppose I could log the IP address, but that would require the user to be at the same location, and not mobile on a laptop.
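
The check-then-insert flow described in the post, as an added example that is not the poster's code: credentials are verified against a crypt()-format hash, and the content is inserted only on success, through bound parameters. It assumes a current PHP with `password_hash()`/`password_verify()` and PDO; the table and column names are hypothetical, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example. Table/column names (users, content, pw_hash) are assumptions;
// in-memory SQLite stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE content (id INTEGER PRIMARY KEY, author TEXT, title TEXT, body TEXT)');

// Constructed sample user. password_hash() returns a crypt()-format string
// that embeds the algorithm, cost and salt, so the salt travels with the
// hash instead of living in its own column.
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['dasher', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hash checked when the username is unknown, so a missing user takes about
// as long to reject as a wrong password.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function verifyUser(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // password_verify() re-hashes with the salt stored in the hash string
    // and compares the result in constant time.
    $ok = password_verify($password, $hash === false ? DUMMY_HASH : $hash);
    return $ok && $hash !== false;
}

function submitContent(PDO $db, array $form): bool
{
    if (!verifyUser($db, $form['username'] ?? '', $form['password'] ?? '')) {
        return false; // reject before touching the content table
    }
    // Bound parameters keep the title and body text out of the SQL statement.
    $stmt = $db->prepare('INSERT INTO content (author, title, body) VALUES (?, ?, ?)');
    return $stmt->execute([$form['username'], $form['title'] ?? '', $form['body'] ?? '']);
}

// Constructed form submissions.
$good = ['username' => 'dasher', 'password' => 'correct horse', 'title' => "It's live", 'body' => '<p>Hello</p>'];
$bad  = ['username' => 'dasher', 'password' => 'wrong', 'title' => 'x', 'body' => 'y'];
printf("valid credentials accepted: %s\n", var_export(submitContent($db, $good), true));
printf("wrong password accepted: %s\n", var_export(submitContent($db, $bad), true));
printf("rows stored: %d\n", $db->query('SELECT COUNT(*) FROM content')->fetchColumn());
```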