Secure login system for php frameworks, applications and sites
This set of PHP routines is designed to let PHP developers secure a site or an application with little effort.
Based on the ideas and information in [Innocent Code](http://www.amazon.co.uk/Innocent-Code-Security-Wake-up-Programmers/dp/0470857447/ref=sr_1_1?ie=UTF8&s=books&qid=1266594625&sr=1-1) by the security consultant [Sverre H. Huseby](http://shh.thathost.com/), the code aims to make a site resilient against most common forms of attack.
Installation:
- composer require w34u/ssp
- Move vendor/w34u/ssp/cfg to a version controlled part of your project, preferably outside the browser viewable part of your project.
- Rename vendor/w34u/ssp/cfg/Configuration.change.php to Configuration.php and assign values to all the properties to set up the database connection and secure your site.
- Add "autoload": { "psr-4": { "w34u\\ssp\\": "cfg/" } }, to composer.json so that the configuration loads, then run 'composer dumpautoload' to refresh the loader.
- Move vendor/w34u/ssp/cfg/sspadmin to a browser viewable area and ensure sspadmin/includeheader.php requires the composer autoloader in vendor.
- Point your favourite browser at sspadmin/setup and follow the instructions to create the database and your first admin login.
[Originally hosted on SourceForge for old versions](https://sourceforge.net/projects/ssprotection/)
Requirements:
- PHP >= 5.5
- adodb/adodb-php >= 5.0
- mbstring
- mcrypt
Protects against:
- SQL injection.
- Invalid character injection in forms.
- JavaScript injection in forms.
- Session theft.
- Session takeover.
- One form's output being used as input to another.
- Designed to be used with SSL, thus helping to prevent man in the middle type attacks.
Features:
- Basic joinup routine.
- Password recovery.
- User admin.
- User self admin.
- Fully templated using a fast, simple template class.
- Powerful (and paranoid) form building class.
- Data checking class.
- Useful lister and HTML menu list generation classes.
- Works with PHP 5.0 upwards.
- Uses database abstraction to work with most databases; has been used with MySQL, Access and MS SQL Server.
- Multilingual capability with browser language checking.
- HTTP or HTTPS.
- Variable number of octets for IP checking.
- Fully configurable on the types of checks to be done.
- Login by email or username.
- Extend the login for other user inputs.
- Error output either to screen or to a log file for live sites.
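The session theft and takeover protection listed above and the "variable number of octets for IP checking" feature are related: the session is tied to a prefix of the client's IP address, and the number of octets compared sets how strict that tie is. The following is an added illustration of that idea written for this page, not code from the SSP library; the function names and the `ssp_ip_prefix` / `ssp_ip_octets` session keys are hypothetical.

```php
<?php
// Added illustration (not SSP's own code): bind a session to the first N
// octets of the client's IPv4 address and reject requests whose prefix changes.

/**
 * Return the first $octets octets of an IPv4 address joined with dots,
 * or null if $ip is not a valid IPv4 address. $octets is clamped to 1..4.
 */
function ipPrefix(string $ip, int $octets): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $octets = max(1, min(4, $octets));
    return implode('.', array_slice(explode('.', $ip), 0, $octets));
}

/**
 * At login: record the client's IP prefix and the octet count used, so later
 * requests are checked with the same strictness. $session stands in for $_SESSION.
 */
function bindSessionToClient(array &$session, string $clientIp, int $octets): void
{
    $session['ssp_ip_prefix'] = ipPrefix($clientIp, $octets);
    $session['ssp_ip_octets'] = max(1, min(4, $octets));
}

/**
 * On every request: the session is only valid if the client's current prefix
 * matches the one recorded at login. A missing binding is treated as invalid.
 */
function sessionStillValid(array $session, string $clientIp): bool
{
    if (!isset($session['ssp_ip_prefix'], $session['ssp_ip_octets'])) {
        return false;
    }
    $current = ipPrefix($clientIp, (int) $session['ssp_ip_octets']);
    return $current !== null && $current === $session['ssp_ip_prefix'];
}

// Constructed sample: login from 203.0.113.42, checked on three octets (a /24).
$session = [];
bindSessionToClient($session, '203.0.113.42', 3);
var_dump(sessionStillValid($session, '203.0.113.77'));  // same first three octets
var_dump(sessionStillValid($session, '198.51.100.42')); // different network
var_dump(sessionStillValid($session, 'not-an-ip'));     // invalid address
```

Comparing fewer octets tolerates clients whose address changes within a network (mobile carriers, proxy pools) at the cost of a looser binding; comparing all four is strictest but logs legitimate users out whenever their address changes.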