
View Full Version : [DEV] New Usersystem



Jack!
29-08-2010, 06:17 PM
I'm working on another new usersystem; any updates I do to it will be posted here. So far it's going well. The features I have are green, ones I'm doing are orange.

Features:
Login
Register
PM System
Profile
Profile About Me
Profile Comments
Profile avatars
Profile Editor
Community Page (Userlist, Recently updated profiles etc.)
Contact Page (Done, just need to sort out the bit where it sends to your email)
Admin CP (although I have done a basic CP in the config.php file)

Most of it is AJAX powered.

Any other features people would like to see?

So far the basic CP I have is built into the config.php file; it enables you to change the site name on every page, and the title.

It's done like this:


//============================================================================

define("WWW", "http://localhost/usersystem"); // URL to the usersystem, NO ENDING SLASH
$page['title'] = "ItsJack - "; // The beginning part of the page titles.

//============================================================================


So it's simple to use. The layout is all done using CSS and therefore can be easily changed; it is MySQL powered and built using PHP.

Any updates I do I will post in this thread.

And for anyone who asks about it being released: I'm unsure when, and if I will charge for it.

Screenshots:

Home:

http://www.itsjack.info/user5.png

Profiles & Comments:

http://www.itsjack.info/user3.png

Mailbox Inbox:

http://www.itsjack.info/user2.png

Mailbox Send a PM:

http://www.itsjack.info/user1.png

Contact Form:

http://www.itsjack.info/user4.png

HotelUser
29-08-2010, 10:06 PM
Good luck! How are you cleaning strings and storing passwords?

Trigs
29-08-2010, 10:46 PM
Charge for it. I guarantee you that only a few people will use it for free, especially considering that there are lots of free usersystems already. You might as well be making some profit while you're doing it.

Jack!
30-08-2010, 12:00 AM
Good luck! How are you cleaning strings and storing passwords?

Passwords are MD5 encrypted and stored in the database, and I'm using something like this:


// Accept only letters and digits for the whole username (the ^ and $ anchors
// matter: without them the pattern only checks that one such character exists),
// otherwise send the user back to the register page with an error code.
if (preg_match('/^[a-z0-9]+$/i', $pusername)) {
    $valid = true;
} else {
    header("location: register.php?error=2");
    exit;
}

Different errors get different links. Again AJAX powered, but that's from the register page, so I have one or two more different methods, depending on the page.

and thanks Fazon, I'm not sure really, still thinking about it

UPDATE: I have got avatar uploading working, and I have started work on the user CP

Trigs
30-08-2010, 01:13 AM
Don't just md5, it's easily cracked. Salt it too.

// change the salt to something totally random
$salt = 'hje!wf2';

$password = md5( $_POST['password'].$salt );

HotelUser
30-08-2010, 04:53 AM
Don't just md5, it's easily cracked. Salt it too.

// change the salt to something totally random
$salt = 'hje!wf2';

$password = md5( $_POST['password'].$salt );

This might not be a bad idea at all, actually.

I tend to do



$hashed = md5($salt . md5($password)); // "." concatenates; "+" would try to add the two strings as numbers


which I believe is something similar to vBulletin's setup. $salt would be stored in the user's row in my table and be different per user of course :P

Trigs
30-08-2010, 05:14 AM
The salt is stored in the database though which I don't recommend. If someone hacks into your database (which is more likely than hacking your host), they have the salt. At least my way keeps the salt hidden.

Jahova
30-08-2010, 08:29 AM
Pepper?

As people have said, MD5 is ok but not secure enough in my opinion. Maybe a different format of encryption or as people have said salt + MD5 and define the salt within the PHP.

Apolva
30-08-2010, 09:13 AM
I often use something like:



// Renamed from hash() because PHP already has a built-in hash() function,
// and redeclaring it is a fatal error.
function hashPassword($string = "") {
    return md5("d" . sha1("9wj(j3il" . md5("82o&*£" . $string)) . "2qiorjknq");
}

Blob
30-08-2010, 10:32 AM
I salt password strings like

md5( $username . $password . $salt );

where salt is

substr( md5( time() ), 0, 8 )

and stored in the users row

Recursion
30-08-2010, 10:34 AM
Can I just input here, how is MD5 "not secure"? It's only the fools who put dictionary words as their passwords that are going to be affected.

If you forced them to set a password with even one character of punctuation it's going to make cracking the password take a whole lot longer (IMO people should be forced to do this, just my 2c)

Jack!
30-08-2010, 12:15 PM
Can I just input here, how is MD5 "not secure"? It's only the fools who put dictionary words as their passwords that are going to be affected.

If you forced them to set a password with even one character of punctuation it's going to make cracking the password take a whole lot longer (IMO people should be forced to do this, just my 2c)

Currently the password has to be longer than 6 characters I think. I may add the salt, but I'm not right now; MD5 should be fine.

UPDATE: User CP is almost done. About me editing is done, including BB Code. Show and hide DoB, Email, and Name is working. Change password is done, and change email is done.

Jahova
30-08-2010, 12:19 PM
Just make sure you cover all the exploits.

HotelUser
30-08-2010, 12:21 PM
Can I just input here, how is MD5 "not secure"? It's only the fools who put dictionary words as their passwords that are going to be affected.

If you forced them to set a password with even one character of punctuation it's going to make cracking the password take a whole lot longer (IMO people should be forced to do this, just my 2c)

Agreed Tom, and it only takes a little elbow grease to implement too :)



Currently the password has to be longer than 6 characters I think. I may add the salt, but I'm not right now; MD5 should be fine.

UPDATE: User CP is almost done. About me editing is done, including BB Code. Show and hide DoB, Email, and Name is working. Change password is done, and change email is done.

Excellent stuff. Especially interested in what you said about bbcode. Do you have a WYSIWYG bbcode editor?

Jack!
30-08-2010, 12:38 PM
Agreed Tom, and it only takes a little elbow grease to implement too :)




Excellent stuff. Especially interested in what you said about bbcode. Do you have a WYSIWYG bbcode editor?

Currently the BBCode has to be added manually, [br] etc. I may add a WYSIWYG editor, just want to get everything working first. Also I may be overhauling the PM system, seems a lil buggy using AJAX.

MattFr
31-08-2010, 12:44 AM
I salt password strings like

md5( $username . $password . $salt );

where salt is

substr( md5( time() ), 0, 8 )

and stored in the users row
Your salt is dynamic based on a number that will never happen again? Good luck with that.

@ OP, is there any reason why you swap between constants and variables? Do you know the difference and when each should be used properly?

Blob
31-08-2010, 12:54 AM
Your salt is dynamic based on a number that will never happen again? Good luck with that.


and stored in the users row

Cheers for the good luck.

MattFr
31-08-2010, 01:06 AM
Cheers for the good luck.
But surely if your database is compromised, storing the salt with the user row makes it easier to run a dictionary attack. Your method of generating numbers seems to be crazy inefficient anyway, just use a random.

Blob
31-08-2010, 12:22 PM
But surely if your database is compromised, storing the salt with the user row makes it easier to run a dictionary attack. Your method of generating numbers seems to be crazy inefficient anyway, just use a random.

Same with vBulletin though, they store a salt in the user database too.

Not quite sure why I did it in the first place, I was talking to another developer at the time who told me how he does his.

MattFr
31-08-2010, 12:42 PM
Same with vBulletin though, they store a salt in the user database too.

Not quite sure why I did it in the first place, I was talking to another developer at the time who told me how he does his.

vBulletin coding isn't exactly amazing.

MattFr
31-08-2010, 12:57 PM
Whoever the other developer is must be pretty bad. The whole point of a salt is to render the password useless if your database is compromised. If you use something secure like SHA256 (not MD5) with a salt, the password would practically be impossible to crack. If your salt is known, it makes it easier.

Jack!
31-08-2010, 01:28 PM
Whoever the other developer is must be pretty bad. The whole point of a salt is to render the password useless if your database is compromised. If you use something secure like SHA256 (not MD5) with a salt, the password would practically be impossible to crack. If your salt is known, it makes it easier.

That's why I've not added salt yet, and if I do I would never add it into the database

Trigs
31-08-2010, 09:09 PM
Don't store the ******* salt in the ******* database. Just don't. Doesn't matter if vB does it. Just generate the salt in the php code and keep it there. Like I said before, if your database gets hacked, at least the hacker doesn't have access to the salt. It's much easier to get access to a database than it is to get access to your hosting account/panel.

Jack!
01-09-2010, 06:55 PM
Might release the code soon for everyone to go over, because it looks like I might be starting again with another developer to make it better :P

Irrorate
03-09-2010, 01:05 AM
To be honest you should just salt your password in the filesystem before inserting it into the database.
Something I just had a quick think about, what about salting the username and password with the string length of the username?

Simple salting method


// grab length of username
$usernameLen = strlen($username);

// concatenate username, password and username length, then sha1 them.
$passwordSalt = sha1($username . $password . $usernameLen);


The algorithm is the same but no salt is effectively stored in the database, meaning nobody would know your algorithm without knowing your filesystem. The beauty of this is that the salt will differ depending on the length of the username.

HotelUser
03-09-2010, 02:17 AM
To be honest you should just salt your password in the filesystem before inserting it into the database.
Something I just had a quick think about, what about salting the username and password with the string length of the username?

Simple salting method


// grab length of username
$usernameLen = strlen($username);

// concatenate username, password and username length, then sha1 them.
$passwordSalt = sha1($username . $password . $usernameLen);


The algorithm is the same but no salt is effectively stored in the database, meaning nobody would know your algorithm without knowing your filesystem. The beauty of this is that the salt will differ depending on the length of the username.

A bit of extra security, sure, but then whenever you change a user's username you'd also be forced to update their password as well.

Irrorate
03-09-2010, 02:38 AM
A bit of extra security, sure, but then whenever you change a user's username you'd also be forced to update their password as well.
Yes indeed, I was just giving an example of a simple salting method that works better than storing the salt in the database :P

It isn't ideal to use salt characters that can change, of course, but using a salt that doesn't require storing is much preferred :P
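
The posts above argue over whether the salt belongs in the users table or in the PHP code. As an added example (not code from this thread or from Jack's usersystem), here is how both concerns are covered in current PHP: password_hash() draws a fresh random salt per user and embeds it in the stored string, and a separate secret (a pepper, as Jahova called it) stays in config.php rather than the database. The PEPPER value and the sample password are placeholders.

```php
<?php
// Added example: per-user random salt (embedded by bcrypt) plus an
// application-side secret, so a database dump alone is not enough to crack.
declare(strict_types=1);

// Assumption: PEPPER is defined in config.php outside the web root and is
// never written to the database. The value here is a placeholder.
define('PEPPER', 'replace-with-a-long-random-secret-from-config.php');

function hashPassword(string $password): string
{
    // Keyed hash with the pepper first, so the bcrypt input already depends
    // on a secret the database does not hold.
    $peppered = hash_hmac('sha256', $password, PEPPER);
    // password_hash() generates a random salt per call and stores it, the
    // cost factor and the algorithm id inside the returned string.
    return password_hash($peppered, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    $peppered = hash_hmac('sha256', $password, PEPPER);
    // password_verify() reads the salt back out of $storedHash and compares
    // in constant time, so no separate salt column is needed.
    return password_verify($peppered, $storedHash);
}

function needsRehash(string $storedHash): bool
{
    // Lets the site raise the cost later and upgrade old hashes at login.
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Demonstration with a constructed password for two users.
$first  = hashPassword('correct horse battery');
$second = hashPassword('correct horse battery');

// Unlike md5($password), the two stored values differ even though the
// password is the same, so cracking one row says nothing about the other.
var_dump($first !== $second);
var_dump(verifyPassword('correct horse battery', $first));
var_dump(verifyPassword('wrong password', $first));
var_dump(needsRehash($first));

// For contrast, plain md5() is identical for every user with that password.
var_dump(md5('correct horse battery') === md5('correct horse battery'));
```

Changing a username does not affect the stored hash here, which avoids the problem HotelUser raised with the username-length salt.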

BoyBetterKnow
03-09-2010, 09:06 AM
Your name's *REMOVED*? No way?

Edited by Nicola (Forum Super Moderator): Please do not post private information without consent of the other forum member.

Jack!
03-09-2010, 03:18 PM
Your name's *REMOVED*? No way?

Eh, yes :P How did you find that out? I'm guessing I put it in the usersystem somewhere then :P

Why?

EDIT: Found it, one of the screenshots :P

BoyBetterKnow
07-09-2010, 01:01 PM
*Removed* admins / super mod w/e had a go at me, it's in the screenie ye :D

Edited by Recursion (Forum Moderator): Please do not be rude to other forum members, staff included. Thanks.

Jack!
07-09-2010, 03:43 PM
*Removed* admins / super mod w/e had a go at me, it's in the screenie ye :D

Edited by Recursion (Forum Moderator): Please do not be rude to other forum members, staff included. Thanks.

Aha yeah, and I need to do an update so:

Update: The system is far from done, but it has been scrapped, and we are working on a new one. If anyone wants the old one, drop me a PM

Excellent2
08-09-2010, 01:40 PM
Pretty sure I've seen this usersystem before?

Jack!
08-09-2010, 04:17 PM
Pretty sure I've seen this usersystem before?

Don't think so, it was coded from scratch, unless you mean the other one that has the same CSS that I was selling?

HotelUser
08-09-2010, 07:03 PM
Don't think so, it was coded from scratch, unless you mean the other one that has the same CSS that I was selling?

From what I've seen your CSS looks pretty unique :)

Jack!
09-09-2010, 02:52 PM
From what I've seen your CSS looks pretty unique :)

Thanks :)

New usersystem is going really well; we have got the new systems working fine. Although this one is going to be based on our site, it has everything this one does but improved upon, and an admin backend, also some other bits that I'm not telling yet ;)

Once we have completed this I will be posting the site, so something to look forward to :)

- Also, I've had a few requests for the old usersystem. I will only be giving it to members I deem trustworthy; don't want anyone trying to sell it
