[DEV] New Usersystem

[Jack!]

Im working on another new usersystem, any updates i do to it will be posted here, so far its going good, the features i have are green, ones im doing are orange.

Features:
Login
Register
PM System
Profile
Profile About Me
Profile Comments
Profile avatars
Profile Editor
Community Page (Userlist, Recently updated profiles ect)
Contact Page (Done, just need to sort out the bit were it sends to your email)
Admin CP (Although i have done a basic CP in the config.php file)

Most of it is AJAX powered.

Any other features people would like to see?

So far the basic CP i have is built into the config.php file, it enables you to change the site name on every page, and the title.

Its done like this:

PHP Code:

//==============================================================================

define("WWW", "http://localhost/usersystem");    // URL to the usersystem, NO ENDING SLASH
$page['title'] = "ItsJack - ";                    // The beginning part of the page titles.

//============================================================================== 


So its simple to use, the layout is all done using CSS and therefore can be easily changed, it is MySQL powered and built using PHP

Any updates i do i will post in this thread.

And anyone who asks about it being released, im unsure when, and if i will charge for it.

Screenshots:

Home:



Profiles & Comments:



Mailbox Inbox:



Mailbox Send a PM:



Contact Form:

[HotelUser]

Good luck! How are you cleaning strings and storing passwords?

[Trigs]

Charge for it. I guarantee you that only a few people will use it for free, especially considering that there are lots of free usersystems already. You might as well be making some profit while you're doing it.

[Jack!]

Good luck! How are you cleaning strings and storing passwords?

Passwords are MD5 Encryped and stored into the database, and im using something like this:

PHP Code:

if(preg_match('/[a-z0-9]/i', $pusername)) { $valid = true; } else { header("location: register.php?error=2"); 


Different errors get different links, Again Ajax powered, buts thats from the register so i have one or two more different methods, depending on the page

and thanks Fazon, im not sure really,still thinking about it

UPDATE: I have gotten avatar uploading working, and i have started work on the user CP

[Trigs]

Don't just md5, it's easily cracked. Salt it too.

// change the salt to something totally random
$salt = 'hje!wf2';

$password = md5( $_POST['password'].$salt );

[HotelUser]

Don't just md5, it's easily cracked. Salt it too.

// change the salt to something totally random
$salt = 'hje!wf2';

$password = md5( $_POST['password'].$salt );

This might not be a bad idea at all, actually.

I tend to do

PHP Code:

$hashed = md5($salt + md5($password)); 


which I believe is something similar to vBulletin's setup. $salt would be stored in the user's row in my table and be different per user of course

[Trigs]

The salt is stored in the database though which I don't recommend. If someone hacks into your database (which is more likely than hacking your host), they have the salt. At least my way keeps the salt hidden.

[Jahova]

Pepper?

As people have said, MD5 is ok but not secure enough in my opinion. Maybe a different format of encryption or as people have said salt + MD5 and define the salt within the PHP.

[Apolva]

I often use something like:

PHP Code:

function hash($string=""){
     return md5("d".sha1("9wj(j3il".md5("82o&*£".$string))."2qiorjknq");
} 


[Blob]

I salt password strings like

md5( $username . $password . $salt );

where salt is

substr( md5( time() ), 0, 8 )

and stored in the users row