I'm new to PHP and have been diddling around with a few hundred tutorials, and I came up with an idea for a web script: a website where the index is a login page with some other content, sort of like a portal. The login to the script is protected by hashed passwords, using salted MD5 encryption for normal users that's stored in a PHP user account file; users that are mods or admins will be prompted with a second request for a password that is salted SHA1 and stored in a MySQL database. It will also include a registration page that is accessed through a SHA1 password, different from any other user account's password, that is known only to the site's main admin, so that he would be able to add, edit, remove and ban users, and also see other things, I'm just not sure what yet (maybe be able to send private messages to users, who have a user control panel where they can check the messages, send messages, change password/email/etc.). Each user's salt hash will be different; most likely the script will use their IP and the current time to create the salt. When the main admin logs into the registration page, that admin will be able to create a custom link to send to users, and by custom I mean the admin can send it so that the user can sign up as an admin or mod or even a regular user, a link that is only active for so long and accessible only once by the first person that uses it.
The script will also make it impossible for anyone to access any part of the web pages unless signed in with the correct permissions to access that page, include a file browser or index (file management) for admins, and integrate phpBB3 or other forum PHP software, as well as any other PHP scripting.
When users log in, of course the site will remember them and only require that user to log in once each time they visit, with an option so the user can stay logged in. However, admins or users prompted with the second password will only be able to stay logged in as long as their account is active from their IP address, and if it changes they will be prompted for the SHA1 password again.
Basically securing it as much as possible too. With SSL it's encrypted, htaccess is of course blocked and set so attackers can't get to it, and so it blocks access for users to the script's files but still allows them to use the site 100% without issue. Hiding the PHP coding and making it so that when attackers try to access things that are not supposed to be accessed directly, it's logged, sent to the admin as a notification, and bans the user aggressively after 3 attempts to break in.
I also thought about including an FTP client so that the users can have a private place that's also encrypted to chat in.
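
The single-use, time-limited signup link described in the post, as an added example that is not part of the original post. The table name `invites` and the functions `createInvite()` and `redeemInvite()` are assumptions made for illustration, and an in-memory SQLite database (PDO with the `pdo_sqlite` extension) stands in for the MySQL database the post mentions.

```php
<?php
// Added example, not the poster's code: single-use, expiring signup links.
// Assumed names: table `invites`, createInvite(), redeemInvite().
declare(strict_types=1);

$db = new PDO('sqlite::memory:');   // stand-in for the site's MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invites (
    token_hash TEXT PRIMARY KEY,    -- only a hash of the link token is stored
    role       TEXT NOT NULL,
    expires_at INTEGER NOT NULL,
    used_at    INTEGER
)');

const ROLES = ['user', 'mod', 'admin'];

function createInvite(PDO $db, string $role, int $ttl, int $now): string
{
    if (!in_array($role, ROLES, true)) {
        throw new InvalidArgumentException('unknown role');
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the system CSPRNG
    $db->prepare('INSERT INTO invites VALUES (?, ?, ?, NULL)')
       ->execute([hash('sha256', $token), $role, $now + $ttl]);
    return $token;                        // value placed in the link sent out
}

function redeemInvite(PDO $db, string $token, int $now): ?string
{
    $hash = hash('sha256', $token);
    // One conditional UPDATE claims the invite, so of two racing requests
    // only the first changes a row; the role is read only after the claim.
    $claim = $db->prepare('UPDATE invites SET used_at = ?
        WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?');
    $claim->execute([$now, $hash, $now]);
    if ($claim->rowCount() !== 1) {
        return null;                      // unknown, expired or already used
    }
    $row = $db->prepare('SELECT role FROM invites WHERE token_hash = ?');
    $row->execute([$hash]);
    return (string) $row->fetchColumn();
}

$now   = 1700000000;                              // constructed clock value
$token = createInvite($db, 'mod', 3600, $now);
var_dump(redeemInvite($db, $token, $now + 60));   // first visitor inside the window
var_dump(redeemInvite($db, $token, $now + 120));  // same link used a second time
$late  = createInvite($db, 'user', 3600, $now);
var_dump(redeemInvite($db, $late, $now + 7200));  // link opened after it expired
```

The role is bound to the token on the server at creation time, so nothing in the link itself says which role it grants.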