PHP password question

Post by Zriza » 2007-03-26 19:27

I would like to know if it's safe to make a PHP password script in your /var/www and use it like the "htpasswd" Apache-implemented password protection?

It's the "source reading" that makes me curious, if people could read it in their browser. Can people read the "source password" I've placed in the password file as PHP?

(IS IT SAFE, OR SHOULD I USE "HTPASSWD"??)

Thanks for the answers.
Zriza
 
Posts: 82
Joined: 2006-08-25 18:23
Location: Copenhagen - Denmark

Post by SweetLou » 2007-04-03 02:36

Safe is a relative term; nothing is completely safe. If you put the password in the page you are viewing, then you won't be able to see the password when looking at the source; of course you know this since you can test it easily. But that doesn't mean it is safe. Firefox likes to download PHP files sometimes, and a misconfigured webserver might try to have you download the file; then the user could easily see your password.
It would be safer to put the password in a separate file, outside of your world-viewable directory, or a database.
SweetLou
 
Posts: 26
Joined: 2006-05-07 19:28

Post by thamarok » 2007-04-03 13:20

The best and most secure implementation of password storage is using a database in my opinion. Create a MySQL (or any other SQL) table containing the passwords you need to validate and then make a simple PHP script to test the user input against any password in the MySQL table; if OK, let the user go to the secret page, else redirect the user to a "password wrong" page.
thamarok
 

Post by begatelles » 2007-04-07 07:45

thamarok wrote:The best and most secure implementation of password storage is using a database in my opinion. Create a MySQL (or any other SQL) table containing the passwords you need to validate and then make a simple PHP script to test the user input against any password in the MySQL table; if OK, let the user go to the secret page, else redirect the user to a "password wrong" page.


In other words, doing things the right way. thumbs up! 8)
begatelles
 
Posts: 50
Joined: 2007-01-03 12:24

Post by sinical » 2007-04-07 07:50

And read up on SQL injections :)
Every cloud has a silver lining, except for the mushroom shaped ones, which have a lining of Strontium 90.
---------------------------------------------
umop apisdn
sinical
 
Posts: 1022
Joined: 2007-03-25 11:52

Post by begatelles » 2007-04-07 08:06

sinical wrote:And read up on SQL injections :)


do those really ever work? :P :D
begatelles
 
Posts: 50
Joined: 2007-01-03 12:24

Post by sinical » 2007-04-07 08:12

begatelles wrote:
sinical wrote:And read up on SQL injections :)


do those really ever work? :P :D


Nah, they are totally make-believe, like the tooth fairy :)
sinical
 
Posts: 1022
Joined: 2007-03-25 11:52

Post by Pobega » 2007-04-07 13:35

Why not just use an md5/sha1 hash? It's pretty safe in my experience.
Jabber: pobega@gmail.com
Pronunciation: Poh - Bay - Guh
Pobega
 
Posts: 870
Joined: 2007-01-04 04:30
Location: New York

Post by thamarok » 2007-04-07 21:01

sinical wrote:
begatelles wrote:
sinical wrote:And read up on SQL injections :)


do those really ever work? :P :D


Nah, they are totally make-believe, like the tooth fairy :)


A simple SQL injection does work on pretty many websites that are not SQL injection-safe (that is, to remove the special characters before validating the input)..

I once hacked a website selling a commercial programming language.. believe me, it was just for fun. I had admin rights and I was able to download the software; I contacted the author of the website about this and guess what, he gave me a free copy of his programming language software 8)

But that was very long ago.. I wonder if I find the website again.. the program was BlisBasic or something like that :roll:
thamarok
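
The database check suggested in this thread, together with the advice on hashing and SQL injection, as an added example that is not any poster's code. It assumes PHP 7.1 or later with the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL); the `users` table, the function names and the sample account are hypothetical. It uses `password_hash()`/`password_verify()` instead of a bare md5/sha1 digest, because fast unsalted digests are cheap to brute-force.

```php
<?php
declare(strict_types=1);

// Added example. An in-memory SQLite database stands in for the MySQL table;
// the users table, function names and sample account are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Hash of a throwaway value, verified against when the user name is unknown.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// Store a salted, deliberately slow hash, never the password itself.
function add_user(PDO $db, string $name, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
    $stmt->execute([
        ':name' => $name,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Bound parameters keep user input out of the SQL text, so a quote character
// in $name is compared as data and cannot change the query.
function check_login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $stored = $stmt->fetchColumn();
    $known = is_string($stored);
    // Always run one verification so response time does not reveal valid names.
    $ok = password_verify($password, $known ? $stored : DUMMY_HASH);
    return $known && $ok;
}

// Constructed sample input.
add_user($db, 'alice', 'correct horse battery staple');
$attempts = [
    ['alice', 'correct horse battery staple'],  // right password
    ['alice', 'letmein'],                        // wrong password
    ["alice' OR '1'='1", 'anything'],            // injection-style user name
];
foreach ($attempts as [$name, $password]) {
    $result = check_login($db, $name, $password) ? 'accepted' : 'rejected';
    printf("%-20s %s\n", $name, $result);
}
```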
 

