Jump to content

PHP password protected pages

rshadarack

By rshadarack
in PHP Coding Help

 Share

Recommended Posts

rshadarack Member

rshadarack

Posted
Posted
When creating a php login page, my first thought was to just have $username = "JoeSmith" and $password = "JoeSmith77" with a simple form which asks for input, then checks using these values. Then the page would reload itself, passing an "isValidUser" or something like that, and the same page would then show it's actual content. Since the php is always processed by the server and all php commands (besides output) are removed, I figured this would be secure. Then I go around looking an there are all these complex ways of password protecting a site. So is this not the case?

Basically, why is this not a secure way of password protection?
Link to comment
https://forums.phpfreaks.com/topic/12395-php-password-protected-pages/
Share on other sites
wildteen88 Regular Member

wildteen88

Posted
Posted
It depends on how you are storing your users details. Such as if you are storing your user details in a database then an experienced cracker can use SQL injection to login to your site as any user.

It is only safe if you validate user input and escape user input. Never use raw data being sent in from a form straight into an SQL query like so:
[code]SELECT * FROM users WHERE name='$_POST['name']' AND pass='$_POST['pass']'[/code]
Becuase if you do that then that is prone to SQL injection attacks. So a cracker can enter this into your username field:
[code]' OR 1=1 --[/code]
Now what will happen is rather than SQL checking whether the username and password match a user in the database, it'll select the first entry in the database. The chances are that the first person in the users table is an admin!
tobes Newbie

tobes

Posted
Posted
Is it safe to hash the password and compare it to the hash of the actual password before allowing access to the script?

Something like this?

loginform.html
[code]
<form method="post" action="checkpassword.php">
<input type="password" name="password">
<input type="submit" value="Enter">
</form>
[/code]

checkpassword.php
[code]
<?php
$hash = md5($_POST['password']);

if ($hash = "md5_of_the_actual_password") {
//proceed with contents of script here
}
else {
echo "Sorry. Wrong password.<br><a href="loginform.html">Go back.</a>";
}

?>
[/code]
rshadarack Member

rshadarack

Posted
  • Author
Posted
[!--quoteo(post=385762:date=Jun 19 2006, 03:25 PM:name=wildteen88)--][div class=\'quotetop\']QUOTE(wildteen88 @ Jun 19 2006, 03:25 PM) [snapback]385762[/snapback][/div][div class=\'quotemain\'][!--quotec--]
If its hardcoded into the script itself then it should be secure, but make sure you change the password once or twice a week, just incase.

I only gave you the database as an example.
[/quote]

Thanks.
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.