PHP password protected pages


6 replies to this topic

#1 rshadarack

rshadarack
  • Members
  • Member
  • 29 posts

Posted 19 June 2006 - 05:08 PM

When creating a PHP login page, my first thought was to just have $username = "JoeSmith" and $password = "JoeSmith77" with a simple form which asks for input, then checks using these values. Then the page would reload itself, passing an "isValidUser" or something like that, and the same page would then show its actual content. Since the PHP is always processed by the server and all PHP commands (besides output) are removed, I figured this would be secure. Then I go around looking and there are all these complex ways of password protecting a site. So is this not the case?

Basically, why is this not a secure way of password protection?

#2 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 19 June 2006 - 05:19 PM

It depends on how you are storing your users' details. For example, if you are storing your user details in a database, then an experienced cracker can use SQL injection to log in to your site as any user.

It is only safe if you validate user input and escape user input. Never use raw data being sent in from a form straight into an SQL query like so:
SELECT * FROM users WHERE name='$_POST['name']' AND pass='$_POST['pass']'
Because if you do that then that is prone to SQL injection attacks. So a cracker can enter this into your username field:
' OR 1=1 --
Now what will happen is, rather than SQL checking whether the username and password match a user in the database, it'll select the first entry in the database. The chances are that the first person in the users table is an admin!

#3 tobes

tobes
  • New Members
  • Newbie
  • 5 posts
  • Location: NH

Posted 19 June 2006 - 06:21 PM

Is it safe to hash the password and compare it to the hash of the actual password before allowing access to the script?

Something like this?

loginform.html
<form method="post" action="checkpassword.php">
<input type="password" name="password">
<input type="submit" value="Enter">
</form>

checkpassword.php
<?php
// Hash the submitted password so it can be compared against the stored hash
$hash = md5($_POST['password']);

// Compare with === (a single = would assign and always be true)
if ($hash === "md5_of_the_actual_password") {
    // proceed with contents of script here
}
else {
    // Inner double quotes must be escaped inside a double-quoted string
    echo "Sorry. Wrong password.<br><a href=\"loginform.html\">Go back.</a>";
}

?>


#4 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 19 June 2006 - 06:48 PM

It's more secure. But you need to store the passwords in the DB in their md5 form too.

Orio.
Think you're smarty?

(Gone until 20 to November)

#5 rshadarack

rshadarack
  • Members
  • Member
  • 29 posts

Posted 19 June 2006 - 06:59 PM

I don't understand the need for a database. I am only creating access to 1, possibly 2 users. Is there any danger if I hardwire the password into the php script?

#6 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 19 June 2006 - 07:25 PM

If it's hardcoded into the script itself then it should be secure, but make sure you change the password once or twice a week, just in case.

I only gave you the database as an example.
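An added example (not code from anyone in this thread) showing the two approaches discussed above done safely: the database login from post #2 rewritten with a prepared statement and a stored password hash, and a single-user check for the "hardwire the password into the script" case from post #5. It assumes PHP 7+ with the PDO SQLite driver; the user, password and table are constructed sample data.

```php
<?php
// Added example, not from the thread. Uses an in-memory SQLite database so it runs stand-alone.

function setupDb(): PDO {
    // Constructed sample data: one admin user whose password is stored only as a bcrypt hash.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass TEXT NOT NULL)');
    $stmt = $db->prepare('INSERT INTO users (name, pass) VALUES (:name, :pass)');
    $stmt->execute([':name' => 'admin', ':pass' => password_hash('JoeSmith77', PASSWORD_DEFAULT)]);
    return $db;
}

// Safe replacement for:  SELECT * FROM users WHERE name='$_POST['name']' AND pass='$_POST['pass']'
// The name is bound as a parameter, so whatever the user types is treated as data and can
// never change the query's structure; the password is checked in PHP against the stored hash.
function login(PDO $db, string $name, string $pass): bool {
    $stmt = $db->prepare('SELECT pass FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    return password_verify($pass, $row['pass']);
}

// Single-user variant with no database: keep only the hash of the password in the script,
// never the plaintext, and let password_verify do the comparison (it runs in constant time,
// unlike == or === on two strings).
function loginStatic(string $storedHash, string $pass): bool {
    return password_verify($pass, $storedHash);
}

$db = setupDb();
var_dump(login($db, 'admin', 'JoeSmith77'));     // correct credentials
var_dump(login($db, "' OR 1=1 --", 'anything')); // the injection string from post #2 is now just an unknown name
var_dump(login($db, 'admin', 'wrong'));          // wrong password

// In a real script you would paste the output of password_hash() into the file as a constant.
$storedHash = password_hash('JoeSmith77', PASSWORD_DEFAULT);
var_dump(loginStatic($storedHash, 'JoeSmith77'));
var_dump(loginStatic($storedHash, 'JoeSmith78'));
```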

#7 rshadarack

rshadarack
  • Members
  • Member
  • 29 posts

Posted 20 June 2006 - 03:21 AM

QUOTE (wildteen88 @ Jun 19 2006, 03:25 PM):
If it's hardcoded into the script itself then it should be secure, but make sure you change the password once or twice a week, just in case.

I only gave you the database as an example.

Thanks.
