Archived

This topic is now archived and is closed to further replies.

rshadarack

PHP password protected pages

When creating a PHP login page, my first thought was to just have $username = "JoeSmith" and $password = "JoeSmith77" with a simple form which asks for input, then checks using these values. Then the page would reload itself, passing an "isValidUser" or something like that, and the same page would then show its actual content. Since the PHP is always processed by the server and all PHP commands (besides output) are removed, I figured this would be secure. Then I go around looking and there are all these complex ways of password protecting a site. So is this not the case?

Basically, why is this not a secure way of password protection?

It depends on how you are storing your users' details. For example, if you are storing your user details in a database, then an experienced cracker can use SQL injection to log in to your site as any user.

It is only safe if you validate user input and escape user input. Never use raw data being sent in from a form straight into an SQL query like so:
[code]SELECT * FROM users WHERE name='$_POST['name']' AND pass='$_POST['pass']'[/code]
Because if you do that then it is prone to SQL injection attacks. So a cracker can enter this into your username field:
[code]' OR 1=1 --[/code]
Now what will happen is rather than SQL checking whether the username and password match a user in the database, it'll select the first entry in the database. The chances are that the first person in the users table is an admin!

Is it safe to hash the password and compare it to the hash of the actual password before allowing access to the script?

Something like this?

loginform.html
[code]
<form method="post" action="checkpassword.php">
<input type="password" name="password">
<input type="submit" value="Enter">
</form>
[/code]

checkpassword.php
[code]
<?php
// Hash whatever was submitted (empty string if the field is missing).
$hash = md5($_POST['password'] ?? '');

// Compare with === : a single = would assign and always be true,
// and == is subject to PHP's loose string comparison.
if ($hash === "md5_of_the_actual_password") {
    //proceed with contents of script here
}
else {
    echo 'Sorry. Wrong password.<br><a href="loginform.html">Go back.</a>';
}

?>
[/code]

It's more secure. But you need to store the passwords in the DB in their md5 form too.

Orio.

I don't understand the need for a database. I am only creating access to 1, possibly 2 users. Is there any danger if I hardwire the password into the php script?

If it's hardcoded into the script itself then it should be secure, but make sure you change the password once or twice a week, just in case.

I only gave you the database as an example.

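An added example, not code posted in this thread: the hardcoded single-user check discussed in the last few posts, with the `=`/`==` comparison bug fixed, md5() replaced by password_hash()/password_verify(), and the "isValidUser" flag kept in the server-side session instead of being passed back to the page. The stored hash value and the protected.php target are placeholders.

```php
<?php
// Added example (not from the thread): a single-user login check for a
// hardcoded credential, written the way checkpassword.php would look once
// the comparison bug is fixed and a salted, slow hash replaces md5().
//
// Generate the stored value once, offline, and paste it here:
//   php -r 'echo password_hash("JoeSmith77", PASSWORD_DEFAULT), PHP_EOL;'
// The value below is a placeholder; replace it with your own output.
const STORED_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

session_start();

/**
 * Returns true only if the submitted password verifies against the stored hash.
 * password_verify() reads the salt and cost from the hash itself and compares
 * in constant time, so nothing leaks through string-comparison timing.
 */
function checkPassword(string $submitted): bool
{
    return password_verify($submitted, STORED_HASH);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = (string)($_POST['password'] ?? '');

    // Note the === here: the thread's "if ($hash = ...)" assigns instead of
    // comparing, so it is always true and lets every visitor in.
    if (checkPassword($submitted) === true) {
        session_regenerate_id(true);      // fresh session id after login
        $_SESSION['isValidUser'] = true;  // the flag the original poster had in
                                          // mind, now server-side rather than
                                          // a parameter the browser can set
        header('Location: protected.php', true, 303); // protected.php: placeholder
        exit;
    }

    // Same generic message for empty, wrong or malformed input.
    http_response_code(401);
    echo 'Sorry. Wrong password. <a href="loginform.html">Go back.</a>';
    exit;
}
```

protected.php (or whatever page holds the content) then only needs to call session_start() and check `$_SESSION['isValidUser'] === true` before rendering.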
[quote name='wildteen88' date='Jun 19 2006, 03:25 PM']
If it's hardcoded into the script itself then it should be secure, but make sure you change the password once or twice a week, just in case.

I only gave you the database as an example.
[/quote]

Thanks.
