malikah Posted January 23, 2009

First off, my knowledge in PHP is limited - be nice to me! I'm thinking of making a private page for my schoolwork but want to avoid using password form fields as I've heard there's a lot of work involved in making them secure. I was thinking that I could just make the page accept arguments and pass them through the address bar (like a password). And seeing as PHP is parsed? No one would know that that page is accepting any arguments even if they viewed the source. Is this doable/safer?

https://forums.phpfreaks.com/topic/142186-avoid-using-password-field/
gevans Posted January 23, 2009

I wouldn't say it was safer, but if you were the only one seeing it you could add a huge random string after the url, but this would then be stored in the browser. Realistically if this stuff needs to be restricted you need some user management.
Mchl Posted January 23, 2009

It's security by obscurity... not a way to go. Making a relatively secure login system is not that hard (and I doubt you'll have anyone really serious wanting to hack into your site). You just need to have your form secured against sql injection, and preferably limit the number of logins to let's say one per second per IP. Have a strong password (storing it as a salted hash couldn't hurt), and you should be fine.
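The three points in the post above (no SQL injection, one login attempt per second per IP, a salted password hash) fit in a short script. The following is an added example written for this thread, not code posted by Mchl or taken from php.net; it assumes PHP 7 or later with the pdo_sqlite extension, and the table names, the user `malikah` and the IP addresses are constructed for the example. An in-memory SQLite database stands in for whatever the real site would use.

```php
<?php
// Added example: a minimal login check with prepared statements, a per-IP
// rate limit of one attempt per second, and a salted password hash.
// Uses an in-memory SQLite database so it runs offline (constructed data).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE login_attempts (ip TEXT PRIMARY KEY, last_attempt INTEGER NOT NULL)');

// Store only a salted hash. password_hash() generates a random salt and
// embeds it in the returned string, so no separate salt column is needed.
$stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$stmt->execute([
    ':u' => 'malikah',                                                   // constructed user
    ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
]);

/**
 * Allow at most one login attempt per second per IP. Returns false when the
 * previous attempt from this IP was less than a second ago, otherwise records
 * the attempt and returns true. The IP is bound as a parameter, so a
 * client-controlled value cannot change the query.
 */
function rate_limit_ok(PDO $db, string $ip, int $now): bool
{
    $stmt = $db->prepare('SELECT last_attempt FROM login_attempts WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    $last = $stmt->fetchColumn();
    if ($last !== false && $now - (int)$last < 1) {
        return false; // too soon: reject before the password is even looked at
    }
    $stmt = $db->prepare('INSERT OR REPLACE INTO login_attempts (ip, last_attempt) VALUES (:ip, :t)');
    $stmt->execute([':ip' => $ip, ':t' => $now]);
    return true;
}

/**
 * Verify a username/password pair. The username is bound as a parameter, so
 * quotes or SQL keywords in it are treated as plain text, and the password is
 * checked with password_verify() against the stored hash.
 */
function login(PDO $db, string $username, string $password, string $ip, int $now): bool
{
    if (!rate_limit_ok($db, $ip, $now)) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user
    }
    return password_verify($password, $hash);
}

// Demonstration with constructed requests.
$now = time();
$cases = [
    // correct password from a fresh IP
    ['malikah', 'correct horse battery staple', '203.0.113.5', $now],
    // same IP within the same second: stopped by the rate limit, not by the password check
    ['malikah', 'correct horse battery staple', '203.0.113.5', $now],
    // wrong password, one second later from the same IP
    ['malikah', 'wrong password', '203.0.113.5', $now + 1],
    // username containing SQL metacharacters: the prepared statement treats it as text
    ["' OR 1=1 --", 'anything', '203.0.113.6', $now],
];
foreach ($cases as [$user, $pass, $ip, $t]) {
    printf("user=%-14s ip=%-12s -> %s\n", $user, $ip, login($db, $user, $pass, $ip, $t) ? 'accepted' : 'rejected');
}
```

Only the first case is accepted. The rate limit is checked before any password work is done, so a flood of requests from one address costs the server a single indexed lookup per request, and storing the hash rather than the password means a leaked database does not hand out the credential.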
gevans Posted January 23, 2009

The very quickest thing I can think for you is the following;

<?php
$realm = 'Restricted area';

//user => password
$users = array('admin' => 'mypass', 'guest' => 'guest');

if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="'.$realm.
           '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');

    die('Text to send if user hits Cancel button');
}

// analyze the PHP_AUTH_DIGEST variable
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
    !isset($users[$data['username']]))
    die('Wrong Credentials!');

// generate the valid response
$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);

// strict comparison: != would treat two numeric-looking hex strings as equal
if ($data['response'] !== $valid_response)
    die('Wrong Credentials!');

// ok, valid username & password
echo 'You are logged in as: ' . $data['username'];

// function to parse the http auth header
function http_digest_parse($txt)
{
    // protect against missing data
    $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
    $data = array();

    // each field is either key="quoted value" / key='quoted value' or key=bareword
    preg_match_all('@(\w+)=(?:([\'"])([^\2]+)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);

    foreach ($matches as $m) {
        $data[$m[1]] = $m[3] ? $m[3] : $m[4];
        unset($needed_parts[$m[1]]);
    }

    return $needed_parts ? false : $data;
}
?>

from php.net
malikah (Author) Posted January 24, 2009

Looks like I'll have some studying to do - Cheers.
This topic is now archived and is closed to further replies.