Security?

 
ą__
post 5 Aug, 2007 - 09:40 AM
Post #1




Hi, I'm very new to PHP and I was messing around trying to create a password script, and I ended up with this:

index.html contains
CODE

<html>
<body>
<form action="login.php" method="post">
password: <input type="text" name="password" />
<input type="submit" />
</form>

</body>
</html>


login.php contains
CODE

<?php
$password = "pass";
if (isset($_POST["password"]) && ($_POST["password"]=="$password"))
   header('Location:loggedin.php');
else
   header('Location:wrongpass.php');
?>


and then wrongpass.php and loggedin.php both contain just the words 'yes' and 'no',
so I was pretty proud that I did it by myself and showed a friend.
He said it was insecure, but I can't see how this is insecure. Could someone tell me if this is secure or not? And if it's insecure, how can I make it secure?

Last thing, if there's a simpler way to make something similar to this without SQL or anything, I'd be grateful if someone could show me :)

thanks

snoj
post 5 Aug, 2007 - 09:48 AM
Post #2




It's insecure since you're not setting up a session (and logging it) to keep track if a user is valid on other pages.

PsychoCoder
post 5 Aug, 2007 - 09:49 AM
Post #3




First, welcome to </dream.in.code> ą__, glad you could join us.

I believe your friend said it's not secure as you have the password in the page itself; all someone has to do is get access to that page and they know the password.

Given that you are new to PHP, don't let what he said bother you. You got it to work, now you need to work on making it better. All usernames and passwords should be stored in a database (MySQL preferred for PHP) and when the user logs in, check what they enter against what's in the database for that user, thus the password is never in plain text on the page.

I wrote a snippet that shows how to create a simple login system, then manage the logins with Sessions.
Here is a link to it: Managing Logins With Sessions

Hope this puts you on the right path :)

Happy Coding!

ą__
post 5 Aug, 2007 - 12:06 PM
Post #4




Oh great, thanks, and thanks for the welcome.
How would someone get the page? I thought that PHP shows invisible in view source?

And for this little code I just wanted to password protect it rather than set up a user login type thing..
Sorry if it seemed I meant it that way..

And thanks for the sessions in PHP code, I'm definitely gonna check that out now.

EDIT
Just had a quick look! Seems a bit complex ><
Guess I've got a lot of googling to do :D

EDIT AGAIN
Oooh, I see what you mean!
So, with sessions, people can ONLY view it if they're logged in.. however my way, they can just view the page if they have the URL. OK, got it..
But I still don't see how someone could gain access to the PHP file.

This post has been edited by ą__: 5 Aug, 2007 - 12:09 PM

PsychoCoder
post 5 Aug, 2007 - 12:24 PM
Post #5




QUOTE(ą__ @ 5 Aug, 2007 - 01:06 PM)

But I still don't see how someone could gain access to the PHP file.


There are many ways they can gain access to the page with the hard-coded password in it. Storing your password in plain text in the page itself is never a good idea.

ą__
post 5 Aug, 2007 - 01:07 PM
Post #6




Where should I store it?

snoj
post 5 Aug, 2007 - 01:29 PM
Post #7




Not so much where as how. You could simply store an md5 hash of the password(s) in a string or array variable in the PHP code.

Go to the top of the page
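
The two points raised in the replies (keep only a hash in the file, and use a session so loggedin.php cannot be opened directly by URL), combined for a single shared password; this is an added example, not part of the thread or any poster's code. It uses PHP's built-in password_hash()/password_verify() in place of the md5 hash suggested in the last reply. The file name auth.php, the function names and the placeholder hash are assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// auth.php: shared by login.php and every protected page.
// Added example; page names follow the thread, function names are hypothetical.

// Generate the hash once on the command line and paste the output here:
//   php -r 'echo password_hash("choose-a-password", PASSWORD_DEFAULT), "\n";'
// Until the placeholder is replaced, password_verify() rejects every
// input, so the gate fails closed.
const SITE_PASSWORD_HASH = 'REPLACE_WITH_OUTPUT_OF_password_hash';

session_start();

// Called by login.php: check the submitted password and mark the session.
function handle_login(array $post): void
{
    $given = $post['password'] ?? '';
    if (is_string($given) && password_verify($given, SITE_PASSWORD_HASH)) {
        session_regenerate_id(true);   // fresh session ID after login
        $_SESSION['logged_in'] = true;
        header('Location: loggedin.php');
    } else {
        header('Location: wrongpass.php');
    }
    exit;                              // nothing may run after the redirect
}

// Called first thing in loggedin.php and any other protected page.
function require_login(): void
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: index.html');
        exit;                          // without exit the page body is still sent
    }
}

// login.php body:      require 'auth.php'; handle_login($_POST);
// loggedin.php header: require 'auth.php'; require_login();
```

In index.html the field would also be `type="password"` rather than `type="text"` so the value is not shown while typing.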
