A few security questions

zxkelxz
Forum Newbie
Posts: 11
Joined: Wed Dec 22, 2010 9:17 am

A few security questions

Post by zxkelxz »

Back again with some security questions:

1. I've hard coded my MySQL login into my .PHP file. Is this secure? Are users unable to download the .PHP file from the server it is located on, so they can't view the information?

2. I'm using an HTML form for the user to log in. However, I use $_POST to retrieve the information on the next page. Is there a way to MD5 hash the password sent to the next page, or is it safe to keep it the way it is?

Thanks in advance guys and girls, you have been a big help so far.
phphelpme
Forum Contributor
Posts: 261
Joined: Sun Nov 21, 2010 3:32 pm

Re: A few security questions

Post by phphelpme »

Answer 1.

Yes, this is perfectly normal, and when you view the code of a page you only see HTML and not PHP. So if you are assigning your database login values to string variables and then calling them, that's fine.

Answer 2.
If your user is typing their username and password into the form, if they get it wrong then they only see what they typed, and if they have the correct details then they're in anyway. But using POST and GET is very normal, so you are OK anyway.

When converting to an MD5 hash you cannot revert it back, but if you convert it to MD5 at the user account creation stage and save the MD5 hash to the database, then when the user types in the details you convert them again to an MD5 hash before cross-checking with your database, and that would work just fine.

Hope this helps.
Last edited by phphelpme on Thu Dec 30, 2010 7:31 pm, edited 1 time in total.
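The create-then-compare flow phphelpme describes, as an added example (this is not code from the thread). It keeps the same shape, hash once at account creation and store only the hash, then re-check the typed password at login, but uses PHP's password_hash()/password_verify() (PHP 5.5 and later) in place of md5(), because unsalted MD5 is fast enough to brute-force that it is no longer suitable for stored passwords. The $users array is a constructed in-memory stand-in for a MySQL users table, and the $post array stands in for $_POST.

```php
<?php
// Added example, not code from the thread: the "hash at account creation, re-hash and
// compare at login" flow phphelpme describes, using password_hash()/password_verify()
// (PHP >= 5.5) in place of md5(). $users is a constructed in-memory stand-in for a
// MySQL users table.
declare(strict_types=1);

/** username => stored password hash (constructed stand-in for the database) */
$users = [];

// Account creation: hash once, store only the hash, never the plaintext.
function register_user(array &$users, string $username, string $password): void
{
    if (isset($users[$username])) {
        throw new RuntimeException('username already taken');
    }
    // password_hash() picks a random salt and embeds it in the result, so two users
    // with the same password still get different stored values.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: verify what the user typed against the stored hash. password_verify() reads
// the salt and cost from the stored string and compares in constant time.
function check_login(array $users, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }
    if (!isset($users[$username])) {
        // Unknown user: still do one verify so the response takes as long as a wrong
        // password does, instead of revealing which usernames exist.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Form handling: the plaintext from $_POST exists only inside this request and is
// never written anywhere. Constructed values stand in for $_POST here.
$post = ['username' => 'alice', 'password' => 'correct horse battery staple'];

register_user($users, $post['username'], $post['password']);

var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong password'));
var_dump(check_login($users, 'bob', 'anything'));
```

The stored value is the only thing the database ever holds; the posted password is compared and discarded within the request, which is the property the original question is asking about for the "next page".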
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: A few security questions

Post by social_experiment »

zxkelxz wrote: 2. I'm using an HTML form for the user to log in. However, I use $_POST to retrieve the information on the next page. Is there a way to MD5 hash the password sent to the next page, or is it safe to keep it the way it is?
You can look into using JavaScript to hash the values so that viewing the source reveals only a hashed value instead of the plain text one. Because PHP is server-side scripting, you will still send a plaintext password to the server before it is modified by MD5. Look into SSL, it is a secure connection and more information can be found here: http://www.google.co.za/search?hl=af&so ... connection
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
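The server-side half of "look into SSL", as an added example rather than anything social_experiment posted. Hashing in JavaScript only changes what the page source shows; whatever the browser submits still crosses the network in the clear unless the page is served over HTTPS, so this bootstrap refuses to process a login over plain HTTP and marks the session cookie as TLS-only. It assumes the web server sets $_SERVER['HTTPS'] for TLS requests; the CANONICAL_HOST and BEHIND_TRUSTED_PROXY constants are placeholders for your own deployment.

```php
<?php
// Added example, not code from the thread: refuse to handle a login over plain HTTP.
// Assumptions: the web server sets $_SERVER['HTTPS'] for TLS requests; X-Forwarded-Proto
// is trusted only when a proxy you control terminates TLS and strips that header from
// client requests; CANONICAL_HOST is your real hostname (placeholder below).
declare(strict_types=1);

const CANONICAL_HOST = 'www.example.com';   // placeholder: your site's hostname
const BEHIND_TRUSTED_PROXY = false;         // set true only behind your own TLS-terminating proxy

function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    return BEHIND_TRUSTED_PROXY
        && isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower((string) $server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// Same path on the canonical host, https scheme. Built from a constant rather than
// the Host header so a forged Host header cannot turn this into an open redirect.
function https_url(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . CANONICAL_HOST . $uri;
}

function require_https(array $server): void
{
    if (request_is_https($server)) {
        // Ask browsers to use https for this host from now on (only sent over TLS).
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    // 303 so the browser arrives with GET: if a password was already POSTed over
    // http it has already been exposed, and re-sending it would not help; the user
    // simply gets the login form again, this time over TLS.
    header('Location: ' . https_url($server), true, 303);
    exit('This page must be loaded over HTTPS.');
}

function start_secure_session(): void
{
    // Session cookie only over TLS and not readable by JavaScript (PHP >= 7.3 array form).
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// At the top of login.php, before anything reads $_POST:
require_https($_SERVER);
start_secure_session();
```

The check runs before $_POST is touched so that no code path ever handles a credential that arrived over plain HTTP; the cookie flags ensure the session that results from a successful login is not later sent over an unencrypted request either.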
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: A few security questions

Post by Darhazer »

For the first one, it's OK to be in a PHP file, but it's best if the file is outside your document root, so the file won't be downloaded even if the server is misconfigured. Additionally, make sure that the file is not readable by anyone (e.g. permission is not 666), but only by the owner and its group, if needed.

For the login, you have to use HTTPS.
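Darhazer's two points about the credentials file, keep it outside the document root and keep its permissions tight, as an added example that is not Darhazer's own code. The loader refuses to start if the file resolves to a path under the document root or if its mode grants "other" any access, and the directory layout in the comments is constructed for the example. The demo at the bottom writes a throwaway config into the temp directory so the block runs on its own (Unix permission bits assumed).

```php
<?php
// Added example, not code from the thread: load MySQL credentials from a file kept
// outside the document root, as Darhazer suggests, and refuse to start if that file is
// under the docroot or reachable by "other" users. Assumed layout (constructed):
//   /var/www/example.com/htdocs/        document root, served by the web server
//   /var/www/example.com/config/db.php  never served; contains only
//       <?php return ['host' => 'localhost', 'user' => 'app', 'pass' => '...', 'name' => 'appdb'];
// Permission checks assume a Unix filesystem.
declare(strict_types=1);

function load_db_config(string $path, string $docroot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config file not found: $path");
    }
    // Defence in depth: even a .php file can be served as plain text if the PHP
    // handler is misconfigured, so insist the file is not anywhere under the docroot.
    $root = realpath($docroot);
    if ($root !== false && strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException("config file must live outside the document root: $real");
    }
    // Reject modes that give "other" any access (covers 644, 666, 777); owner and,
    // if needed, group may keep access, e.g. 640 or 600.
    $mode = fileperms($real) & 0777;
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(sprintf('config file mode %04o is too open; chmod 640 or 600', $mode));
    }
    $cfg = require $real;
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("config file missing key '$key'");
        }
    }
    return $cfg;
}

// In production a script under htdocs would do:
//   $cfg = load_db_config(__DIR__ . '/../config/db.php', $_SERVER['DOCUMENT_ROOT']);
//   $pdo = new PDO("mysql:host={$cfg['host']};dbname={$cfg['name']};charset=utf8mb4",
//                  $cfg['user'], $cfg['pass'], [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Self-contained demo: a throwaway config in the temp directory (outside any docroot).
$tmp = tempnam(sys_get_temp_dir(), 'dbcfg');
file_put_contents($tmp, "<?php return ['host' => 'localhost', 'user' => 'app', 'pass' => 'example-only', 'name' => 'appdb'];");
$docroot = '/var/www/example.com/htdocs'; // constructed; need not exist for the demo

chmod($tmp, 0644); // world-readable: rejected
try {
    load_db_config($tmp, $docroot);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

chmod($tmp, 0600); // owner only: accepted
$cfg = load_db_config($tmp, $docroot);
echo "loaded credentials for {$cfg['user']}@{$cfg['host']}\n";
unlink($tmp);
```

Failing closed at startup is the point: a credentials file that is suddenly world-readable or has been copied under htdocs is an incident, and the application should stop rather than keep running with it.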