
A few security questions

Posted: Thu Dec 30, 2010 7:10 pm
by zxkelxz
Back again with some security questions:

1. I've hard-coded my MySQL login into my .PHP file. Is this secure? Are users unable to download the .PHP file from the server it is located on, so that they can't view the information?

2. I'm using an HTML form for the user to log in. However, I use $_POST to retrieve the information on the next page. Is there a way to MD5-hash the password sent to the next page, or is it safe to keep it the way it is?

Thanks in advance guys and girls, you have been a big help so far.

Re: A few security questions

Posted: Thu Dec 30, 2010 7:22 pm
by phphelpme
Answer 1.

Yes, this is perfectly normal; when you view the source of a page you only see HTML, not PHP. So if you are assigning your database login values to string variables and then calling them, that's fine.

Answer 2.

If your user is typing their username and password into the form and they get it wrong, then they only see what they typed, and if they have the correct details then they're in anyway. Using the POST and GET functions is very normal, so you are OK either way.

When converting to an MD5 hash you cannot revert it back, but if you convert it to MD5 at the user account creation stage and save the MD5 hash to the database, then when the user types in their details you convert again to an MD5 hash before cross-checking with your database. That would work just fine.

Hope this helps.
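The register-then-verify flow described in the answer above, as an added example that is not code from the thread or from either poster. It shows the md5() version exactly as described, beside the salted, slow password_hash()/password_verify() version (PHP 5.5 and later) that a current deployment should use instead. The users table, its column names and the sample accounts are assumptions made for the demo; it runs against an in-memory SQLite database so it works stand-alone, but the PDO calls are the same against MySQL. It assumes PHP 7 or later with the PDO SQLite driver.

```php
<?php
// Added example, not code from the thread. It shows the register-then-verify
// flow the answer describes, first with md5() exactly as described, then with
// password_hash()/password_verify() (PHP 5.5+), which is what to deploy today.
// Table and column names are assumptions; the demo uses an in-memory SQLite DB
// so it runs stand-alone, but the same PDO calls work against MySQL.

// ---- Variant A: unsalted md5(), as in the answer (for comparison only) ----
function md5_register(PDO $db, string $user, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
    $stmt->execute([$user, md5($password)]);
}

function md5_login(PDO $db, string $user, string $password): bool {
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() is a constant-time comparison; '==' would leak timing
    return $row !== false && hash_equals($row['pwhash'], md5($password));
}

// ---- Variant B: salted, deliberately slow hash via password_hash() ----
function register(PDO $db, string $user, string $password): void {
    // PASSWORD_DEFAULT is bcrypt; the random salt and the cost are stored in the hash
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

function login(PDO $db, string $user, string $password): bool {
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return false;
    }
    // Upgrade the stored hash in place if the default cost/algorithm has been raised
    if (password_needs_rehash($row['pwhash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pwhash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $user]);
    }
    return true;
}

// ---- Stand-alone demo with constructed sample users ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');

md5_register($db, 'alice', 'correct horse battery staple');
md5_register($db, 'bob',   'correct horse battery staple');
register($db, 'carol',     'correct horse battery staple');
register($db, 'dave',      'correct horse battery staple');

foreach ($db->query('SELECT username, pwhash FROM users') as $r) {
    // alice and bob share one md5 digest (no salt); carol and dave do not
    printf("%-6s %s\n", $r['username'], $r['pwhash']);
}

// In the page that receives the form, the same call with the posted fields:
//   $ok = login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
var_dump(md5_login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'carol', 'correct horse battery staple'));
var_dump(login($db, 'carol', 'wrong password'));
```

The dump of the users table is the point of the comparison: two md5() users with the same password have identical digests, so a leaked table reveals shared passwords and can be attacked with a single precomputed table, while the two bcrypt hashes differ and each costs real CPU time to test. Note also that the password itself still travels from the browser to the server in the POST body; hashing it in the browser first only makes that digest the thing an eavesdropper needs, so the transport has to be protected separately.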

Re: A few security questions

Posted: Thu Dec 30, 2010 7:30 pm
by social_experiment
zxkelxz wrote:
    2. I'm using an HTML form for the user to log in. However, I use $_POST to retrieve the information on the next page. Is there a way to MD5-hash the password sent to the next page, or is it safe to keep it the way it is?

You can look into using JavaScript to hash the values so that viewing the source reveals only a hashed value instead of the plaintext one. Because PHP is server-side scripting, you will still send a plaintext password to the server before it is modified by MD5. Look into SSL; it is a secure connection, and more information can be found here: http://www.google.co.za/search?hl=af&so ... connection

Re: A few security questions

Posted: Fri Dec 31, 2010 5:06 am
by Darhazer
For the first one, it's OK to be in a PHP file, but it's best if the file is outside your document root, so the file won't be downloaded even if the server is misconfigured. Additionally, make sure that the file is not readable by anyone (e.g. the permission is not 666), but only by the owner and its group, if needed.

For the login, you have to use HTTPS.
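One way to apply the advice in the reply above, as an added example that is not code from the thread or from the poster: the credentials live in a file outside the document root, the page loads them with require (so the file is executed, never echoed), and a permission check refuses to start if the file is readable by other users. The directory layout (public/ as document root, config/db.php beside it), the function names and the temporary demo file are assumptions; the check relies on Unix permission bits and assumes PHP 7 or later with the PDO SQLite driver for the stand-alone demo.

```php
<?php
// Added example, not code from the thread. It loads the MySQL credentials from
// a file kept outside the document root and refuses to start if that file is
// readable by "other" users. The directory layout is an assumption:
//   /var/www/site/public/   document root, the only directory the web server serves
//   /var/www/site/config/   db.php with the credentials, never served
// config/db.php would contain just:
//   <?php return ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => 'app', 'pass' => '...'];

function load_db_config(string $path): array {
    if (!is_file($path)) {
        throw new RuntimeException("config file not found: $path");
    }
    clearstatcache(true, $path);            // do not trust a cached stat() result
    // Low nine bits of fileperms() are rwxrwxrwx; 0007 are the "other" bits
    $mode = fileperms($path) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf(
            'refusing to load %s: mode %04o is accessible to all users, use chmod 640', $path, $mode));
    }
    // require executes the file and returns its array; it is never sent to a client
    $cfg = require $path;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!is_array($cfg) || !array_key_exists($key, $cfg)) {
            throw new RuntimeException("config is missing '$key'");
        }
    }
    return $cfg;
}

function connect(array $cfg): PDO {
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// In public/index.php the call would be:
//   $db = connect(load_db_config(dirname(__DIR__) . '/config/db.php'));

// ---- Stand-alone demo with a constructed temporary config file ----
$tmp = tempnam(sys_get_temp_dir(), 'dbcfg');
file_put_contents($tmp, "<?php\nreturn ['dsn' => 'sqlite::memory:', 'user' => '', 'pass' => ''];\n");

chmod($tmp, 0644);                  // world-readable, as a careless upload often leaves it
try {
    load_db_config($tmp);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

chmod($tmp, 0640);                  // owner read/write, group read, nothing for others
$db = connect(load_db_config($tmp));
echo 'connected with ', get_class($db), PHP_EOL;
unlink($tmp);
```

The permission check only catches the "666" mistake the reply warns about; keeping the file out of the document root is what protects it when the web server is misconfigured, and that is a matter of layout plus pointing the server's document root at public/ rather than at the project directory. With 0640 the owner should be the deploying account and the group the one the web server runs as, so the server can read the credentials without any other local user being able to.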