Password protection without mysql

JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Password protection without mysql

Post by JKM »

Hi there!

I'm making a form where I want a password at the end, and I've heard that 'if($_POST['password'] == password123) {' isn't safe enough. So could anyone give me or explain how I make a safe password script (where the password isn't saved in a MySQL db)?
Ziq
Forum Contributor
Posts: 194
Joined: Mon Aug 25, 2008 12:43 am
Location: Russia, Voronezh

Re: Password protection without mysql

Post by Ziq »

One of the best ways is not to store the password in plain text. For example:
1. Create a hash function

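Code:

<?php
//  Returns the value to store in place of the plain-text password.
function hash_password($password)
{
    //  simple: the reversed hex MD5 digest of the password
    return strrev(md5($password));
}
?>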
2. Save this password (db, file, etc.)
3. Compare the password's hash

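Code:

//...
//  hash_equals() compares the two digests as strings; a loose == can treat
//  two different "0e..." digests as equal numbers.
if (hash_equals($saved_password, hash_password($_POST['password'])))
{
    //...
}
//...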
Last edited by Ziq on Tue Aug 26, 2008 9:37 am, edited 1 time in total.
JKM
Forum Contributor
Posts: 221
Joined: Tue Jun 17, 2008 8:12 pm

Re: Password protection without mysql

Post by JKM »

Hmm, I don't get it completely. Where should I define $password and $saved_password?
dajawu
Forum Commoner
Posts: 59
Joined: Fri May 23, 2008 10:16 am

Re: Password protection without mysql

Post by dajawu »

The way Ziq has it above, if you want to save the password in your script you must first run the hash_function on it. Then save the resulting password in your script. At least this way, if someone does see it, they cannot reverse it back to the original password. They would have to run a brute force to figure it out.
Ziq
Forum Contributor
Posts: 194
Joined: Mon Aug 25, 2008 12:43 am
Location: Russia, Voronezh

Re: Password protection without mysql

Post by Ziq »

JKM wrote: Hmm, I don't get it completely. Where should I define $password and $saved_password?
First

Code:

$saved_password = hash_password('your_real_password');
//  You must save this value! It's something like bbb16a4aeed73e63a96b51eef003ecfc
//  It is not important where exactly you store it. Maybe file, db, source code, etc.
//  But never save your_real_password itself.
Then

Code:

//  Extract your hashed password
$saved_password = load_saved_hash();  //  bbb16a4aeed73e63a96b51eef003ecfc
//  load_saved_hash() is a placeholder name (PHP's built-in extract() does something else):
//  it returns the hash saved earlier (file, db, source code, etc.)
if (hash_equals($saved_password, hash_password($_POST['password'])))
{
    //  authenticated user
}
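An added example, not part of any post in this thread: the same store-a-hash-then-compare flow without MySQL, written with PHP's built-in password_hash() and password_verify(), which salt each password and use a deliberately slow algorithm rather than a single unsalted MD5 pass. The file location and the function names save_password_hash() and check_password() are assumptions made for illustration.

```php
<?php
// Added example; names and the file path below are illustrative assumptions.

// Hypothetical location of the stored hash; keep it outside the web root.
const HASH_FILE = __DIR__ . '/form_password.hash';

// Run once (for instance from the command line) to create the stored hash.
function save_password_hash(string $plain, string $file = HASH_FILE): void
{
    // PASSWORD_DEFAULT selects a salted, slow algorithm; the salt and cost
    // are embedded in the returned string, so nothing else needs storing.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    if (file_put_contents($file, $hash, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $file");
    }
    chmod($file, 0600); // readable by the owning account only
}

// Returns true only when $submitted matches the stored hash.
function check_password($submitted, string $file = HASH_FILE): bool
{
    // A form field can arrive as an array (password[]=x); accept strings only.
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    $hash = @file_get_contents($file);
    if ($hash === false) {
        return false; // no stored hash: fail closed
    }
    // password_verify() re-derives the hash with the embedded salt and
    // compares the result in constant time.
    return password_verify($submitted, trim($hash));
}

// Offline demo with a constructed password and a temporary file.
$tmp = tempnam(sys_get_temp_dir(), 'pw');
save_password_hash('correct horse battery staple', $tmp);
var_dump(check_password('correct horse battery staple', $tmp)); // matching input
var_dump(check_password('password123', $tmp));                  // wrong input
var_dump(check_password(['x'], $tmp));                          // array input
unlink($tmp);

// In the form handler:
// if (check_password($_POST['password'] ?? null)) { /* authenticated user */ }
```

Because the salt is random, hashing the same password twice gives two different strings, so the stored value can only be checked with password_verify(), never by hashing again and comparing.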