Hi there!
I'm making a form where I want a password at the end, and I've heard that 'if($_POST['password'] == password123) {' isn't safe enough. So could anyone give me or explain how I make a safe password script (where the password isn't saved in a mysql db)?
Password protection without mysql
Re: Password protection without mysql
One of the best ways is not to store the password in the open. For example:
1. Create hash function
2. Save this password (db, file, etc)
3. Compare password's hash
1. Create hash function
Code:
<?php
function hash_password($password)
{
    // simple: reverse the hex md5 digest of the password
    return strrev(md5($password));
}
?>
3. Compare password's hash
Code:
//...
// $saved_password holds the hash stored in step 2; compare it with the
// hash of the submitted password using strict string comparison
if ($saved_password === hash_password($_POST['password']))
{
    //...
}
//...
Last edited by Ziq on Tue Aug 26, 2008 9:37 am, edited 1 time in total.
Re: Password protection without mysql
Hmm, I don't get it completely. Where should I define $password and $saved_password?
Re: Password protection without mysql
The way Ziq has it above, if you want to save the password in your script you must first run the hash_function on it. Then save the resulting password in your script. At least this way if someone does see it they cannot reverse it back to the original password. They would have to run a brute force to figure it out.
Re: Password protection without mysql
FirstJKM wrote: Hmm, I don't get it completely. Where should I define $password and $saved_password?
Code:
$saved_password = hash_password('your_real_password');
// This is the variable you must save! It will look something like bbb16a4aeed73e63a96b51eef003ecfc
// Where exactly you store it does not matter: a file, a db, the source code, etc.
// But never save your_real_password itself.
Code:
// Load your saved password hash
$saved_password = load_saved_hash(); // bbb16a4aeed73e63a96b51eef003ecfc
// load_saved_hash() stands for whatever returns the hash you saved earlier
// (from a file, db, source code, etc.); it is a placeholder, not a built-in
if ($saved_password === hash_password($_POST['password']))
{
    // authenticated user
}
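The three steps discussed in this thread (hash once, store only the hash, compare the hash of the submitted password) carried through with PHP's built-in password API. This is an added example, not code posted by Ziq or any other participant: password_hash()/password_verify() need PHP 5.5 or later and did not exist when the thread was written. Unlike strrev(md5()), they use a random salt and a deliberately slow algorithm, so a leaked hash file cannot simply be matched against a precomputed md5 table. The file name HASH_FILE, the function names and the CLI setup branch are assumptions for the demo.

```php
<?php
// Added example (not from the thread). HASH_FILE is an assumed location;
// in a real deployment keep it outside the web root and readable only by the web server user.
const HASH_FILE = __DIR__ . '/password.hash';

// Steps 1 and 2: hash the real password once and store only the hash.
function store_password_hash(string $realPassword, string $file): void
{
    // password_hash() generates a random salt and uses bcrypt (PASSWORD_DEFAULT);
    // the returned string encodes algorithm, cost and salt, so it is self-describing.
    $hash = password_hash($realPassword, PASSWORD_DEFAULT);
    file_put_contents($file, $hash, LOCK_EX);
}

// Step 3: check a submitted password against the stored hash.
function check_password(string $submitted, string $file): bool
{
    $hash = is_readable($file) ? file_get_contents($file) : false;
    if ($hash === false || $hash === '') {
        return false; // no hash stored yet: fail closed, never fall back to a plaintext compare
    }
    // password_verify() reads salt and algorithm from the hash and compares in constant time,
    // so neither == nor === on hash strings is needed here.
    return password_verify($submitted, trim($hash));
}

// One-time setup from the command line:  php this_script.php setup 'your_real_password'
if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'setup') {
    store_password_hash($argv[2] ?? '', HASH_FILE);
    echo 'Hash written to ' . HASH_FILE . PHP_EOL;
    exit;
}

// Form handling: the real password never appears in this file.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (check_password($_POST['password'] ?? '', HASH_FILE)) {
        session_start();
        $_SESSION['authenticated'] = true;
        echo 'Welcome.'; // authenticated user
    } else {
        http_response_code(403);
        echo 'Wrong password.';
    }
}
```

Running the setup branch once writes a bcrypt string (beginning with "$2y$") to the hash file; the web form then only ever reads that file. If the password needs to change, re-run the setup step; nothing else in the script has to be edited.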