Password protection without mysql
Posted: Tue Aug 26, 2008 4:15 am
by JKM
Hi there!
I'm making a form where I want a password at the end, and I've heard that 'if($_POST['password'] == password123) {' isn't safe enough. So could anyone give me or explain how I make a safe password script (where the password isn't saved in a mysql db).
Re: Password protection without mysql
Posted: Tue Aug 26, 2008 4:44 am
by Ziq
One of the best ways is not to store the password in the open. For example:
1. Create hash function
<?php
// Turn the plain-text password into a hash; only the hash is ever stored.
function hash_password($password)
{
    // simple: md5 hex digest, reversed
    return strrev(md5($password));
}
?>
2. Save this password (db, file, etc)
3. Compare password's hash
//...
// Hash what the user typed and compare it with the stored hash.
// Use === (strict) rather than ==: PHP's loose == can treat two different
// hex strings as equal if both look like numbers in scientific notation.
if ($saved_password === hash_password($_POST['password']))
{
//...
}
//...
Re: Password protection without mysql
Posted: Tue Aug 26, 2008 9:14 am
by JKM
Hmm, I don't get it completely. Where should I define $password and $saved_password?
Re: Password protection without mysql
Posted: Tue Aug 26, 2008 9:19 am
by dajawu
The way Ziq has it above, if you want to save the password in your script you must first run the hash_function on it. Then save the resulting password in your script. At least this way if someone does see it they can not reverse it back to the original password. They would have to run a brute force to figure it out.
Re: Password protection without mysql
Posted: Tue Aug 26, 2008 9:59 am
by Ziq
JKM wrote: Hmm, I don't get it completely. Where should I define $password and $saved_password?
First
$saved_password = hash_password('your_real_password');
// This variable you must save! It's something like bbb16a4aeed73e63a96b51eef003ecfc
// It is not important where exactly you store the hash: a file, db, source code, etc.
// But never save your_real_password itself.
Then
// Read back your saved hash.
// load_saved_hash() stands for your own function that returns the hash saved
// earlier (from a file, db, source code, etc.). It cannot be called extract(),
// because PHP already has a built-in function with that name.
$saved_password = load_saved_hash(); // bbb16a4aeed73e63a96b51eef003ecfc
if ($saved_password === hash_password($_POST['password']))
{
    // authenticated user
}
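The same store-a-hash-not-the-password idea as Ziq's two steps, written out as one complete script. This is an added example, not code from the thread: it swaps the reversed md5 for PHP's built-in password_hash()/password_verify() (PHP 5.5+; the type hints below need PHP 7.1+), which add a random salt and a slow hash so that a leaked hash cannot be brute-forced quickly. The file path, the CLI "set the password" step and the function names are assumptions for the example.

```php
<?php
// Added example. Assumption: the hash is kept in a file outside the web root
// so it can never be fetched over HTTP; HASH_FILE below is a placeholder path.
const HASH_FILE = '/var/www/private/password.hash';

// Step 1 (run once, from the command line): hash the password and store only the hash.
// The plain-text password is never written anywhere.
function store_password_hash(string $password, string $file): void
{
    // PASSWORD_DEFAULT is currently bcrypt; the salt and cost are embedded in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    file_put_contents($file, $hash, LOCK_EX);
    chmod($file, 0600); // readable only by the user the web server runs as
}

// Step 2 (on every form submission): compare what was typed against the stored hash.
function check_password(string $submitted, string $file): bool
{
    if (!is_readable($file)) {
        return false; // no hash stored yet: deny instead of falling open
    }
    $hash = trim((string) file_get_contents($file));
    if ($hash === '') {
        return false;
    }
    // password_verify() reads the salt out of the hash and compares in constant time,
    // so neither == nor === on hash strings is needed here.
    return password_verify($submitted, $hash);
}

if (PHP_SAPI === 'cli') {
    // Usage:  php protect.php < password.txt   (reads the password from stdin so it
    // does not end up in the shell history or the process list)
    $password = rtrim((string) fgets(STDIN), "\r\n");
    if ($password === '') {
        fwrite(STDERR, "no password given on stdin\n");
        exit(1);
    }
    store_password_hash($password, HASH_FILE);
    echo 'Hash stored in ' . HASH_FILE . "\n";
    exit(0);
}

// Web request: the form posts a field named "password".
if (isset($_POST['password'])) {
    if (check_password((string) $_POST['password'], HASH_FILE)) {
        echo 'authenticated user';
    } else {
        echo 'wrong password';
    }
}
```

If the hash is ever leaked (a backup, a misconfigured web root), only the hash file needs to be regenerated; and because password_hash() salts each call, the same password produces a different hash every time, so two sites sharing a password do not share a hash.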