CraniumDesigns wrote:Ok. I am developing my first super major php driven community site and I need to make sure all login/pass info and anything else I want is secure and not readable, especially my inc files.
- Minimize the amount that has to be stored in .inc files
- Make your .inc files .inc.php files with a 'cannot access directly' header
- Use htaccess to prevent direct access of the .inc.php files
- Use good coding practices like defining variables and not trusting user input.
Those are good general approaches to ensuring general security and preventing direct access to your .inc files.
As to login/pass info, it can be more complex.
First and foremost, md5() the password against a time-based session stamp. By doing so, you remove the ability to sniff the password cleartext (it's sent in md5 form), and you reduce the amount of time the attacker can do a replay attack to roughly 5-15 minutes (while the user is logging in).
If you also ensure that the session stamp clears upon login, then it will be virtually impossible to replay the login!
Of course if you really want HIGH security, you should use SSL, but a solid CHAP/md5 login sequence (as described above) should get you most of the security you'll need.
More information on CHAP logins (with example backend scripts in php) available here:
http://pajhome.org.uk/crypt/md5/chaplogin.html
More information on md5 passwords via javascript (again, with example scripts) available here:
http://pajhome.org.uk/crypt/md5/
That is the method Yahoo uses for sections that don't use SSL.