Password above HTML Secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

phluxm
Forum Newbie
Posts: 2
Joined: Tue Mar 16, 2010 6:07 am

Password above HTML Secure?

Post by phluxm »

I'm just getting to grips with PHP and wondered how safe the code parsed on the server is.

I have tried creating a basic password login with login form - the data of which is checked above the HTML tag.

Is this secure?


Code below:

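if ($user == "username" and $pass == "password") {
    // credentials matched: fall through and render the page below
} else {
    // anything else: stop before any HTML is sent
    exit();
}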
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Password above HTML Secure?

Post by timWebUK »

In a word, no.

Generally passwords are not hardcoded into PHP but stored securely within a database (using hashing, etc.).

But in answer to your initial question, because PHP is server-side, the code is executed before the browser sees it, so no one would be able to see your source code unless they had access to your server.

But it's hard to comment on your code because all it is, is an IF statement... hard to state whether that is 'secure' or not!
phluxm
Forum Newbie
Posts: 2
Joined: Tue Mar 16, 2010 6:07 am

Re: Password above HTML Secure?

Post by phluxm »

Thanks for your help timWebUK!

If I held the password and code in a MySQL database would it be secure? Is that the 'usual' secure way of storing passwords etc.?

Also - if I held the password in a page saved above the website's public root folder (htdocs / public_html etc.) does this protect it more securely?

I suppose my question was: "How secure is server-side PHP?" - i.e., should I worry about it being hacked / manipulated - especially if it includes passwords or other important data/scripts?
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Password above HTML Secure?

Post by timWebUK »

Ensure your FTP password is secure (10 or more characters, alphanumeric and symbols). Do the same with your MySQL database. Share these with no one, and do not store them anywhere online accessible through the website.

It is important that sensitive information such as passwords is hashed before being stored - preferably with a salt.

This thread should answer all your questions:

viewtopic.php?t=95337
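The salted hashing recommended in the reply above, shown as an added example that is not part of the original thread: the plaintext comparison from the first post is replaced by a check against a stored hash. It assumes PHP 7 or later; `verify_login`, `$store` and the sample account are hypothetical names, and the array stands in for a database table. `password_hash()` generates a random salt itself and embeds it in the returned string.

```php
<?php
// Added example; verify_login(), $store and the "alice" account are hypothetical.

/**
 * Check a submitted login against a stored salted hash.
 * $store maps username => hash produced by password_hash().
 * Returns [bool $ok, ?string $newHash]; $newHash is set when the stored
 * hash should be replaced because the default algorithm or cost changed.
 */
function verify_login(array $store, string $user, string $pass): array
{
    // Hash of a throwaway value, so an unknown username costs the same
    // amount of work as a known one and is not revealed by timing.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }

    $known = array_key_exists($user, $store);
    $hash  = $known ? $store[$user] : $dummy;

    // password_verify() reads the salt and cost from the hash string and
    // compares in constant time; it runs even when the user is unknown.
    $ok = password_verify($pass, $hash) && $known;

    $newHash = null;
    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($pass, PASSWORD_DEFAULT);
    }
    return [$ok, $newHash];
}

// Constructed sample data: in practice the hash is read from the database,
// and only the hash (never the plaintext) is stored there.
$store = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

[$ok, $newHash] = verify_login($store, 'alice', 'correct horse battery staple');
var_dump($ok);   // correct password for a known user

[$ok, $newHash] = verify_login($store, 'alice', 'password');
var_dump($ok);   // wrong password

[$ok, $newHash] = verify_login($store, 'mallory', 'anything');
var_dump($ok);   // unknown user
```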