
Password above HTML Secure?

Posted: Tue Mar 16, 2010 6:15 am
by phluxm
I'm just getting to grips with PHP and wondered how safe the code parsed on the server is.

I have tried creating a basic password login with login form - the data of which is checked above the HTML tag.

Is this secure?


Code below:

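if ($user == "username" and $pass == "password") {
    // credentials match: carry on and output the HTML below
} else {
    // credentials do not match: stop before any HTML is sent
    exit();
}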

Re: Password above HTML Secure?

Posted: Tue Mar 16, 2010 8:41 am
by timWebUK
In a word, no.

Generally passwords are not hardcoded into PHP but stored securely within a database (using hashing, etc.).

But in answer to your initial question, because PHP is server-side, the code is executed before the browser sees it, so no one would be able to see your source code unless they had access to your server.

But it's hard to comment on your code because all it is, is an IF statement... hard to state whether that is 'secure' or not!

Re: Password above HTML Secure?

Posted: Tue Mar 16, 2010 10:41 am
by phluxm
Thanks for your help timWebUK!

If I held the password and code in a MySQL database would it be secure? Is that the 'usual' secure way of storing passwords etc.?

Also - if I held the password in a page saved above the website's public root folder (htdocs / public_html etc.), does this protect it more securely?

I suppose my question was: "How secure is server-side PHP?" - i.e., should I worry about it being hacked / manipulated - especially if it includes passwords or other important data/scripts?

Re: Password above HTML Secure?

Posted: Tue Mar 16, 2010 11:17 am
by timWebUK
Ensure your FTP password is secure (10 or more characters, alphanumeric and symbols). Do the same with your MySQL database. Share these with no one, and do not store them anywhere online accessible through the website.

It is important that sensitive information such as passwords is hashed before being stored - preferably with a salt.

This thread should answer all your questions:

viewtopic.php?t=95337
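
The salted hashing recommended in the reply above, as an added example that is not part of the original thread. It uses PHP's built-in password_hash() and password_verify() (PHP 5.5 and later, so newer than this thread); the account name, the password and the function names make_record and check_login are constructed for illustration.

```php
<?php
// Added example, not code from the thread. All names and values are constructed.

// One-time setup: build the record that gets stored (a database row, or a
// config file kept outside the public web root). password_hash() generates a
// random salt and embeds it, with the algorithm and cost, in the returned string.
function make_record(string $user, string $plainPassword): array
{
    return [
        'user' => $user,
        'hash' => password_hash($plainPassword, PASSWORD_DEFAULT),
    ];
}

// Login check run at the top of the page, before any HTML is sent.
function check_login(array $record, string $user, string $pass): bool
{
    // Verify the password even when the username is wrong, so the response
    // time does not reveal which of the two fields failed.
    $passOk = password_verify($pass, $record['hash']);
    $userOk = hash_equals($record['user'], $user);
    return $userOk && $passOk;
}

// Constructed sample record standing in for what the server would store.
$record = make_record('alice', 'correct horse battery staple');

// The stored string contains the salt and the hash, never the plaintext.
echo "stored: {$record['hash']}\n";

// Hashing the same password again gives a different string (new salt),
// yet both strings verify against the original password.
$second = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
echo 'same string twice? ', var_export($second === $record['hash'], true), "\n";

// Constructed login attempts: only the first should be accepted.
$attempts = [
    ['alice', 'correct horse battery staple'],
    ['alice', 'password'],
    ['bob',   'correct horse battery staple'],
    ['alice', ''],
];
foreach ($attempts as [$u, $p]) {
    $result = check_login($record, $u, $p) ? 'accepted' : 'rejected';
    printf("%-6s %-32s %s\n", $u, var_export($p, true), $result);
}

// After a successful login, upgrade old hashes when PHP's default changes.
echo 'needs rehash? ', var_export(password_needs_rehash($record['hash'], PASSWORD_DEFAULT), true), "\n";
```

On a failed check the page would call exit() as in the original snippet; the difference is that the server holds only the hash, so reading the source or the database does not reveal the password itself.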