Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
If I use a challenge/response to encrypt the login data and prevent it from being sniffed, is this pretty secure?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
I would be more worried about your storage scheme for users and passwords.
How come?
The site in question does not have a database of users. Instead it just relies on a few administrators to perform tasks every so often, or check content.
There are 3 administrators, so I figure a user:pass txt file would be easiest to implement.
Easy to implement sure, but unless you are reliably sure that no one can get to that file (outside the document root isn't good enough alone) then you are okay overall. However I would suggest hashing the entire piece of information regarding their user and password combination.
Or maybe it is an idea to place the file inside the document root with a php extension like: administrators.txt.php
Nobody from a web browser can see what is inside the script.
Attack-wise from the web, you should be in the clear. If it's a multi-user system, though, it may be exposed to the outside (permissions tomfoolery and such). But the risk is very slight, and there's not much they can do with salted md5s.
With a fixed salt, there is the danger of detecting when several users have the same password. Then, there's good money that it is in a short dictionary (100-500 most common passwords) which can easily be tried with an online attack.
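As an added example (not code posted by anyone in this thread), the following PHP script ties the two points above together: it writes the three-administrator credential list as a `.php` file so the web server executes it instead of serving its contents, hashes each password with `password_hash` (bcrypt, fresh random salt per user), and then shows why a single fixed salt is worse: with a fixed salt, two administrators who chose the same password end up with identical hashes, which is visible from the file alone. The usernames, passwords and file path are constructed sample values.

```php
<?php
declare(strict_types=1);

// Constructed sample: three administrators, two of whom chose the same password.
const SAMPLE_ADMINS = [
    'alice' => 'correct horse battery',
    'bob'   => 'Tr0ub4dor&3',
    'carol' => 'correct horse battery',
];

/** Build the contents of administrators.txt.php: one bcrypt hash per user. */
function build_admin_file(array $plain): string
{
    $hashes = [];
    foreach ($plain as $user => $password) {
        // password_hash draws a fresh random salt on every call
        $hashes[$user] = password_hash($password, PASSWORD_BCRYPT);
    }
    return "<?php\nreturn " . var_export($hashes, true) . ";\n";
}

/** Load the hashes. Because the file is PHP, the server runs it rather than
 *  sending it, so a browser request for administrators.txt.php gets an empty page. */
function load_admins(string $path): array
{
    $admins = include $path;
    return is_array($admins) ? $admins : [];
}

/** Verify a login. password_verify runs even for unknown users so that response
 *  time does not reveal which usernames exist. */
function check_login(array $admins, string $user, string $password): bool
{
    static $dummy = null;
    $dummy ??= password_hash('no-such-user', PASSWORD_BCRYPT);
    $known = isset($admins[$user]);
    $ok = password_verify($password, $known ? $admins[$user] : $dummy);
    return $known && $ok;
}

/** The weak scheme discussed above: one fixed salt shared by every user. */
function fixed_salt_md5(array $plain, string $salt): array
{
    $hashes = [];
    foreach ($plain as $user => $password) {
        $hashes[$user] = md5($salt . $password);
    }
    return $hashes;
}

/** Groups of users whose stored hashes are identical, i.e. who visibly share a password. */
function shared_password_groups(array $hashes): array
{
    $byHash = [];
    foreach ($hashes as $user => $hash) {
        $byHash[$hash][] = $user;
    }
    return array_values(array_filter($byHash, fn($users) => count($users) > 1));
}

// --- demonstration (constructed path; in production this sits in the docroot) ---
$path = sys_get_temp_dir() . '/administrators.txt.php';
file_put_contents($path, build_admin_file(SAMPLE_ADMINS));
$admins = load_admins($path);

var_dump(check_login($admins, 'alice', 'correct horse battery'));
var_dump(check_login($admins, 'alice', 'wrong password'));
var_dump(check_login($admins, 'mallory', 'anything'));

// Fixed salt: alice and carol get the same md5, so the file itself shows they
// share a password, and a short dictionary tried against that one hash hits both.
print_r(shared_password_groups(fixed_salt_md5(SAMPLE_ADMINS, 'site-wide-salt')));

// Per-user salt: the same two passwords produce different bcrypt hashes, so
// nothing in the file reveals that they match.
print_r(shared_password_groups($admins));

unlink($path);
```

The credential file is plain PHP that only `return`s an array, so even if it is placed inside the document root there is no output for a browser to read; the filesystem permission concern raised earlier still applies, which is why the file holds hashes rather than passwords.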