Noob ?s: plain text pass and other security principles

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


djsh823
Forum Newbie
Posts: 5
Joined: Sun Jan 23, 2011 12:15 pm

Noob ?s: plain text pass and other security principles

Post by djsh823 »

Hello,

1) If there is a SHORT document that provides answers to these basic intro questions feel free to point me there, I am very much a PHP beginner.

2) If I have a php file that allows POST data to be sent to another file that has a password that accesses a database, wouldn't someone simply be able to read the source, find out what the action php file is and manually read this file's source from the browser (including my password)? What stops people from doing things like that? Putting the file out of the webroot? The permissions on the file? Hashing the password?

3) Is there an easy way to hash plain text passwords so that they are not visible to text readers?

Thank you!
jack
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Noob ?s: plain text pass and other security principles

Post by social_experiment »

djsh823 wrote: I am very much a PHP beginner.
Have a look at w3schools.com.
djsh823 wrote: If I have a php file that allows POST data to be sent to another file that has a password that accesses a database, wouldn't someone simply be able to read the source, find out what the action php file is and manually read this file's source from the browser (including my password)? What stops people from doing things like that? Putting the file out of the webroot? The permissions on the file? Hashing the password?
If the server you are using is correctly configured, files with the extension .php will be treated as a php document and no php code will be visible (even if you view the source of the page). I don't know if someone can view your password like that though (while you are busy at the terminal); it's more likely to be intercepted somewhere down the line, between you and the server.
djsh823 wrote: Is there an easy way to hash plain text passwords so that they are not visible to text readers?
To 'hash' the values (assuming this is still in line with your previous question) you would probably use javascript to hash before the values are sent to the server. Google HTTPS as well.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

Re: Noob ?s: plain text pass and other security principles

Post by djsh823 »

Thank you very much for your reply. As regards the hash, I was referring to maybe a function that would allow me to not put the password to my database in a plain text file. Maybe just store the hash. Run an MD5 over it or something and just store that? I really don't know. I do know that if you browse a mysql database you can't see the passwords, you only see the hashes; I was wondering if something similar could happen in a .php file.

Re: Noob ?s: plain text pass and other security principles

Post by social_experiment »

Yes, there is something like that: hash(). It would be used as follows: hash($algorithm, $data)
Zyxist
Forum Contributor
Posts: 104
Joined: Sun Jan 14, 2007 10:44 am
Location: Cracow, Poland

Re: Noob ?s: plain text pass and other security principles

Post by Zyxist »

Actually, simple client-side hashing provides only false security. What's the difference between capturing the plain-text password and capturing the hashed version? If you want to use it to log in to the other person's account, you simply send this captured hash instead of the password in a fake login request, and the system won't notice the difference. Some unique per-request token is the absolute minimum, but it won't protect us in all cases either.

Simply use SSL - this is the technology designed for secure data transmission. I doubt that you can beat the professional cryptography scientists with home-made ideas.
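The replay argument in the post above, as an added example that is not part of the original thread. Two login "servers" are simulated in one PHP script (PHP 7.1 or later assumed) over in-memory user tables filled with constructed sample data; "captured" just means a value copied from the request an eavesdropper would see on a non-TLS connection. The first scheme compares a browser-computed hash and accepts a replay; the second takes the password over TLS and checks it with password_verify(), so the stored value is useless as a login token.

```php
<?php
// Added example, not code from the thread. Everything is simulated inside one
// script: the two "servers" are functions over in-memory user tables filled with
// constructed sample data, and "captured" means a value copied from the request
// an eavesdropper would see. Requires PHP 7.1+ (hash_equals, password_*, void).

declare(strict_types=1);

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected result: $what");
    }
}

// --- Scheme 1: browser hashes the password, server compares the hash ---------
// The server stores exactly the value the browser sends, so a captured request
// can be resent verbatim. For this server, the hash *is* the password.
$clientHashUsers = ['alice' => hash('sha256', 'correct horse')]; // set at signup

function clientSideHashLogin(array $users, string $user, string $sentHash): bool
{
    // hash_equals avoids a timing side channel, but timing is not the problem here.
    return isset($users[$user]) && hash_equals($users[$user], $sentHash);
}

$captured = hash('sha256', 'correct horse');  // what the JavaScript put on the wire
check(clientSideHashLogin($clientHashUsers, 'alice', $captured), 'real login');
// The eavesdropper never learns "correct horse" and does not need to:
check(clientSideHashLogin($clientHashUsers, 'alice', $captured), 'replayed login');

// --- Scheme 2: plaintext over TLS, server stores a salted, slow hash -----------
// Confidentiality on the wire comes from TLS. The hash has a different job: if
// the users table leaks, each entry is salted and expensive to brute-force, and
// the stored value is not something a client can present to log in.
$serverHashUsers = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

function serverSideHashLogin(array $users, string $user, string $password): bool
{
    // password_verify reads the salt and cost out of the stored string and
    // compares in constant time.
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

check(serverSideHashLogin($serverHashUsers, 'alice', 'correct horse'), 'real login');
// Presenting the leaked stored hash as the password does not work:
check(!serverSideHashLogin($serverHashUsers, 'alice', $serverHashUsers['alice']),
      'stored hash used as password');
// Two signups with the same password get different stored values (random salt),
// so a leaked table does not even reveal who shares a password:
check(password_hash('correct horse', PASSWORD_DEFAULT) !== $serverHashUsers['alice'],
      'per-user salt');

echo "all checks passed\n";
```

Run it with `php replay-demo.php`. Note what scheme 2 does not do: on a non-TLS connection the eavesdropper still captures the plaintext, so the server-side hash protects against a database leak, not against interception; that is why TLS is the non-optional part of the answer.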

Re: Noob ?s: plain text pass and other security principles

Post by djsh823 »

I don't think you understand. I am not worried about the capture (I agree SSL would be a must) so much as having my password in plain text and having someone view the file by simple web access (though this point may be moot with the above no-viewing-of-php-source discussion). How is it different? Simple. With plain text, the intruder has my password, and can try it on other websites, banks, etc. You can't input a password hash into a B of A login page.

Re: Noob ?s: plain text pass and other security principles

Post by social_experiment »

Zyxist wrote: Actually, simple client-side hashing provides only false security.
@djsh823: I think the poster is referring to a hash using javascript, in your form, in case someone can view your source (still don't know if that's possible).

Re: Noob ?s: plain text pass and other security principles

Post by djsh823 »

Yes. I'm not so concerned about that. I'm worried about this:

http://www.google.com/search?sourceid=c ... 9ac13308b3

If it wasn't a problem, it probably wouldn't be talked about as much.

Re: Noob ?s: plain text pass and other security principles

Post by social_experiment »

OK, I understand what you have in mind.
Read this URL if you haven't already:
http://stackoverflow.com/questions/5686 ... p-constant

Honestly, I haven't thought about it because I (mistakenly) always assume my hosting provider will be on top of this (keeping the server 'healthy'). Error on my part.
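The point the thread ends on (where a PHP application should keep its database credentials when a misconfigured server might serve .php files as text), as an added example that is not part of the original thread or the linked StackOverflow answer. The database server has to be given the real password, so the file holding it is kept outside the document root and the script refuses to start if that file is web-reachable or world-readable. The directory layout, the db.ini contents, the `users` table with a `password_hash` column and the Apache stanza in the comments are all hypothetical; PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) layout:
//
//   /var/www/example.com/public/           <- Apache DocumentRoot: the only web-reachable dir
//   /var/www/example.com/public/login.php  <- this file, the form's POST target
//   /var/www/example.com/config/db.ini     <- credentials, outside the DocumentRoot
//
// Constructed contents of config/db.ini (owned root:www-data, mode 0640):
//
//   [database]
//   host = localhost
//   name = appdb
//   user = app_rw
//   pass = change-me-placeholder
//
// If the server is misconfigured and starts serving .php files as plain text,
// a browser can still only reach files under public/, so db.ini is not exposed.
// The same idea can be enforced in Apache 2.4 as a second layer, e.g.
//   <Directory /var/www/example.com/config>  Require all denied  </Directory>
// (hypothetical stanza; adapt it to your httpd.conf). Requires PHP 7+.

declare(strict_types=1);

function loadDbConfig(): array
{
    // __DIR__ is public/; resolve "../config/db.ini" to an absolute path so the
    // document-root check below compares real paths rather than "..".
    $path    = realpath(__DIR__ . '/../config/db.ini');
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;

    if ($path === false) {
        throw new RuntimeException('database config file not found');
    }
    // Refuse to run if someone later moves the file under the web root.
    if ($docRoot !== false && strpos($path, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('database config must not live under the document root');
    }
    // Refuse world-readable credentials (Unix permission bits). fileperms() is
    // false on failure, in which case the check is skipped rather than guessed.
    $perms = fileperms($path);
    if ($perms !== false && ($perms & 0004) !== 0) {
        throw new RuntimeException('database config is world-readable: chmod 640 it');
    }

    $cfg = parse_ini_file($path, true, INI_SCANNER_TYPED);
    if ($cfg === false || !isset($cfg['database'])) {
        throw new RuntimeException('database config is malformed');
    }
    return $cfg['database'];
}

function connectDb(): PDO
{
    $db  = loadDbConfig();
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $db['host'], $db['name']);
    return new PDO($dsn, $db['user'], $db['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Handle the POSTed login form. The user's password goes into a prepared
// statement lookup and a password_verify() check (the hypothetical users table
// stores password_hash() output); the database credentials never appear in any
// file the web server can serve.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo  = connectDb();
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$_POST['username'] ?? '']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok  = $row !== false && password_verify($_POST['password'] ?? '', $row['password_hash']);
    echo $ok ? 'login ok' : 'login failed';
}
```

A quick check after deploying: request `https://example.com/../config/db.ini` and `https://example.com/config/db.ini` in a browser and confirm both return 404 or 403, then `ls -l config/db.ini` on the server to confirm the mode is 0640 and the group is the one the web server runs as.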