|
|
Posted by AdamT on 03/06/05 15:03
On Sun, 06 Mar 2005 11:34:39 +0000, rory walsh <rorywalsh@ear.ie> wrote:
> I want to create a simple as possible password script, how secure is it
> to have the password actually appear in the script? I only need one
> password so I thought that this would be more straightforward than
> having a file which contains the password. I am not using any database.
> Actually this leads me to another question, is there anyway people can
> view your script without having access to your server that is? Cheers,
> Rory.
>
If the password is stored in between the <? and ?> tags, then it
shouldn't get sent to the browser unless you specifically send it
there. However, there are sometimes security problems in web servers,
which would mean that attackers were able to see the source of your
script, and therefore the password. For example: files called .php
might get processed properly, but if the attacker requests
filename.PHP, it might just send him the file in plain text.
Best thing is to use 'include' or 'require' to get the password from
another file which doesn't sit on a part of the filesystem that's
accessible over the web. Or, you could password-protect the script
you're including with .htpasswd / .htaccess protection.
--
AdamT
"Justify my text? I'm sorry, but it has no excuse."
Navigation:
[Reply to this message]
|