Posted by Rory Walsh on 03/06/05 15:41
Cheers, I'll give your suggestions a go.
Jochem Maas wrote:
> YaronKh@clalit.org.il wrote:
>
>> Hi Rory
>> You can use crypt to encode a password, let's say you want the
>> password to be "my password", create a new php file :
>> echo crypt("my password");
>>
>> then you get a unique encoded string something like
>> 'ABC12Fdfi654sdfkfpr67UPL'
>> copy it and delete the php file
>>
>> in your password validation file write :
>> $enc_pass = 'ABC12Fdfi654sdfkfpr67UPL';
>>
>> if (@crypt($_POST['pass'], $enc_pass) == $enc_pass) {
>>     /* password is o.k. */
>> }
>>
>
> I use the same technique to provide a 'superuser' login to intranets/cms -
> a login which nobody can change/break (+ it works even if lots of stuff
> is broken because it only relies on a hardcoded string).
>
> personally I use sha1() iso of crypt() - no idea which is better.
>
> that said you still don't want this file or this string to get into the
> hands of evilhaxors - best to keep this file (one with the encrypted pwd
> in it) outside of the docroot.
>
>>
>>
>> Now even if someone will see the php script he won't know your password
>>
>>
>> Hope I've helped
>> yaron
>>
>> -----Original Message-----
>> From: rory walsh [mailto:rorywalsh@ear.ie]
>> Sent: Sunday, March 06, 2005 1:35 PM
>> To: php-general@lists.php.net
>> Subject: [PHP] Passwords?
>>
>> I want to create a simple as possible password script, how secure is
>> it to have the password actually appear in the script? I only need one
>> password so I thought that this would be more straightforward than
>> having a file which contains the password. I am not using any
>> database. Actually this leads me to another question, is there any way
>> people can view your script without having access to your server that
>> is? Cheers,
>> Rory.
>>
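
The hardcoded-hash check discussed in this thread, as an added example that is not part of the original messages: it uses PHP's `password_hash()`/`password_verify()` (which also verify `crypt()` hashes) and loads the hash from a separate file, as suggested for keeping it outside the docroot. The function names, the temp-file path and the demo inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// One-off step, run once from the CLI: produce the string to hardcode.
// password_hash() salts every hash and is deliberately slow to brute-force.
function make_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// The stored file holds only a PHP "return '<hash>';" statement, so it prints
// nothing even if a misconfigured server ends up executing it directly.
function store_hash(string $path, string $hash): void
{
    file_put_contents($path, '<?php return ' . var_export($hash, true) . ';');
}

function load_hash(string $path): string
{
    $hash = require $path;
    if (!is_string($hash) || $hash === '') {
        throw new RuntimeException('password hash file is missing or malformed');
    }
    return $hash;
}

// $submitted would be $_POST['pass'] ?? null in the validation script.
function check_login($submitted, string $hash): bool
{
    // A missing field or an array (pass[]=x) is rejected up front instead of
    // being hidden with @.
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    // Timing-safe, unlike comparing two hash strings with ==.
    return password_verify($submitted, $hash);
}

// Demo with constructed values; a temp file stands in for a path outside the docroot.
$path = tempnam(sys_get_temp_dir(), 'pw');
store_hash($path, make_hash('my password'));
$hash = load_hash($path);
var_dump(check_login('my password', $hash));
var_dump(check_login('wrong guess', $hash));
var_dump(check_login(['x'], $hash));
unlink($path);
```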