Posted by Jochem Maas on 03/06/05 15:23

YaronKh@clalit.org.il wrote:
> Hi Rory
> You can use crypt to encode a password, let say you want the password to be "my password", create a new php file :
> echo crypt("my password");
>
> then you get a unique encoded string something like 'ABC12Fdfi654sdfkfpr67UPL'
> copy it and delete the php file
>
>
> in your password validation file write :
>
> $enc_pass = 'ABC12Fdfi654sdfkfpr67UPL';
>
> if (@crypt($_POST['pass'], $enc_pass) == $enc_pass)
> /* password is o.k. */
>

I use the same technique to provide a 'superuser' login to intranets/cms -
a login which nobody can change/break (+ it works even if lots of stuff is broken because it
only relies on a hardcoded string).

personally I use sha1() iso of crypt() - no idea which is better.

that said you still don't want this file or this string to get into the hands of evilhaxors
- best to keep this file (one with the encrypted pwd in it) outside of the docroot.

>
>
> Now even if someone will see the php script he won't knew your password
>
>
> Hope I've helped
> yaron
>
> -----Original Message-----
> From: rory walsh [mailto:rorywalsh@ear.ie]
> Sent: Sunday, March 06, 2005 1:35 PM
> To: php-general@lists.php.net
> Subject: [PHP] Passwords?
>
> I want to create a simple as possible password script, how secure is it
> to have the password actually appear in the script? I only need one
> password so I thought that this would be more straightforward than
> having a file which contains the password. I am not using any database.
> Actually this leads me to another question, is there anyway people can
> view your script without having access to your server that is? Cheers,
> Rory.
>

[Back to original message]