Reply to Re: Protecting Passwords -- Encryption needed?

Posted by NC on 10/11/05 05:26

Robizzle wrote:
>
> I write a simple php script where I can post news to my website. There
> is an html page (makenews.html) that has forms for username (in this
> example it is 'admin'), password (in this example it is 'admin'),
> subject line and message body. Once I fill out the information and
> click submit, the html page sends the info to makenews.php. This
> script starts out with:
>
> <?php
> if ($_POST["username"] == "admin" && $_POST["password"] == "admin"){
> //do all of the news posting stuff here
> }
> else
> //some warning/error message is echoed
> ?>
>
> So my question: This php script is going to be containing my unique
> username and password once I decide if it is safe or not. Is it?

There are really two independent questions here:

1. Can the user name and password hard-coded into a PHP script be
read by other users of your server (including administrators)?

The answer: ON A PROPERLY CONFIGURED SERVER, no. But you
cannot be sure of the proper configuration on a Web hosting
company's server. Hence, a simple recommendation:

if ($_POST["username"] == 'admin' and
    md5($_POST["password"]) == '21232f297a57a5a743894a0e4a801fc3') {
    //do all of the news posting stuff here
} else {
    //some warning/error message is echoed
}

The string 21232f297a57a5a743894a0e4a801fc3, as you can guess,
is the MD5 hash of the word "admin". So even if the Web hosting
company's administrators can take a peek at your files, all they
would see is a hash of the password, not the actual password.

2. Can the data I put into a form (including user name and password)
be intercepted in transit?

Theoretically, yes. How often it actually occurs is anyone's
guess. The protection here is to transmit data over secure
HTTP (https://), but that requires availability of SSL on the
server. In practice, this is often believed to be redundant
for simple content management applications; the cost of
security measures seems to exceed probable losses from absence
of security...

Cheers,
NC
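
The same check with PHP's built-in password_hash() and password_verify(), as an added example that is not part of NC's post: an unsalted MD5 of a given password is the same string everywhere, while password_hash() salts each hash. The sample credentials and the check_login() helper are constructed for illustration, and PHP 7.0 or later is assumed.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 7.0.

// Unsalted MD5 is deterministic: the same password gives the same hash on
// every site, so it can be matched against precomputed tables of common words.
$md5Fixed = (md5('admin') === '21232f297a57a5a743894a0e4a801fc3');

// password_hash() picks a random salt, so two hashes of one password differ.
$saltedDiffer = (password_hash('admin', PASSWORD_DEFAULT)
             !== password_hash('admin', PASSWORD_DEFAULT));

// Assumption: in a real script this hash is generated once, offline, and
// pasted in as a literal; it is computed here only to keep the demo runnable.
$storedUser = 'admin';
$storedHash = password_hash('admin', PASSWORD_DEFAULT);

// check_login() is a hypothetical helper name, not from the post.
function check_login(array $post, string $user, string $hash): bool
{
    $u = $post['username'] ?? '';
    $p = $post['password'] ?? '';
    // Form fields can arrive as arrays (password[]=x); accept strings only.
    if (!is_string($u) || !is_string($p)) {
        return false;
    }
    // Verify the password even when the user name is wrong, so the response
    // time does not reveal which of the two fields failed.
    $userOk = hash_equals($user, $u);
    $passOk = password_verify($p, $hash);
    return $userOk && $passOk;
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    'correct login'           => ['username' => 'admin', 'password' => 'admin'],
    'wrong password'          => ['username' => 'admin', 'password' => 'Admin'],
    'array instead of string' => ['username' => 'admin', 'password' => ['admin']],
    'missing fields'          => [],
];

var_dump($md5Fixed, $saltedDiffer);
foreach ($samples as $label => $post) {
    printf("%-24s %s\n", $label,
        check_login($post, $storedUser, $storedHash) ? 'accepted' : 'rejected');
}
```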
