kmd 4
New Member
Hi
I made a simple script and I've made an admin panel. The login and password are in the config.php file. I'm using a form to log in. And my question is: is the security of this code high, low or medium? :)
In config.php I have something like this:
[PHP]$login = 'admin'; // Login to admin panel (change it)
$password = sha1(md5('test')); // Admin password (change it)[/PHP]
And in the other file (used to log in):
[PHP]if (($login == $_POST["login"]) && ($password == sha1(md5($_POST["password"])))) {
    $_SESSION['admin'] = 'true'; // mark this session as logged in
}[/PHP]
Is it safe or not? Firstly I had a non-hashed password in config.php and I could easily use include to read it.
Now of course I can use include and echo $password but I will only see the hashed password.
When you store the password in the config file, make sure you store it in a hashed format and not as you showed. Because your way, anyone who can reach config.php knows the password.
Another thing is to test the strength of a password. TEST is a very weak password and can be guessed easily.
Then, if you also store config.php outside the document root, you are moderately safe.
Ronald
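The hardened form of the config-file login described in this thread, written out as an added example (this is not kmd's or Ronald's code). It assumes PHP 7 or later, that config.php sits one directory above the web root, and that the bcrypt hash shown is a placeholder you replace with real password_hash() output. The two changes that matter: the stored value is a salted, slow bcrypt hash rather than sha1(md5()), and the comparison uses password_verify()/hash_equals() rather than PHP's loose ==, which can treat two hex strings that look like numbers as equal.

```php
<?php
// Added example, not from the thread: single-admin login backed by config.php.
// Assumes PHP >= 7 (password_hash, password_verify, hash_equals, ?? operator).
//
// --- config.php: keep it OUTSIDE the document root, e.g. /var/www/config.php
//     while the web root is /var/www/html ---
// Generate the hash once on the command line and paste the output in:
//   php -r 'echo password_hash("a long random passphrase", PASSWORD_DEFAULT), PHP_EOL;'
// Placeholder below; a real bcrypt hash is a 60-character string starting with $2y$.
//
//   <?php
//   $login        = 'admin';
//   $passwordHash = '$2y$10$PLACEHOLDER_REPLACE_WITH_password_hash_OUTPUT';
//
// --- login.php (inside the document root) ---

session_start();
require __DIR__ . '/../config.php';   // assumed path: one level above the web root

/**
 * Check the submitted credentials against the values from config.php.
 * Returns true only when both the username and the password match.
 */
function admin_login_ok(string $user, string $pass, string $expectedLogin, string $expectedHash): bool
{
    // Constant-time, strict string comparison instead of ==, so a username
    // is never compared as a number and timing does not leak how much matched.
    $userOk = hash_equals($expectedLogin, $user);

    // password_verify() reads the salt and cost embedded in the bcrypt hash and is
    // deliberately slow, unlike sha1(md5()), which is cheap to brute-force offline.
    $passOk = password_verify($pass, $expectedHash);

    // Both checks always run, so a bad username costs the same time as a bad password.
    return $userOk && $passOk;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['login'] ?? '';
    $pass = $_POST['password'] ?? '';

    if (admin_login_ok($user, $pass, $login, $passwordHash)) {
        session_regenerate_id(true);   // fresh session id once privileges change
        $_SESSION['admin'] = true;     // a real boolean, not the string 'true'
        header('Location: panel.php'); // assumed name of the admin page
        exit;
    }
    // One generic message: do not reveal which half of the credentials was wrong.
    $error = 'Invalid login or password.';
}
```

Pages that need the admin check then test `!empty($_SESSION['admin'])` after `session_start()`. Because the hash carries its own random salt, the same passphrase produces a different string each time password_hash() runs, which is why the hash is generated once and pasted into config.php rather than computed inline as `sha1(md5('test'))` was.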
Markus 6,050
Recognized Expert Expert
As I always say, using a database makes things so much easier!
Regards, markus.
kmd 4
New Member
Yes, you're right.
But I'm the only user, so in my opinion using a database makes everything more difficult. I have to create tables, then a file to register the user, and then I have to keep one user in one table in the database. It's like wasting database space :) And now I'm looking for some safe method to make an admin panel based on the config.php file. If I don't find any, I will add user registration to my script :)
Database or not, that is trivial (in this case). But you are most vulnerable by these 2 statements:
[php]$login = 'admin'; // Login to admin panel (change it)
$password = sha1(md5('test')); // Admin password (change it)[/php]
Here your userid and password are up for grabs (so to speak).
So hash/encode these values and store them in your config file as a hashed string.
Ronald
kmd 4
New Member
OK
Thanks very much. It's really useful. Now I know what I have to do to increase security.
But I have one more question.
Why in many popular scripts (blogs, CMSs) is the information for the database (like host, password, database name, and username) in config.php and not hashed?
Does it mean that they are not safe? Because if the login and password in my case are up for grabs, the data for the database connection is up for grabs also, isn't it?
Usually you are either protecting the config folder using .htaccess, or it is in a folder that is outside the document root.
Ronald
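The two protections Ronald names, written out as an added example (not from the thread). The database credentials cannot be hashed because PHP needs the real password to open the connection, so the defence is to keep config.php from ever being served as a file. Normally the PHP handler executes it and the source never leaves the server; the risk is a misconfiguration, a stray editor backup such as config.php~ or config.php.bak, or directory listing that exposes it as plain text. The .htaccess rules below assume Apache 2.4 (the 2.2 form is shown commented) and a config file named config.php in the same directory; the include path assumes the file was moved one level above the web root.

```apache
# Added example, not from the thread. Put this .htaccess in the directory
# that holds config.php (or the same block in the vhost config).
# Apache 2.4 syntax; AllowOverride must permit Limit/AuthConfig for .htaccess.

# Deny direct requests for config.php and any editor/backup copies of it.
<FilesMatch "^config\.php(~|\.bak|\.orig|\.swp)?$">
    Require all denied
</FilesMatch>

# Never show a directory index that could reveal the file names.
Options -Indexes

# Apache 2.2 equivalent of the deny rule:
# <FilesMatch "^config\.php(~|\.bak|\.orig|\.swp)?$">
#     Order allow,deny
#     Deny from all
# </FilesMatch>

# Stronger option: move config.php out of the web root entirely, e.g.
#   /var/www/config.php       (not reachable by URL)
#   /var/www/html/index.php   (web root)
# and load it from PHP with a path relative to the script:
#   require __DIR__ . '/../config.php';
# Then no web-server rule is needed, because there is no URL that maps to it.
```

Either way, PHP still reads the file from disk with its normal filesystem permissions, so the connection details are also only as safe as the account the web server runs under; restricting the file to that user (for example mode 0640, owned by the deploying user and the web server's group) closes the remaining local-read path.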