
Protecting Passwords -- Encryption needed?

I write a simple php script where I can post news to my website. There
is an html page (makenews.html) that has forms for username (in this
example it is 'admin'), password (in this example it is 'admin'),
subject line and message body. Once I fill out the information and
click submit, the html page sends the info to makenews.php. This
script starts out with:

<?php
if ($_POST["username"] == "admin" && $_POST["password"] == "admin"){
//do all of the news posting stuff here
}
else
//some warning/error message is echoed
?>

So my question: This php script is going to be containing my unique
username and password once I decide if it is safe or not. Is it? I
put it up for a minute and tried to download the actual php file but
every time I just got a file containing my error message echo. But I
still don't feel very safe having my password in plain text like that.
What should I do about this?

And if you guys don't mind I have another simple question that I don't
feel deserves its own topic. In relation to this...
I have the following code in makenews.html
Enter Body:<br><textarea name="body" cols=30 rows=10></textarea>
Which works fine except that any new lines that are entered in this
text area are omitted in $_POST["body"]. If I physically type a <p> or
<br> tag into the textarea it gets properly interpreted but I know
there has to be another way. For example as I'm typing right now, I
could hit enter a few times and it will be recorded and transferred
into my topic. What are the escape characters for a new line in a php
string and what can I do about this?

Thanks in advance for all the help -- you guys (and gals) are great
Cheers,
-Rob

Oct 11 '05 #1
I forgot to mention that I have searched far and wide for solutions to
both problems. I'm asking you all as a last resort -- if you have any
links with further info please do share. I'm more than happy to learn
about it on my own but I simply couldn't find a possible solution. Any
password/encryption stuff I searched for seemed to want to talk about
mySQL which I have no idea what is (some sort of database?) -- or if I
would even want to get involved in another huge task.

Cheers,
Rob

Oct 11 '05 #2
NC
Robizzle wrote:

I write a simple php script where I can post news to my website. There
is an html page (makenews.html) that has forms for username (in this
example it is 'admin'), password (in this example it is 'admin'),
subject line and message body. Once I fill out the information and
click submit, the html page sends the info to makenews.php. This
script starts out with:

<?php
if ($_POST["username"] == "admin" && $_POST["password"] == "admin"){
//do all of the news posting stuff here
}
else
//some warning/error message is echoed
?>

So my question: This php script is going to be containing my unique
username and password once I decide if it is safe or not. Is it?


There are really two independent questions here:

1. Can the user name and password hard-coded into a PHP script be
read by other users of your server (including administrators)?

The answer: ON A PROPERLY CONFIGURED SERVER, no. But you
cannot be sure of the proper configuration on a Web hosting
company's server. Hence, a simple recommendation:

if ($_POST["username"] == 'admin' and
md5($_POST["password"]) == '21232f297a57a5a743894a0e4a801fc3'){
//do all of the news posting stuff here
} else {
//some warning/error message is echoed
}

The string 21232f297a57a5a743894a0e4a801fc3, as you can guess,
is the MD5 hash of the word "admin". So even if the Web hosting
company's administrators can take a peek at your files, all they
would see is a hash of the password, not the actual password.

2. Can the data I put into a form (including user name and password)
be intercepted in transit?

Theoretically, yes. How often it actually occurs is anyone's
guess. The protection here is to transmit data over secure
HTTP (https://), but that requires availability of SSL on the
server. In practice, this is often believed to be redundant
for simple content management applications; the cost of
security measures seems to exceed probable losses from absence
of security...

Cheers,
NC

Oct 11 '05 #3
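
An added example, not part of NC's post: the same hard-coded-credential check written with PHP's built-in `password_hash()` / `password_verify()`, next to the unsalted MD5 value from the post for comparison. The user name `rob`, the demo passphrase and the function name `check_login` are constructed for illustration.

```php
<?php
// Added example. User name and passphrase below are constructed for the demo.

// One-time setup, run from the command line; keep the output string in a
// config file outside the web root instead of the password itself:
//   php -r 'echo password_hash("your passphrase", PASSWORD_DEFAULT), PHP_EOL;'

function check_login(array $post, string $expectedUser, string $storedHash): bool
{
    // Treat missing or non-string fields (e.g. password[]=x) as empty.
    $user = is_string($post['username'] ?? null) ? $post['username'] : '';
    $pass = is_string($post['password'] ?? null) ? $post['password'] : '';

    // Run both checks before combining them, so a wrong user name and a
    // wrong password follow the same code path.
    $userOk = hash_equals($expectedUser, $user);    // constant-time compare
    $passOk = password_verify($pass, $storedHash);  // salted, deliberately slow
    return $userOk && $passOk;
}

// Unsalted MD5 is deterministic: the value in the post is md5('admin') on
// every machine, so a hash of a common word identifies the word.
var_dump(md5('admin') === '21232f297a57a5a743894a0e4a801fc3');

// password_hash() uses a fresh random salt on each call, so hashing the same
// passphrase twice gives two different strings.
$demoPass   = 'constructed demo passphrase';
$storedHash = password_hash($demoPass, PASSWORD_DEFAULT);
var_dump($storedHash === password_hash($demoPass, PASSWORD_DEFAULT));

// Simulated form submissions (constructed): the correct passphrase, a wrong
// one, and an array sent in place of a string.
var_dump(check_login(['username' => 'rob', 'password' => $demoPass], 'rob', $storedHash));
var_dump(check_login(['username' => 'rob', 'password' => 'admin'],   'rob', $storedHash));
var_dump(check_login(['username' => 'rob', 'password' => ['x']],     'rob', $storedHash));
```

Neither form of stored hash protects the password while it travels from the browser to the server; that is the second question in the post above and is what HTTPS addresses.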
Robizzle wrote:

<snip>
NC answered your first question well, so no reason for me to suggest the
same thing here.
And if you guys don't mind I have another simple question that I don't
feel deserves its own topic. In relation to this...
I have the following code in makenews.html
Enter Body:<br><textarea name="body" cols=30 rows=10></textarea>
Which works fine except that any new lines that are entered in this
text area are omitted in $_POST["body"]. If I physically type a <p> or
<br> tag into the textarea it gets properly interpreted but I know
there has to be another way. For example as I'm typing right now, I
could hit enter a few times and it will be recorded and transferred
into my topic. What are the escape characters for a new line in a php
string and what can I do about this?


For the text that is posted from the textarea, the newline characters
are submitted. Your problem is that you simply echo the result. The
thing to remember is that a textarea field acts just like plain text.
When it is rendered in the browser, the whitespace like new lines are
replaced with a single space. Try using nl2br($_POST['body']) which will
add <br /> tags with your newline characters for a (more) proper HTML
display.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Oct 11 '05 #4
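
An added example, not part of Justin's post: echoing the textarea body with `nl2br()` after escaping it with `htmlspecialchars()`, and the effect of applying the two in the wrong order. `$body` is a constructed stand-in for `$_POST['body']`, and the function names are hypothetical.

```php
<?php
// Added example. $body is a constructed stand-in for $_POST['body'].

function render_body(string $raw): string
{
    // 1. Escape first, so markup typed into the textarea is displayed as
    //    text instead of being interpreted by the browser.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // 2. Then insert <br /> before each newline (\r\n, \n or \r).
    return nl2br($safe);
}

function render_body_wrong_order(string $raw): string
{
    // Escaping after nl2br() also escapes the <br /> tags it just added,
    // so the browser shows them as literal text and the line breaks are lost.
    return htmlspecialchars(nl2br($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Browsers submit textarea newlines as \r\n.
$body = "First line\r\nSecond line with <b>markup</b>\r\n\r\nNew paragraph & more";

echo render_body($body), "\n\n";
echo render_body_wrong_order($body), "\n";
```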
