Thread: [php] Password

  1. #1

    [php] Password

    Is this password form secure? If not, what do I need to check for?
    PHP Code:
    <?php
    function secCode()
    {
        include_once("constants.php"); // assumed to define $WARN and the success constant used below

        // obtain the password the user has entered (empty string when nothing was posted yet)
        $password = isset($_POST['password']) ? $_POST['password'] : '';
        $wrongPW  = '';

        // warn for incorrect password
        if(($password != "321498762") && (strlen($password) > 0))
            $wrongPW = "<br /><font color=\"$WARN\">Wrong password.</font>";

        // ask for password
        if($password != "321498762")
        {
            echo("
                <form name=\"form\" method=\"post\" action=\"index.php?sec=admin\">
                    <p>
                        Password:
                        <input name=\"password\" value=\"$password\" type=\"password\" size=\"15\" maxlength=\"15\" />
                        <input type=\"submit\" name=\"Submit\" value=\"Submit\" />
                    </p>
                    $wrongPW
                </form>
            ");
        }
        // correct password has been entered
        else
        {
            echo(success);
        }
    }
    ?>

  2. #2
    man, that's ugly. you should really try using concatenation with single quotes instead of double quotes. it prevents you from needing all those escape characters and is faster as well.

    anyway, why are you storing your password in the file? you should store it externally in a non-public location (preferably a mysql db). also, you shouldn't store the password itself but the md5 hash value of the password. then compare md5($_POST['password']) to the md5 of your password.

    also, you should be checking for positive matches to verify authentication. not the other way around.

  3. #3
    By single quotes, do you mean this?
    PHP Code:
    echo("<table width='5' height='6'></table>"); 
    I don't understand your "other way around" logic. Isn't !TRUE == FALSE and !FALSE == TRUE? So what's the dealio, yo?
    Last edited by NeoDreamer; January 30th, 2007 at 03:35 PM.

  4. #4
    by single quotes, i mean this:
    PHP Code:
    // fast, clean
    echo 'here is my image: <img src="'.$imgURL.'" />';
    echo 'more text';

    // slow and ugly
    echo "here is my image: <img src=\"$imgURL\" />";
    i actually wrote about it in this blog post.

    anyway, i think the way you have the logic coded just makes it confusing. i think it's better to say, "does this password match? if no, then login failed." rather than, "does this password not match? if no, then login successful."

  5. #5

    meh

    Meh,
    I think it's crap.

    First of all, functions are to put something in, and also to not output in the function;
    rather, return a var or array or a boolean.

    so better would be:

    Code:
    function LoginForm()
    {
        $form = '';
        $form = '<form ...etc';

        return $form;
    }

    function LoginCheck($_PostArray)
    {
        return ($_PostArray['value'] == "password") ? true : false;

        /*
        // or more adv
        $errors = array();
        if ($_PostArray['value'] != "password")
        {
            $errors[] = "password dont match";
        }
        // add more

        if (isset($errors) && count($errors) > 0)
        {
            return $errors;
        } else {
            return true;
        }
        */
    }

    if ($_SERVER['REQUEST_METHOD'] == 'POST')
    {
        if (LoginCheck($_POST) === TRUE)
        {
            // valid
        } else {
            // not valid
        }
    } else {
        // show form
        echo LoginForm();
    }
    Last edited by kenisfam; January 30th, 2007 at 04:23 PM.
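    The following is an added example, not code posted in this thread, that puts the advice from posts #2 and #5 together in one script: the secret is kept as a hash outside the PHP source, the check is a positive match that returns a boolean, and the form is built as a string with single quotes and concatenation. It uses PHP's password_hash/password_verify (PHP 5.5 or later) where post #2 suggested md5, and a hash file outside the document root where post #2 suggested a database; the path /var/app/secrets/admin_hash.txt, the constant ADMIN_HASH_FILE and the function names are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.5 for password_hash/password_verify.
// ADMIN_HASH_FILE is an illustrative path; it must not be inside the web server's document root.
define('ADMIN_HASH_FILE', '/var/app/secrets/admin_hash.txt');

// One-off setup (run once, by hand):
//   php -r 'echo password_hash("the real password", PASSWORD_DEFAULT), PHP_EOL;'
// and store the printed hash in ADMIN_HASH_FILE. The plaintext never appears in any .php file,
// so a source disclosure of this script reveals only a salted hash.

// Reads the stored hash; null when the file is missing or unreadable.
function loadAdminHash()
{
    $hash = @file_get_contents(ADMIN_HASH_FILE);
    return ($hash === false) ? null : trim($hash);
}

// Positive match only: returns TRUE when the submitted password verifies against the hash,
// FALSE for every other case (missing field, empty password, no hash available).
function loginCheck(array $post)
{
    if (!isset($post['password']) || !is_string($post['password']) || $post['password'] === '') {
        return false;
    }
    $hash = loadAdminHash();
    if ($hash === null) {
        return false;
    }
    // password_verify does the comparison in constant time.
    return password_verify($post['password'], $hash);
}

// Builds the form and returns it as a string (single quotes, concatenation).
// The submitted password is deliberately not placed back into the value attribute.
function loginForm($showError = false)
{
    $form  = '<form name="form" method="post" action="index.php?sec=admin">';
    $form .= '<p>Password: <input name="password" type="password" size="15" maxlength="15" /> ';
    $form .= '<input type="submit" name="Submit" value="Submit" /></p>';
    if ($showError) {
        $form .= '<p>Wrong password.</p>';
    }
    $form .= '</form>';
    return $form;
}

// Controller: output happens here, not inside the helper functions.
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (loginCheck($_POST) === true) {
        echo 'success';
    } else {
        echo loginForm(true);
    }
} else {
    echo loginForm();
}
```

    Because loginCheck() only ever answers "does this password match?", a failure anywhere in the chain (file missing, field absent) falls through to the login form rather than to the success branch, which is the point post #4 makes about phrasing the condition positively.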

  7. #7
    So is there any way for them to obtain the password if I keep it inside the PHP file?

  8. #8
    sure. for instance if you have an upload form somewhere else and don't protect against .php file uploads. so someone uploads a php file (which has code to display the PHP code from your password page), goes to that address, and like magic there's your code in full view with password and all.
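    As an added example (not code from this thread), here is the kind of upload handler that closes the gap post #8 describes: the file is accepted only if its extension is on an allowlist and its bytes really are an image, it is stored under a server-generated name in a directory outside the document root, and the client's file name never reaches the disk. The directory /var/app/uploads, the form field name "upfile" and the function names are assumptions for the example; it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example, not from the thread. UPLOAD_DIR is illustrative; it must be outside the
// document root (or at least configured so the web server never executes scripts from it).
define('UPLOAD_DIR', '/var/app/uploads');

// Returns the extension to store the file under when it is acceptable, or null otherwise.
function acceptedExtension($tmpPath, $clientName)
{
    // Allowlist: extension => image type that getimagesize() must report for the bytes.
    $allowed = array('jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                     'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF);

    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                      // anything not on the allowlist is rejected outright
    }
    $info = @getimagesize($tmpPath);      // check the content, not the client-supplied name
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return null;                      // extension says image, bytes say otherwise
    }
    return $ext;
}

// Moves one entry of $_FILES into UPLOAD_DIR; returns the stored name, or null if rejected.
function handleUpload(array $file)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;                      // only files PHP itself received via POST
    }
    $ext = acceptedExtension($file['tmp_name'], $file['name']);
    if ($ext === null) {
        return null;
    }
    // Server-chosen name: the original file name (and any extra extensions in it) is discarded.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $stored;
}

if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upfile'])) {
    $stored = handleUpload($_FILES['upfile']);
    if ($stored === null) {
        echo 'Upload rejected.';
    } else {
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    }
}
```

    The two checks are deliberately independent: the allowlist stops a .php file by name, the getimagesize() check stops a script renamed to .jpg by content, and keeping the directory outside the document root means that even a file that slipped through both could not be requested as a URL and run.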
