On Sun, 30 Jan 2005 18:49:41 -0800 (PST), "Richard Lynch" wrote:

> Raymond Still wrote:
> > Hello;
> > I'm trying to figure out the best (most secure and most
> > user friendly, security of primary importance) way to
> > let a user log-in.
> > I am setting up a web application (database
> > application) that will be for private use only and I
> > want to keep it secure.
> > As I understand it, using the Apache htaccess method is
> > secure as there is essentially no communication without
> > a username and password, but it does lack a little in
> > flexibility and presentation.
> > On the other hand, PHP certainly has the edge on
> > flexibility and presentation, but I have questions
> > regarding its security. If you look at the threads
> > regarding connecting to databases, you often see a
> > warning to the effect of: store your connection
> > password etc, outside of the document path in case PHP
> > fails and your file is displayed unprocessed.
> > So my question is, how can you count on PHP to log
> > somebody in, and prevent access to files when PHP may
> > fail, or the user could just go into the directory
> > structure and bypass security.
>
> You've smushed about 5 different security issues into one giant ball of
> snarled yarn.
>
> Your question is roughly allegorical to:
> How can you call a deadbolt secure when the home-owner could just leave
> their ADT off and the back window unlocked?
>
> Now, for starters:
> HTTP Authentication is not particularly secure over a non-SSL connection
> as the password is transmitted in plain-text.
>
> In fact, for *ANYTHING* where security matters for logging in and out, use
> SSL.
>
> After that, there's no real "win" to HTTP authentication except for that
> cool/annoying popup window.
>
> You've got a long way to go before you properly understand all the
> security issues you've jumbled together -- Took me forever, too. :-)
>
> --
> Like Music?
> http://l-i-e.com/artists.htm

Hello;

You're absolutely right and I freely admit it. I know just slightly more than zero about internet security. :)

Can anyone recommend some good resources so that I can learn? I'm not looking for "use this function" or "that program", but something that will help me to actually understand.

TIA
Ray

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php