On Sun, 06 Mar 2005 11:34:39 +0000, rory walsh <rorywalsh@xxxxxx> wrote: > I want to create a simple as possible password script, how secure is it > to have the password actually appear in the script? I only need one > password so I thought that this would be more straightforward than > having a file which contains the password. I am not using any database. > Actually this leads me to another question, is there anyway people can > view your script without having access to your server that is? Cheers, > Rory. > If the password is stored in between the <? and ?> tags, then it shouldn't get sent to the browser unless you specifically send it there. However, there are sometimes security problems in web servers, which would mean that attackers were able to see the source of your script, and therefore the password. For example: files called .php might get processed properly, but if the attacker requests filename.PHP, it might just send him the file in plain text. Best thing is to use 'include' or 'require' to get the password from another file which doesn't sit on a part of the filesystem that's accessible over the web. Or, you could password-protect the script you're including with .htpasswd / .htaccess protection. -- AdamT "Justify my text? I'm sorry, but it has no excuse." -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
