Cheers, I'll give your suggestions a go.
Jochem Maas wrote:
YaronKh@xxxxxxxxxxxxx wrote:
Hi Rory
You can use crypt to encode a password, let's say you want the password to be "my password", create a new php file:
echo crypt("my password");
then you get a unique encoded string something like 'ABC12Fdfi654sdfkfpr67UPL'
copy it and delete the php file
in your password validation file write:
$enc_pass = 'ABC12Fdfi654sdfkfpr67UPL';
// strict comparison, so two numeric-looking strings are never compared as numbers
if (@crypt($_POST['pass'], $enc_pass) === $enc_pass) { /* password is o.k. */ }
I use the same technique to provide a 'superuser' login to intranets/cms -
a login which nobody can change/break (+ it works even if lots of stuff is broken because it
only relies on a hardcoded string).
personally I use sha1() iso of crypt() - no idea which is better.
that said you still don't want this file or this string to get into the hands of evilhaxors
- best to keep this file (one with the encrypted pwd in it) outside of the docroot.
Now even if someone sees the php script he won't know your password
Hope I've helped
yaron
-----Original Message-----
From: rory walsh [mailto:rorywalsh@xxxxxx]
Sent: Sunday, March 06, 2005 1:35 PM
To: php-general@xxxxxxxxxxxxx
Subject: Passwords?
I want to create a simple as possible password script, how secure is it to have the password actually appear in the script? I only need one password so I thought that this would be more straightforward than having a file which contains the password. I am not using any database. Actually this leads me to another question, is there any way people can view your script without having access to your server that is?
Cheers,
Rory.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
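
An added example, not code from any poster in this thread: the single hard-coded-hash check discussed above, with the hash read from a file kept outside the docroot and verified with password_hash()/password_verify(), which are crypt()-compatible and compare in constant time. It assumes PHP 7.1 or later; the function names, the temp file standing in for the hash file, and the sample password are hypothetical.

```php
<?php
// Added example; names, paths and the sample password are hypothetical.

// One-off step (run from the CLI, then discard): produce the hash to store.
function make_hash(string $password): string
{
    // PASSWORD_DEFAULT selects a salted, deliberately slow algorithm.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Load the stored hash from a file kept outside the docroot.
function load_hash(string $path): ?string
{
    if (!is_readable($path)) {
        return null;
    }
    $hash = trim((string) file_get_contents($path));
    // Reject an empty or malformed file instead of comparing against garbage.
    return password_get_info($hash)['algoName'] !== 'unknown' ? $hash : null;
}

// Check a submitted password against the stored hash.
function check_login($submitted, ?string $hash): bool
{
    // Fail closed: no usable hash, or a non-string field (pass[]=x), means no login.
    if ($hash === null || !is_string($submitted)) {
        return false;
    }
    return password_verify($submitted, $hash); // constant-time comparison
}

// Demonstration with constructed data: a temp file stands in for the hash file.
$path = tempnam(sys_get_temp_dir(), 'pwhash');
file_put_contents($path, make_hash('my password') . "\n");
chmod($path, 0600);

$hash = load_hash($path);
var_dump(check_login('my password', $hash));  // correct password
var_dump(check_login('wrong', $hash));        // wrong password
var_dump(check_login(['x'], $hash));          // array-valued form field
var_dump(check_login('my password', load_hash('/nonexistent'))); // missing hash file
unlink($path);
```

In a login script the first argument would be `$_POST['pass'] ?? null` and the path would point to a file above the web root.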