Re: Passwords?

Chris W. Parker wrote:
Jochem Maas <jochem@xxxxxxxxxxxxx> on Sunday, March 06, 2005 5:24 AM said:


that said you still don't want this file or this string to get into
the hands of evilhaxors - best to keep this file (one with the
encrypted pwd in it) outside of the docroot.


Why encode it at all then?

If someone is smart/crafty enough to actually hack the server and gain
access to the file which contains the password, the password you're trying
to protect is the least of your problems.

a, make it as hard as possible. do everything you can to make the hack harder.
b, a webmaster may have perms to admin the server but maybe should not have access to the 'app' via its interface as a 'super user'
c, it allows you to send a hash of the password over the wire (rather than not encrypting or encrypting the password on the server) and check that.
d, it sets the bar just high enough (for my clients at least) that nobody will attempt to try and change the passwd. if it was plaintext then you could just replace it, if it's a hash then you have to generate a hash in order to replace the 'super user' pwd.

but yes, if someone 'owns' your box then you have bigger problems :-)




Chris.


-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
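A worked version of the "hash in a file outside the docroot" arrangement discussed above (points a, b and d), added here as an illustration and not part of the original thread. It assumes a hypothetical path /etc/myapp/admin.hash and PHP 7.1 or later for password_hash()/password_verify() and the type declarations.

```php
<?php
// Added illustration, not code from the thread. The hash file path is
// hypothetical; the point is that it lives outside the web root, so a
// misconfigured web server cannot serve it, and it holds a hash, not the
// plaintext super-user password.
const ADMIN_HASH_FILE = '/etc/myapp/admin.hash'; // hypothetical, outside docroot

// Read the stored hash. Returns null if the file is missing or unreadable,
// so a deployment mistake fails closed rather than accepting anything.
function loadAdminHash(string $path = ADMIN_HASH_FILE): ?string
{
    $hash = @file_get_contents($path);
    return $hash === false ? null : trim($hash);
}

// Check a submitted super-user password against the stored hash.
// password_verify() does the comparison in constant time.
function checkAdminPassword(string $submitted, string $path = ADMIN_HASH_FILE): bool
{
    $hash = loadAdminHash($path);
    return $hash !== null && password_verify($submitted, $hash);
}

// Rotating the password means producing a fresh hash and writing it back;
// there is no plaintext to "just replace" (point d). The file is written
// with mode 0600 so only the application user can read it (point b: an
// admin with other privileges still does not get the password itself).
function setAdminPassword(string $newPassword, string $path = ADMIN_HASH_FILE): bool
{
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    if ($hash === false) {
        return false;
    }
    $written = file_put_contents($path, $hash . PHP_EOL, LOCK_EX) !== false;
    return $written && chmod($path, 0600);
}

// Example round trip with a constructed password (not a real credential):
// setAdminPassword('constructed-example-pw');
// var_dump(checkAdminPassword('constructed-example-pw')); // bool(true)
// var_dump(checkAdminPassword('wrong'));                  // bool(false)
```

Point c from the thread, sending a hash over the wire instead of the password, does not remove the need for TLS: whatever value the server accepts as proof becomes the credential an eavesdropper would capture, so the transport still has to be encrypted.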

