text files vs db file

Anon

I know db file would be the way to go but for some weird reason my web server guys don't having database stuff. nothing.

But I'm creating a site that people will need to log into. instead of one big file, db would be alright for this, I thought I'd have a text file for every persons username and in it would be the password and all their preferences.

is this a good idea for not having a db or should I harass my web server guys.

So instead of a 1 MB text file that gets opened everytime someone logs in. I'd have 100 10KB files. So only a 10KB file would be opened per log in and visit.

Anon

As far as I can see, wouldn't this be REALLY insecure?
Just having the text files floating about.

A better method I would think would be cookies, or you can read the passwords from a mysql db, or if this is what your server doesn't like use the slightly less secure method of putting them in the PHP...

<?php
if ($username == "user") + ($pass == "pass") {$login = "1"};
elseif ($username == "user2") + ($pass == "pass2") {$login = "1"};
else {$login = "0"};

if ($login == "1") { whatever! };
elseif ($login == "0") { whatever! };

else die

<FORM ACTION="<?php echo($PHP_SELF); ?>" METHOD=POST>

<table border="0" cellspacing="0" cellborder="0">
<TR><TD">Admin Name</TD><TD><INPUT TYPE="text" NAME="user" SIZE="10" MAXLENGTH="10"></TD></TR>

<TR><TD bgcolor="ff05a47">Admin Password</TD><TD><INPUT TYPE="password" NAME="pass" SIZE="10" MAXLENGTH="10"></TD></TR>
</table>

Hope that helps somewhat.

Anon

Actually, I think Chris is on the right track (although I would really recommend finding a better Web hosting company). If you must store data in text files, separate files for each user will be significantly faster than a single file and, since an individual file can be locked for read/write, it will let you avoid problems when two users want to register or update their personal info simultaneously.

As for security: Ideally you should place the data files outside of DOCROOT, and you might want to store an md5 hash of the user's password rather than the password itself.

Anon

I would second all your recommendations, but the thing about passwords should be put more strongly. Rather than "might want to" store the md5 hash of the password instead of the plain text, it's really a case of absolutely should use md5 or something stronger unless you have some extraordinarily compelling reason not to.

Also, while the file-based system would be ok with 100 users, keep in mind that having thousands of files in a single directory is not a good idea due to directory search time. So if scalability is an issue, you might start with directory-based system to spread the files around a bit--instead of putting all the user files in a single directory, create directories based on the first letter of the userid--this will divide the load into 26 (or more) different directories.

Anon

Alright. What is md5 hash?

I like the idea of 26 dirs.
And I was planning on changing the mode of the files to no public access at all. And giving the group read and write.