Part one
Is it safe to store password variables in a file called config.php and then require() or include() it from another file? Can other people include or require it from a different location using http://w...config.php and then echo out the password variable? Or can it only be required/included with a relative path? Are there other ways to reveal the password?

Part two

I'm using the password with an if/else statement to protect a few pages. First page (log in) has this structure:

<?php
require "../common/config.php";

// $pw holds the password submitted by the user; $adminpw comes from config.php
if ($pw == $adminpw) {
    // HTML to display since the given password == the one given in the config.php file.
} else {
    // HTML form where the user can enter the password
}
?>

The rest of the protected pages looks like this:

<?php
if ($pw != $adminpw) {
    die("Incorrect or missing pw...");
} else {
    // HTML to display since the given password == the one given in the config.php file.
}
?>

Is this whole thing safe or are there ways to get the password or bypass the protection?

    Answers:

    Part 1)
    It's safe... provided the file you are including has PHP tags... e.g.

    <?php
    // full opening tag: short tags (<?) are off on many servers and would leak the file as text
    $password = "myPassword";
    ?>

    That file will be parsed before it even leaves the webserver.... the only security issue I found.. is that an advanced coder could obtain the PHP file using PHP processed by the php.exe on the same server.... Most servers won't allow you to see other directories than your own, but certain ones like Freeola do, and it is unwise in this case.

    Part 2)
    The code shouldn't be able to be bypassed... however IF register_globals is set to on then there MAY be a security issue... i.e. someone could type the URL

    http://www.site.com/index.php?pw=myPassword&adminpw=myPassword

    This would cause the statement

    if ($pw == $adminpw) {

    to be true and grant access. However.. the require() should ensure that your $adminpw is set to YOUR password and not the one in the URL.. so you should be ok. It would even be ok to set the passwords at the top of your PHP script.. not even in a separate file.

    Thanks
    Jonny
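A hardened version of the check discussed in the question and in the answer above, added here as an example (it is not code from either poster). It assumes a config.php kept outside the web root at ../private/config.php (the path is an assumption) holding only a password_hash() hash, a single auth.php included by every protected page, a form field named pw, and a session flag named admin. The submitted password is read from $_POST explicitly, so register_globals cannot substitute either side of the comparison, and the protected pages check the server-side session instead of having the password re-sent with every request:

```php
<?php
// auth.php: hypothetical replacement for the per-page password check in
// the question. Added example, not the original poster's code.
declare(strict_types=1);

// config.php lives OUTSIDE the web root (path below is an assumption),
// so the web server cannot serve it as a plain file even if PHP parsing
// is off or misconfigured. Its entire content is:
//
//   <?php
//   return ['admin_password_hash' => '$2y$10$...hash placeholder...'];
//
// Only the hash is stored; the plaintext password is never in a file.
$config = require __DIR__ . '/../private/config.php';

session_start();

// Handle a login attempt. The password is read explicitly from $_POST,
// never from a bare $pw, so register_globals or a query string such as
// ?adminpw=... cannot substitute either side of the comparison.
// Returns true when the session is now authenticated.
function login_attempt(array $config): bool
{
    $pw = $_POST['pw'] ?? null;
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !is_string($pw)) {
        return false;
    }
    // password_verify() compares in constant time against the stored hash.
    if (!password_verify($pw, $config['admin_password_hash'])) {
        return false;
    }
    // Fresh session id on login, so a session id fixed before login is
    // not promoted to an authenticated one.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
    return true;
}

function is_logged_in(): bool
{
    return !empty($_SESSION['admin']);
}

// Guard for every protected page: trust only the server-side session
// flag, never a password re-sent with each request.
function require_login(): void
{
    if (!is_logged_in()) {
        http_response_code(403);
        exit('Not logged in.');
    }
}

// Usage (each page is its own file; shown here as comments):
//
// login.php:
//   require __DIR__ . '/auth.php';
//   if (is_logged_in() || login_attempt($config)) {
//       // admin HTML
//   } else {
//       echo '<form method="post"><input type="password" name="pw">'
//          . '<button>Log in</button></form>';
//   }
//
// protected.php:
//   require __DIR__ . '/auth.php';
//   require_login();
//   // protected HTML
```

The hash in config.php is generated once, for example with `php -r 'echo password_hash("the password", PASSWORD_DEFAULT);'`, and pasted into the file; the plaintext never needs to exist on the server afterwards. Because the protected pages only consult $_SESSION, a missing or wrong pw parameter on those pages is simply ignored rather than compared.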

      Ok, great. Thanks for the quick response! 🙂

        If you need any more help with PHP I will be happy to help you on MSN if you have it. My MSN address is option@blueyonder.co.uk

        Add me if you require.

        Thanks
        Jonny
