password security

andy753421

For my site I need a plain text password stored on the server somewhere (cant do md5 because i need it to log into something else) and I want to have it stored somewhere where it can be easily changed, so having it build into the php script isn't very good.

What I'm doing now is having the password be stored in a file called password_file.php, which contains only.

<?php $password='password'; ?>

Then when I want to use the password in a script i just do include('password_file.php'); and use $password.

This seems to be working ok, but it doesnt seem very secure because other people have access to the same site in order to post messages and I'm afraid someone will be able to post a message and they could just have the message contain a php script to get the password from the password_file.php and the use it to do whatever they want.

Skull

if other people have access to the server, no matter what you do they could always look around and find it.

You'd have to put it in a certain folder that only you have access to, that way they won't know the filename of it, therefor would be unable to include it.

They could guess it, but from the information you've posted, thats the best help I can give right now

HTH

andy753421

ok, i cant actually get permission for the directory for only me (as in my user account on the server) and useing htaccess wouldnt do anything would it? Because if it's included from outside the server it will just include what the server sends back (and that would be nothing.)

So is there any way to make a post to a page that will be executed in php?

rehfeld

Originally posted by andy753421

So is there any way to make a post to a page that will be executed in php?

huh????

Skull

Could you post an example of what it is that you want it do, as you say that you're posting things places, but i'm not sure what you're posting and where your posting it

andy753421

well, it's like this form. I have a section where someone can type stuff into a form and then click submit and then the stuff they typed is entered into MySQL and then there's a page that pulls the stuff out of MySQL and sends it to the browser.

Here's what I'm wondering.
Lets say the user types something like <?php echo('blarg'); ?> into the text box and then submit it.
Is there any way that they can get PHP to read that text as code to be executed (and would therefor print out 'blarg'), or does php ALWAYS treat that as a string and then just put it in MySQL as "<?php echo('blarg'); ?>" and then when it goes to put it on the page to view it will put "<?php echo('blarg'); ?>" in the html source instead of actually executing the commands (like echo).

Echo doesnt really matter, but it's important because if they can do that then they can read files off the web server that have passwords coded into them.

Skull

No, as far as I know it won't process any php that you put through a form

laserlight

does php ALWAYS treat that as a string

Yes, unless you use say, [man]eval/man on the incoming data, which would be very silly especially when there is no or insufficient validation performed.

rehfeld

you also need to watch out for sql injection

http://www.php.net/manual/en/security.database.sql-injection.php

toplay

Originally posted by andy753421
...it doesnt seem very secure because other people have access to the same site in order to post messages and I'm afraid someone will be able to post a message and they could just have the message contain a php script to get the password from the password_file.php and the use it to do whatever they want.

Keep any include files or other sensitive data/files off the public web directory (and place in the root or sub-directory off the root).

You need to validate all input coming to you through forms. As already stated, PHP won't execute any code unless eval() is used. To be safe, you can use strip_tags() to remove HTML and PHP from the input.

md5() is a form of one way encryption. Maybe you should think about using two way encryption using mcrypt/libmcrypt since you want to be able to get at the original password.

To encrypt with that library requires that you generate a key. Again, open to a bit of risk if someone gets a hold of the key (they can decrypt the password, etc.).

You can also make your script(s) not readable/protected. You can achieve that with products such as http://www.codelock.co.nz. There are others of course, but this one has the best feature to price ratio.

hth.

andy753421

Thanks for all the help so far.

Keep any include files or other sensitive data/files off the public web directory (and place in the root or sub-directory off the root).

If my host doesnt allow me to have write access anywhere but the htdocs directory is it that important, or is there anything else (.htaccess) that will suffice?

You need to validate all input coming to you through forms. As already stated, PHP won't execute any code unless eval() is used. To be safe, you can use strip_tags() to remove HTML and PHP from the input.

If php wont execute any code why is this important, other than keeping the pages looking clean and checking for MySQL cracks?

toplay

Yes, .htaccess will suffice if you don't have access to root.

A big percentage of code logic is taken up by error checking. So, you always edit/filter input data. If you don't mind that there's HTML/PHP tags stored in you DB, then so be it. A waste of DB/disk space if you ask me.

I only allow what I want, period.