Security questions with passwords, etc

Alex_Dude_122

I'm writing a simple php script: basically a blog sort of script. But to get there I've wrote a login system.

If password entered matches correct password, go ahead.

$user = "value1";
$pass = "value2";

if($password == $pass AND $username == $user) {

} else { 

exit; 

}

Could someone find the password? Is there a safer way to do this?

dougal85

well... that part looks pretty good. apart from your PHP syntax is wrong.

an and in PHP is && not AND.

$user = "value1";
$pass = "value2";

if($password == $pass && $username == $user) {

} else { 

exit; 

}

I guess you are just having one static password and it can't be changed. This is OK, but just make sure you use a good password. to stop hammering and brut force guessing of the password you could allow 5 attempts per IP or something.

Most security flaws that I am aware of come with SESSIONS or querying databases. You will need to considered sessions if you want to password protect more than one page? Otherwise they will need to enter the password each page they go to.

dougal85

oh yeah... and how are you doing the login page? is it on the same page as the protect matierial?

You have only given us a very very small piece of code to look at!

laserlight

Actually, and is a valid PHP keyword, and is almost equivalent to && save for a lower precedence.

As for someone finding out the password - well, if they can read your source code, they can read your password. Either way such hardcoding of username/password tends to be rather inflexible.

dougal85

really... wow, i had never considered using 'and'! I guess you learn something everyday!

Alex_Dude_122

I will be using sessions. It's a two page script, one for login, second for the blog posting inputs. I haven't built the script yet. I just wanted to know if that was secure enough.

The login is on a page called admin.php and when the user fills in the username/password, it sends the data to admin2.php where the password/username compare bit is.

suntra

When using passwords, I always use MD5 encryption, and I add a special string...

For example, if the password is "1234567", I will add a constant string, let's say "tomorrowisnewyear_", so the result is "tomorrowisnewyear_1234567", and then MD5()-it : 50bd081721a77abe6cd752df60608146

So when checking the password...

Sent password = 1234567
MD5 string to be checked : MD5('tomorrowisnewyear_1234567')
Does that encrypted string equal the one stored in the DB ?