
 Safety of common.php and login option.

Johan
Posted: 10/01/2004, 11:56 AM

I'm not a PHP expert, but I did hear about the unsafety of PHP password scripts. Is the use of a login option via a CodeCharge PHP script safe?

Second question: common.php stores the password literally within the file. Of course it's possible to protect the file from abuse, but a literally stored password in a file (more like a MySQL/PHP bug than a CodeCharge problem) is asking the devil to drop by.

Two questions to be answered by experts hanging round in here

Thanks


feha


Posts: 712
Posted: 10/01/2004, 3:57 PM

Quote :
codecharge php script safe?
I can say it is more than 95% safe.
If you use HTTPS://, then it is 99.99% safe.
Login and Password fields use a POST submission,
which is better than GET ... your browser could "remember" the GET link with all submitted info (including the password).
If someone is "listening" to your traffic between you and the website you log in to, he may "catch" your password no matter what kind of script you are using. That's a rare case.
The best is to use HTTPS:// for sensitive data, and CCS supports it 100%.

Quote :
Second question, common.php stores the password literally within the file
OK, it stores it in the DB, but as plain text. I suggest using md5($password) before storing the password; it requires some changes ...


_________________
Regards
feha

www.vision.to
feedpixel.com
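
The hashing step suggested in the post above, as an added example that is not part of the original thread and is not CodeCharge Studio code. It goes beyond a bare `md5()` by using PHP's salted `password_hash()`, and it rewrites plain-text or MD5 rows on the next successful login. The function names, the `$users` array and the passwords are constructed for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example; $users stands in for the users table (constructed data).

// New and upgraded passwords get PHP's salted, deliberately slow hash.
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Check an attempt against whatever format the row holds.
// Returns [bool $ok, ?string $newHash]; $newHash is set when the row should be rewritten.
function check_login(string $stored, string $attempt): array
{
    if (!empty(password_get_info($stored)['algo'])) {
        // Already a password_hash() value; rehash only if the defaults moved on.
        $ok = password_verify($attempt, $stored);
        $upgrade = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    } elseif (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy row holding an unsalted md5() digest.
        $ok = hash_equals(strtolower($stored), md5($attempt));
        $upgrade = $ok;
    } else {
        // Legacy row holding the password as plain text.
        $ok = hash_equals($stored, $attempt);
        $upgrade = $ok;
    }
    return [$ok, $upgrade ? store_password($attempt) : null];
}

$users = [
    'alice' => 'correct horse',              // plain text
    'bob'   => md5('s3cret!'),               // unsalted MD5
    'carol' => store_password('tr0ub4dor'),  // already migrated
];
$attempts = [
    ['alice', 'correct horse'], ['bob', 'wrong'],
    ['bob', 's3cret!'], ['carol', 'tr0ub4dor'],
];
foreach ($attempts as [$name, $attempt]) {
    [$ok, $newHash] = check_login($users[$name], $attempt);
    if ($newHash !== null) {
        $users[$name] = $newHash; // real application: UPDATE the user's row
    }
    printf("%-5s login=%-3s rewritten=%s\n", $name,
        $ok ? 'yes' : 'no', $newHash !== null ? 'yes' : 'no');
}
```

The password column has to be wide enough for the new value; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`.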
greg
Posted: 10/04/2004, 6:48 AM

Johan wrote:
> I'm not a PHP expert, but I did hear about the unsafety of PHP password
> scripts. Is the use of a login option via a CodeCharge PHP script safe?
As safe as any other HTTP-based authentication. The easy way to make
it safer is to use HTTPS (but you need an HTTPS server); the other way
would be a unix-style hash, but that would mean including a JavaScript
hash function (doable, suggest it ;)

> Second question: common.php stores the password literally within the file. Of
> course it's possible to protect the file from abuse, but a literally stored
> password in a file (more like a MySQL/PHP bug than a CodeCharge problem) is
> asking the devil to drop by.
You have to store it somewhere. Furthermore, if your DB is properly
configured, the password you're using to access the DB should be valid
only for the tables you want CCS to access, and only from the host the
webserver is running on, which means having this password wouldn't allow
anyone from anywhere else.
You don't have to do anything to protect the file containing the
password, since it's a .php file it should be processed by the webserver
and therefore output a blank page (unless of course you have side access
to your files, like FrontPage or file sharing or a buggy webserver).

Greg
