  1. #1
    Regular Coder Common's Avatar
    Join Date
    Jan 2009
    Location
    Glasgow, UK
    Posts
    133
    Thanks
    16
    Thanked 13 Times in 13 Posts

    Security Implications of Hard-Coding Password?

    Hello!

    This is just out of curiosity, something I've always wondered. Whenever I'm making a login system, I have a users MySQL table with an encrypted password which is checked when the user tries to login.

    Provided it's not necessary to offer automatic registrations, as that would be a pain without SQL, would it be MORE or LESS secure to actually just hardcode the username and password into your executing PHP file (example below)? As far as I know there's no way to access the unprocessed source code bar hacking into the server, but if that happens they can do what they like with your database etc anyway.

    Code:
    <?php
    
    // Hard-coded credentials compared directly against the POSTed form fields.
    // Array keys are quoted and the fields are checked with isset() so the
    // script does not raise notices (or, on PHP 8, errors) for undefined
    // constants or missing fields.
    if (isset($_POST['username'], $_POST['password'])
        && $_POST['username'] === "john" && $_POST['password'] === "letmein") {
        echo "You are now logged in.";
    }
    
    ?>
    It seems instinctive that this would be insecure, but what I want to know is why?

    Many thanks!

  • #2
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,476
    Thanks
    63
    Thanked 538 Times in 525 Posts
    If the php interpreter fails for any reason, your file isn't executed but is instead just served straight to the client.

    Most of us use database connection details in that way (usually in another file, preferably in a directory that's not publicly accessible), but using actual script login details hard-coded isn't a great idea.
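The layout the reply above describes, as an added example that is not code from the thread: the served script holds no credentials itself but loads them from a file above the web root, and refuses to start if that file turns out to be reachable by URL. The paths, the `secrets.php` name and the `loadSecrets` helper are assumptions for illustration; PHP 8 is assumed for `str_starts_with`.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Assumed (hypothetical) layout:
//   /var/www/app/config/secrets.php   <- outside the web root, mode 0640
//   /var/www/app/public/index.php     <- DocumentRoot is /var/www/app/public
// config/secrets.php contains only a return statement, e.g.:
//   <?php return ['db_dsn'  => 'mysql:host=127.0.0.1;dbname=app',
//                 'db_user' => 'app', 'db_pass' => 'change-me'];
// If the PHP handler is misconfigured and Apache serves .php files raw, only
// files under DocumentRoot can leak; secrets.php is not reachable by URL.

function loadSecrets(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("secrets file not readable: $path");
    }
    $secrets = require $path;
    if (!is_array($secrets)) {
        throw new RuntimeException("secrets file must return an array");
    }
    // Sanity check: refuse to run if the secrets file sits under the web root.
    $docRootSetting = $_SERVER['DOCUMENT_ROOT'] ?? '';
    $docRoot = $docRootSetting !== '' ? realpath($docRootSetting) : false;
    $real    = realpath($path);
    if ($docRoot !== false && $real !== false
        && str_starts_with($real, rtrim($docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("secrets file is inside the web root: $real");
    }
    return $secrets;
}

$secrets = loadSecrets(__DIR__ . '/../config/secrets.php');

// Credentials never appear in this file, so a raw-source leak of index.php
// shows only the path of the config, not its contents.
$pdo = new PDO(
    $secrets['db_dsn'],
    $secrets['db_user'],
    $secrets['db_pass'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
```

The web-root check is a belt-and-braces measure: the real protection is the directory layout and file permissions, and the check only catches the case where someone later moves or symlinks the config under `DocumentRoot`.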

  • #3
    Regular Coder Arcticwarrio's Avatar
    Join Date
    May 2012
    Location
    UK
    Posts
    738
    Thanks
    20
    Thanked 85 Times in 85 Posts
    Only people who can access your files can see that.

    If you want to protect it from anybody, you'd need a basic hash or similar.

    This is the same as the code you posted:

    PHP Code:
    if (isset($_POST['username'], $_POST['password'])
        && $_POST['username'] === "john"
        && md5($_POST['password']) === "0d107d09f5bbe40cade3de5c71e9e9b7") {
        echo "You are now logged in.";
    }

  • #4
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,108
    Thanks
    11
    Thanked 101 Times in 99 Posts
    If the file with that information is above your web root then it's, as you note, no more or less secure than a config file with your MySQL user and password in it.

    If you only have one user or so and don't want to use a database, you could also use HTTP authentication with .htaccess, .htpasswd etc.
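The .htaccess/.htpasswd approach mentioned above, as an added configuration example that is not from the thread. It assumes Apache 2.4 with mod_auth_basic and mod_rewrite loaded, `AllowOverride AuthConfig FileInfo` for the directory, and a hypothetical password file path outside the web root.

```apacheconf
# Added example, not from the thread. Assumed (hypothetical) password file
# location: /var/www/app/.htpasswd, outside DocumentRoot so it is never served.
# Create it with bcrypt (-B) rather than htpasswd's default MD5-based scheme:
#   htpasswd -c -B /var/www/app/.htpasswd john
# Add further users without -c (which would recreate the file).
AuthType Basic
AuthName "Admin area"
AuthUserFile /var/www/app/.htpasswd
Require valid-user

# Basic auth sends the password base64-encoded (not encrypted) on every
# request, so only allow it over TLS.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Because the password file is outside the web root, the same reasoning as for a config file applies: only someone with filesystem access can read it, and with `-B` what they read is a salted bcrypt hash rather than a reusable password.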

  • #5
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,642
    Thanks
    0
    Thanked 649 Times in 639 Posts
    If the passwords in the database are hashed then even with access to the server the person can't see what the passwords are. They may be able to work out A password that hashes to the given value but if the hash also uses a salt then even if they do work out a value that works as the password they will not be able to use that same password to break into other sites where the person has stupidly used the same password.

    If instead you store the password in plain text in the database then anyone who gains access to the server can try out the username/password combinations on other sites so as to break into any accounts that people have that use the same password.
    Stephen
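The hashing points made in post #3 (compare a hash, not the password) and in the reply above (salted hashes protect reused passwords even when the server is compromised), as an added example that is not code from the thread. It runs on constructed sample accounts; the `expect` and `checkLogin` helpers and the usernames are assumptions for illustration. It uses PHP's standard `password_hash`/`password_verify` (PHP 7.4+ assumed).

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Shows on constructed data why an
// unsalted md5 is weak (every user with the same password gets the same hash,
// so one cracked hash or a precomputed table opens all of them and reveals a
// password the person may reuse elsewhere) and how password_hash() differs:
// it embeds a random per-user salt and a slow algorithm (bcrypt by default),
// so identical passwords give different hashes that each need a separate attack.

function expect(bool $cond, string $msg): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// Constructed sample accounts; "letmein" is the password from the snippet above.
$plain = ['john' => 'letmein', 'jane' => 'letmein', 'alice' => 'correct horse battery'];

// 1. Unsalted md5, as in post #3: same password, same hash.
$md5 = array_map('md5', $plain);
expect($md5['john'] === '0d107d09f5bbe40cade3de5c71e9e9b7', 'md5 of letmein');
expect($md5['john'] === $md5['jane'], 'unsalted hashes collide');

// 2. Salted, slow hash. Store the returned string as-is; it encodes the
// algorithm, cost and salt ("$2y$10$" followed by 22 salt and 31 hash chars).
$stored = [];
foreach ($plain as $user => $pw) {
    $stored[$user] = password_hash($pw, PASSWORD_DEFAULT);
}
expect($stored['john'] !== $stored['jane'], 'salted hashes differ');

function checkLogin(array $stored, string $user, string $pw): bool
{
    // Verify against a dummy hash for unknown users so the response time does
    // not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = $stored[$user] ?? $dummy;
    // password_verify is safe against timing attacks; never compare hashes
    // with == or === yourself.
    $ok = password_verify($pw, $hash);
    return $ok && isset($stored[$user]);
}

expect(checkLogin($stored, 'john', 'letmein'), 'correct password accepted');
expect(!checkLogin($stored, 'john', 'letmeout'), 'wrong password rejected');
expect(!checkLogin($stored, 'nobody', 'letmein'), 'unknown user rejected');

// 3. Raise the work factor over time: on a successful login, rehash when the
// stored parameters fall behind the current policy.
$policy = ['cost' => 12];
if (password_needs_rehash($stored['john'], PASSWORD_DEFAULT, $policy)) {
    $stored['john'] = password_hash($plain['john'], PASSWORD_DEFAULT, $policy);
}
expect(password_verify('letmein', $stored['john']), 'rehashed value still verifies');
echo "all checks passed\n";
```

With this in place, an attacker who reads the users table (or a hard-coded hash in the script) gets per-user bcrypt strings rather than passwords, and john's and jane's identical passwords must be cracked separately, which is the protection against cross-site reuse described above.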
