Topic awaiting preservation: Security Issue (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=12841" title="Pages that link to Topic awaiting preservation: Security Issue (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: Security Issue <span class="small">(Page 1 of 1)</span>\$

quisja Paranoid (IV) Inmate From: everywhere Insane since: Jun 2002	posted 07-31-2003 22:09 Say I have a PHP script thusso: code: <?php $password = $_POST['password']; if($password == "secretchiznit") { //do secret stuff } else { //tell user they're not allowed secret stuff } ?> Just how secure is a method like this (i.e. posting from a form)? Ignoring the possibility of someone else being on my computer when I go onto this page, can people see my PHP or intercept the data? Is it OK to rely on this, since I'm just pretecting a file upload page from any old joe looking at it, not actually dealing with secret chiznit? Thanx [edit]Changed to double equals. Getting languages mixed up.[/edit] [This message has been edited by quisja (edited 08-01-2003).]
DmS Paranoid (IV) Inmate From: Sthlm, Sweden Insane since: Oct 2000	posted 07-31-2003 23:04 Well, to be picky that snip will let everyone in since you are assigning the cleartext password instead of comparing it... " = " is assign, " == " is compare. Well if you are worried about some dude that can't go beyond viewing source and the content isn't more valuable than that, ok, I'll buy it. Otherwise, no way! There are lot's of better ways to do it. Let the value of your information decide the level of security you want to apply. Since you are talking about a fileupload page you are protecting a hole into the server that ppl can use to upload almost anything if there is a lack of safeguards in the upload as well. Yeah, I think I'd be a bit harder on security here. /Dan {cell 260} -{ a vibration is a movement that doesn't know which way to go }- [This message has been edited by DmS (edited 07-31-2003).]
quisja Paranoid (IV) Inmate From: everywhere Insane since: Jun 2002	posted 08-03-2003 01:14 Ok, what direction should I be looking into then? I had a look at the Apache method, but couldn't seem to get it working, and scripts can access the file anyway. What's the best way of doing it built into the PHP code?
Tyberius Prime Paranoid (IV) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 08-03-2003 09:22 well, the usual way, and the only change I see to improve your method, is to a) not store the password, but store an md5() of it (md5 is a one way hash algorithm... you'd then compare the md5 of the real passwword with the md5 of the user supplied password. b) encrypt the whole connection (=https), otherwise, one will still be able to fetch the password on any cable between you and the server.

Topic awaiting preservation: Security Issue (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=12841" title="Pages that link to Topic awaiting preservation: Security Issue (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: Security Issue <span class="small">(Page 1 of 1)</span>\$

quisja
Paranoid (IV) Inmate

From: everywhere
Insane since: Jun 2002

posted 07-31-2003 22:09

Say I have a PHP script thusso:

code:

<?php

$password = $_POST['password'];

if($password == "secretchiznit") {

    //do secret stuff

} else {

    //tell user they're not allowed secret stuff

}

?>

Just how secure is a method like this (i.e. posting from a form)? Ignoring the possibility of someone else being on my computer when I go onto this page, can people see my PHP or intercept the data? Is it OK to rely on this, since I'm just pretecting a file upload page from any old joe looking at it, not actually dealing with secret chiznit?
Thanx

[edit]Changed to double equals. Getting languages mixed up.[/edit]

[This message has been edited by quisja (edited 08-01-2003).]

DmS
Paranoid (IV) Inmate

From: Sthlm, Sweden
Insane since: Oct 2000

posted 07-31-2003 23:04

Well, to be picky that snip will let everyone in since you are assigning the cleartext password instead of comparing it...
" = " is assign, " == " is compare.

Well if you are worried about some dude that can't go beyond viewing source and the content isn't more valuable than that, ok, I'll buy it.
Otherwise, no way!
There are lot's of better ways to do it.

Let the value of your information decide the level of security you want to apply.
Since you are talking about a fileupload page you are protecting a hole into the server that ppl can use to upload almost anything if there is a lack of safeguards in the upload as well.
Yeah, I think I'd be a bit harder on security here.
/Dan

{cell 260}
-{ a vibration is a movement that doesn't know which way to go }-

[This message has been edited by DmS (edited 07-31-2003).]

quisja
Paranoid (IV) Inmate

From: everywhere
Insane since: Jun 2002

posted 08-03-2003 01:14

Ok, what direction should I be looking into then? I had a look at the Apache method, but couldn't seem to get it working, and scripts can access the file anyway. What's the best way of doing it built into the PHP code?

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 08-03-2003 09:22

well, the usual way, and the only change I see to improve your method,
is to
a) not store the password, but store an md5() of it (md5 is a one way hash algorithm... you'd then compare the md5 of the real passwword with the md5 of the user supplied password.
b) encrypt the whole connection (=https), otherwise, one will still be able to fetch the password on any cable between you and the server.