Innervisions - 7 months ago
PHP Question

About Username and password security

I am making a custom storage page, to store information.

<form action="files/form.php" method="post">
<input type="text" name="username" placeholder="Username" value="" autocomplete="off">
<input type="password" name="password" placeholder="Password" value="" autocomplete="off">
<input name="submit" value="Send" type="submit">
</form>


So here is the form. I have it set to a premade user and password that are saved in a MySQL database. When the form is sent it goes to the form.php file, which contains the form where the user will input his information:

<?php
// Read the submitted credentials (empty string if a field is missing)
$user = isset($_POST["username"]) ? $_POST["username"] : "";
$pass = isset($_POST["password"]) ? $_POST["password"] : "";
?>
<?php if ($user == "Admin" && $pass == "12345"){ ?>
form.php content goes in here
<?php }else{ ?>
<span>Wrong password</span>
<?php } ?>


So the main question here is, is this actually safe? Or should I look up a better way to do this?

The way I plan to keep a user logged in is to keep the $user and $password in a $_SESSION until the user visits logout.php, which will clear the SESSION.

My code actually works, it's fine.

I just want to know if this is safe?
Note: User and Password are placeholders for the moment; it won't be 12345.

Answer

The problem here is that anyone who gains access to your source code (which is a major risk if you are sharing your host with other users/sites) can see what the password is.

The recommended way to store a password is to use a one-way hash - that is to say only the encrypted version of the password is ever stored. This would usually have the password stored in the database in its encrypted form, and you would then encrypt (using the same method) the user's input and check the encrypted form against the one in the database.

I won't expand your answer to use a database, but here it is statically set which should at least help explain what I mean:

<?php
    $user = isset($_POST["username"]) ? $_POST["username"] : "";
    $pass = isset($_POST["password"]) ? $_POST["password"] : "";
    // Hash the submitted password and compare it with the stored sha1("12345");
    // hash_equals() avoids PHP's loose == comparison and runs in constant time.
    $expectedHash = "8cb2237d0679ca88db6464eac60da96345513964";
?>
<?php if ($user == "Admin" && hash_equals($expectedHash, sha1($pass))){ ?>
    <!-- form.php content goes in here -->
<?php }else{ ?>
    <span>Wrong password</span>
<?php } ?>

Note that I have used sha1 encryption here; there are plenty of others to choose from other than this too. Also note that 8cb2237d0679ca88db6464eac60da96345513964 is the hash as returned by sha1("12345").

Hope this helps!
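As an added example (not the answerer's code), here is the same check built on PHP's password_hash()/password_verify(), which salts the hash and uses a slow algorithm so a leaked hash is far harder to brute-force than an unsalted sha1, together with the session handling the question describes; it assumes PHP 7 or later and the placeholder account Admin/12345.

```php
<?php
// Added example: hashed credential check plus session login flag.
// Assumes PHP >= 7 and the placeholder account "Admin" / "12345".
session_start();

// In a real deployment this row lives in the MySQL table and was produced once
// by password_hash("12345", PASSWORD_DEFAULT). The result embeds a random salt
// and the algorithm/cost, so two users with the same password get different
// hashes. It is regenerated here only so the example runs stand-alone.
$storedUser = "Admin";
$storedHash = password_hash("12345", PASSWORD_DEFAULT);

function check_login(string $storedUser, string $storedHash, string $user, string $pass): bool
{
    // hash_equals() compares in constant time so timing does not reveal how
    // much of the username matched; password_verify() does the same for the hash.
    $userOk = hash_equals($storedUser, $user);
    $passOk = password_verify($pass, $storedHash);
    return $userOk && $passOk;
}

$user = $_POST["username"] ?? "";
$pass = $_POST["password"] ?? "";

if (check_login($storedUser, $storedHash, $user, $pass)) {
    // Keep only the fact that login succeeded in the session, never the
    // password; a fresh session id prevents reuse of a pre-login id.
    session_regenerate_id(true);
    $_SESSION["logged_in"] = true;
    $_SESSION["user"] = $user;
    echo "form.php content goes in here";
} else {
    echo "<span>Wrong password</span>";
}

// logout.php would then call session_start(); $_SESSION = []; session_destroy();
```

Later pages only need to test $_SESSION["logged_in"], and if the stored algorithm is upgraded, password_needs_rehash() tells you when to re-hash a user's password at their next successful login.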