Yesterday, navigating the Q&A I saw a nice question
] regarding what to do to avoid someone to steal the username and password from a web site or database in case they were stored as plain text…
Of course there are PHP files that are hidden from the search engines and therefore nobody should see them, but there’s always that possibility…
Reading the answer to the question I saw that OriginalGriff
] answered that the best option would be something like using hash strings
] to achieve that.
Of course the advantage is clear: if something happens and/or fails no one should be able to know the username and password of all the system compromising it.
In my case there is a PHP page that asks for a username and a password to access some special pages that allow the user to do site maintenance and other things…
In all the special pages I must check if the user has logged in correctly or not… just to ensure that no one will access one of the password protected pages directly bypassing the log in security php page.
After asking the lounge which would be the best way to ask this and seeing that I had two questions that needed the same introduction (that was long
) I decided to post both of them in that way.
My two questions are:
In all the special pages I’m looking for a specific $_SESSION variable to ensure that the user has logged in let’s say $_SESSION[“loginok”].
If that variable value is FALSE then I send the user to the log in page and just after sending the form I check the hash value… if it has been a success then I modify the value again and set it to TRUE.
Is it possible for any user out there to know which variable I’m using and to modify it directly? I mean: a super easy way to hack the security would be to change the FALSE for a TRUE in that variable. Can this happen? And if it can happen… how should be avoided?
In order to connect to the MySQL database I need the database name, the address where to find it, the user name and the password to be sent as parameters to the connection call mysql_connect.
How do you avoid writing the username and password in plain text here? The mysql_connect function requires them to be passed as parameter…
Now, without being capable to imagine a solution to that point… I’m guessing that the problem faced at the beginning of this question reappears again here… any solution about that?
Well, I know that it has been a strange question with two long questions inside… Sorry for that...
Thank you in advance for reading it and for your effort if you answer me!