Click here to Skip to main content
Rate this: bad
good
Please Sign up or sign in to vote.
See more: PHP MySQL
Hello all,
 
Yesterday, navigating the Q&A I saw a nice question[^] regarding what to do to avoid someone to steal the username and password from a web site or database in case they were stored as plain text…
 
Of course there are PHP files that are hidden from the search engines and therefore nobody should see them, but there’s always that possibility…
 
Reading the answer to the question I saw that OriginalGriff[^] answered that the best option would be something like using hash strings[^] to achieve that.
 
Of course the advantage is clear: if something happens and/or fails no one should be able to know the username and password of all the system compromising it.
 
In my case there is a PHP page that asks for a username and a password to access some special pages that allow the user to do site maintenance and other things…
 
In all the special pages I must check if the user has logged in correctly or not… just to ensure that no one will access one of the password protected pages directly bypassing the log in security php page.
 
After asking the lounge which would be the best way to ask this and seeing that I had two questions that needed the same introduction (that was long Blush | :O ) I decided to post both of them in that way.
 
My two questions are:
 
FIRST QUESTION:
In all the special pages I’m looking for a specific $_SESSION variable to ensure that the user has logged in let’s say $_SESSION[“loginok”].
 
If that variable value is FALSE then I send the user to the log in page and just after sending the form I check the hash value… if it has been a success then I modify the value again and set it to TRUE.
 
Is it possible for any user out there to know which variable I’m using and to modify it directly? I mean: a super easy way to hack the security would be to change the FALSE for a TRUE in that variable. Can this happen? And if it can happen… how should be avoided?

SECOND QUESTION:
In order to connect to the MySQL database I need the database name, the address where to find it, the user name and the password to be sent as parameters to the connection call mysql_connect.
 
How do you avoid writing the username and password in plain text here? The mysql_connect function requires them to be passed as parameter…
 
Now, without being capable to imagine a solution to that point… I’m guessing that the problem faced at the beginning of this question reappears again here… any solution about that?
 
Well, I know that it has been a strange question with two long questions inside… Sorry for that...
 
Thank you in advance for reading it and for your effort if you answer me!
 
Thumbs Up | :thumbsup:
Posted 10-May-11 21:18pm
Joan Murt81.4K
Comments
S Mewara at 11-May-11 4:31am
   
5!
Joan Murt at 11-May-11 6:32am
   
Thank you Sandeep!

1 solution

Rate this: bad
good
Please Sign up or sign in to vote.

Solution 1

1: Session variables are stored on the server - an ID that identifies the session is passed from the browser to the server in a cookie or as part of the query string. Editing the values of variables in the session is possible if you have access to the session storage, which means being able to edit files on the server or updating fields in a database. If an attacker has access to edit the session then they have already gained more access than they should have.
 
2: The important thing is not to store the username and password where anyone can read it. Also, make sure your MySQL privileges are limited to only what the application requires, in case the username and password are discovered by an attacker. Limit access by IP address to just the server so it cannot be used to log in remotely too (and disable remote access to MySQL completely if you don't need it).
  Permalink  
Comments
Joan Murt at 12-May-11 2:29am
   
Yes, I'm afraid you are right... and if that is the case... I can't see any sense onputting extra efforts using sha1 and similar methods... my 5... and my acceptance as a solution...

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
0 OriginalGriff 330
1 Nirav Prabtani 242
2 Richard Deeming 240
3 CHill60 170
4 _Amy 145
0 OriginalGriff 8,104
1 Sergey Alexandrovich Kryukov 7,045
2 Maciej Los 4,039
3 Peter Leow 3,738
4 CHill60 2,912


Advertise | Privacy | Mobile
Web04 | 2.8.140721.1 | Last Updated 11 May 2011
Copyright © CodeProject, 1999-2014
All Rights Reserved. Terms of Service
Layout: fixed | fluid

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100