LinuxQuestions.org, Programming forum: how to encrypt password in php file (no database involved)
https://www.linuxquestions.org/questions/programming-9/how-to-encrypt-password-in-php-file-no-database-involved-665042/

arjay 08-24-2008 12:17 PM

SOLVED: how to encrypt password in php file (no database involved)
 
I am designing a website that is not yet ready for public viewing. But I do want friends and colleagues to be able to log on and give me design and content advice (they don't know anything about web design). The site does not hold anything that needs particularly strong security.

I first set up password protection using the .htaccess method. This worked fine for initial entry to the website but caused havoc with the blog, forum and gallery within the site. As the software for these three progs is all in the root folder, the user was continually being asked for the username/PW again and again when these pages were accessed. My friends have got fed up with me!

So now I have installed a small php script that allows me to password protect any/all the pages i want. This works much better, but obviously, this is not very secure because the password is in plain text in the main php script.

I have searched and searched for a simple method to encrypt the PW in the php file but have not really got anywhere. I use linux, so Windows software options are out. Most other stuff seems to involve encryption of database entries. I can't afford another database just for this (have used up my ISP's quota).

Can anyone point me to a method to achieve what I want?

Thanks

Randux 08-24-2008 01:43 PM

You can store a hash of the password (MD5 or SHA1 for example). When the user enters his password, compute the hash and compare it to what you stored. This way you never keep the password on file.

arjay 08-24-2008 01:49 PM

Quote:

Originally Posted by Randux (Post 3258159)
You can store a hash of the password (MD5 or SHA1 for example). When the user enters his password, compute the hash and compare it to what you stored. This way you never keep the password on file.


Wow - thanks for the prompt reply. It sounds just what I want, but I have no idea how to do it! I'll google for some help, but if you have a mo, perhaps you could point me in the right direction as well. I am pretty good at css/html, a bit feeble at php and useless at most other things, so treat me gently!

Cheers

win32sux 08-24-2008 05:28 PM

Here is a really simple example.

arjay 08-25-2008 01:11 AM

Quote:

Originally Posted by win32sux (Post 3258334)
Here is a really simple example.

Thanks so much for the link. I'll have a play with it today and see what happens. It is a bit up the learning curve for me. But at least I can trade off trial and error experience for knowledge and ability!

RJ

arjay 08-25-2008 03:53 AM

Sorry about this, but I have a new bit of info that I should have given you before.

First, though, I had a go with the sample php from the link and it works fine as far as entering a string and converting it to a hash. I then opened the php script on my website that sets up the password requirement. I intended to see how to fit the hash requirement in it, but then saw something suggesting that there is md5 encoding taking place. The relevant code looks like this:

Code:

<?php

/* Config Section */

$pass                = 'justanexample';                                // Set the password.
$cookiename        = 'sascookie';                                // Optional change: Give the cookie a name. Default is sascookie
$expirytime        = time()+3600;                                // Optional change: Set an expiry time for the password (in seconds). Default is 1 hour.
$msg                = 'Password incorrect. Please try again.';        // Optional change: Error message displayed when password is incorrect. Default is "Password incorrect".

/* End Config */

/* FUNCTIONS */
$encrypt_pass=md5($pass);        // encrypt password

function setmycookie() {
global $cookiename,$encrypt_pass,$expirytime;
        setcookie($cookiename,$encrypt_pass,$expirytime);
}       

function show_login_page($msg) {
?>

What I don't understand is that the password is in plain text at the top of the page, then there is an encrypt statement lower down. But presumably, anyone getting to this php file will be able to extract the password anyway?

Hopefully, you can help me understand why it is set out like this and how to turn it into a request for the hash instead.

I tried to contact the author, but I see there are no replies to pages of previous requests for support so this is probably not the best script to use.

Just for completeness, the php file then switches to html to display the log in dialogue. It looks like this:

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Authorization Required</title>
<style type="text/css">
<!--
.error {color:#A80000}
body {font:90% Verdana, Arial, sans-serif;color:#404040}
#wrapper {width:800px;margin:0 auto;border:1px solid #606060}
#main {text-align:center;padding:15px}
#header {font:bold 130% Verdana, Arial, sans-serif;color:#DDDDDD;width:100%;height:5em;text-align:center;background:#A80000;line-height:5em}
#mid {margin:5em 0 5em 0}
#footer {font-size:75%;text-align:center;width:100%}
input {border:1px solid #606060; background: #DDDDDD}
-->
</style>
</head>
<body>
<div id="wrapper">
        <div id="header">Authorization Required</div>
<div id="main">
        <div id="mid">
                <p>Please enter the password below to login. </p>

                <p>Once logged in, you won't need to re-enter the password for one hour. </p>

                <p>Cookies must be enabled on your PC for access to work.</p>
               
                <form action="" method="POST">
                        Password:&nbsp;<input type="password" name="password" size="20">&nbsp;
                        <input type="submit" value="Login">
                        <input type="hidden" name="sub" value="sub">
                </form>
                <div class=error><?=$msg?></div>
        </div>
</div>
</div>
<div id="footer">Authentication by <a href="http://www.zann-marketing.com/sas/">Simple Authorization Script</a> Copyright &copy; 2005.</div>
</body>
</html>
<? }

Any help would really be appreciated.

Thanks

graemef 08-25-2008 04:48 PM

The password will be entered by the user from your form, so you would get it from the variable $_POST['password'], so change the code in your first snippet to:

Code:

$pass = $_POST['password'];

Later you will want to add a test that the password has actually been entered:

Code:

if (isset($_POST['password']))
  $pass = $_POST['password'];
else
  $pass = '';


arjay 08-26-2008 02:27 AM

Quote:

Originally Posted by graemef (Post 3259495)
The password will be entered by the user from your form, so you would get it from the variable $_POST['password'], so change the code in your first snippet to:

Code:

$pass = $_POST['password'];

Thanks for replying. This didn't quite work because I had forgotten to show the actual password somewhere else and compare it against the submitted one. But your suggestion gave me the clue I needed.

What I have done is encrypt the correct password, using md5, and then entered the result in the "$pass = " statement. Then, later in the code I have the script encrypt whatever is submitted as the PW using md5 and check it against the one set earlier.

I don't suppose this is very elegant, but it works! I have included the full php script here in case anyone is interested.

Code:

<?php

/* Config Section */

$pass                = 'hash version of correct PW';                                // Set the password.
$cookiename        = 'sascookie';                                // Optional change: Give the cookie a name. Default is sascookie
$expirytime        = time()+3600;                                // Optional change: Set an expiry time for the password (in seconds). Default is 1 hour.
$msg                = 'Password incorrect. Please try again.';        // Optional change: Error message displayed when password is incorrect. Default is "Password incorrect".

/* End Config */



/* FUNCTIONS */

function setmycookie() {
global $cookiename,$pass,$expirytime;
        setcookie($cookiename,$pass,$expirytime);        // $pass already holds the hash; the old $encrypt_pass variable no longer exists in this version
}       

function show_login_page($msg) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Authorization Required</title>
<style type="text/css">
<!--
.error {color:#A80000}
body {font:90% Verdana, Arial, sans-serif;color:#404040}
#wrapper {width:800px;margin:0 auto;border:1px solid #606060}
#main {text-align:center;padding:15px}
#header {font:bold 130% Verdana, Arial, sans-serif;color:#DDDDDD;width:100%;height:5em;text-align:center;background:#A80000;line-height:5em}
#mid {margin:5em 0 5em 0}
#footer {font-size:75%;text-align:center;width:100%}
input {border:1px solid #606060; background: #DDDDDD}
-->
</style>
</head>
<body>
<div id="wrapper">
        <div id="header">Authorization Required</div>
<div id="main">
        <div id="mid">
                <p>Please enter the password below to login. </p>

                <p>Once logged in, you won't need to re-enter the password for one hour. </p>

                <p>Cookies must be enabled on your PC for access to work.</p>
               
                <form action="" method="POST">
                        Password:&nbsp;<input type="password" name="password" size="20">&nbsp;
                        <input type="submit" value="Login">
                        <input type="hidden" name="sub" value="sub">
                </form>
                <div class="error"><?php echo $msg; ?></div>
        </div>
</div>
</div>
<div id="footer">Authentication by <a href="http://www.zann-marketing.com/sas/">Simple Authorization Script</a> Copyright &copy; 2005.</div>
</body>
</html>
<?php }

/* END FUNCTIONS */

$errormsg='';
if (substr($_SERVER['REQUEST_URI'],-7)!='sas.php') {// if someone tries to request sas.php
        if (isset($_POST['sub'])) {                                                // if form has been submitted
                $submitted_pass=md5(isset($_POST['password']) ? $_POST['password'] : '');        // hash submitted password (empty string if the field is missing)
                if ($submitted_pass!==$pass) {                // if password is incorrect (strict compare: == would treat "0e..." hex strings as numbers)
                        $errormsg=$msg;
                        show_login_page($errormsg);
                        exit();
                } else {                                                                        // if password is correct
                        setmycookie();
                }
        } else {
                if (isset($_COOKIE[$cookiename])) {                        // if cookie isset
                        if ($_COOKIE[$cookiename]===$pass) {        // if cookie is correct (strict compare, as above)
                          // do nothing
                        } else {                                                                // if cookie is incorrect
                                show_login_page($errormsg);
                                exit();
                        }
                } else {                                                                        // if cookie is not set
                        show_login_page($errormsg);
                        exit();
                }
        }
} else {
        echo 'Sorry - this is not going to work.';
}
?>

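The following is an added example, not code from this thread or from the Simple Authorization Script. It implements Randux's advice (keep only a hash in the PHP file, hash what the user submits, compare) in the same page-guard shape as arjay's script, with three changes a reviewer would ask for: password_hash() instead of unsalted md5() (an unsalted md5 of a short password is cracked offline in seconds by anyone who reads the file, so the hash is barely better than the plain text); password_verify()/hash_equals() instead of == or <>, which in PHP compare two hex strings such as "0e1234..." as numbers and also leak timing; and a cookie that carries an expiry plus an HMAC rather than the stored hash itself, so a cookie copied from a browser is not the same value the file compares against and stops working when it expires. It assumes PHP 7.0 or newer; the $cookie_key and $stored_hash placeholders, the filename used in the comments, and the 'justanexample' password in the CLI walk-through are constructed for the example.

```php
<?php
declare(strict_types=1);
/* Added example, not code from the thread or from the Simple Authorization Script.
 * Same shape as arjay's setup: one shared password, kept only as a hash in this
 * PHP file, no database. Assumes PHP >= 7.0 (password_hash, hash_equals, random_bytes). */

/* Config (placeholder values; replace before use) */
$cookiename = 'sascookie';
$expirytime = 3600;                                   // seconds a login stays valid
$msg        = 'Password incorrect. Please try again.';
$cookie_key = 'REPLACE: output of bin2hex(random_bytes(32))';   // signs cookies; never the password
// Run once on the command line and paste the result below, then forget the password:
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), PHP_EOL;'
$stored_hash = 'REPLACE: output of the command above';

/* One-off helper producing the value for $stored_hash (bcrypt: salted and deliberately slow). */
function make_stored_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

/* Constant-time comparison; password_verify() reads salt and algorithm from the hash itself. */
function password_matches(string $submitted, string $stored_hash): bool {
    return password_verify($submitted, $stored_hash);
}

/* Cookie value "<expiry>.<hmac>": carries no password material, and the server
 * enforces the expiry instead of trusting the browser to drop the cookie. */
function make_login_cookie(string $key, int $expires_at): string {
    return $expires_at . '.' . hash_hmac('sha256', (string) $expires_at, $key);
}

function login_cookie_valid(string $value, string $key, int $now): bool {
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                                  // malformed, including a bare password hash
    }
    $expires_at = (int) $parts[0];
    if ($expires_at <= $now) {
        return false;                                  // expired
    }
    $expected = hash_hmac('sha256', (string) $expires_at, $key);
    return hash_equals($expected, $parts[1]);          // constant-time, not == or <>
}

/* Decide what one request gets, as a pure function so it can be exercised offline:
 *   ['action' => 'allow']                        let the page render
 *   ['action' => 'set_cookie', 'value' => ...]   password correct: issue cookie, then render
 *   ['action' => 'login', 'error' => ...]        show the form */
function authorize(array $post, array $cookies, string $stored_hash, string $key,
                   string $cookiename, int $ttl, string $msg, int $now): array {
    if (isset($post['sub'])) {                                        // form submitted
        $submitted = isset($post['password']) ? (string) $post['password'] : '';
        if (!password_matches($submitted, $stored_hash)) {
            return ['action' => 'login', 'error' => $msg];
        }
        return ['action' => 'set_cookie', 'value' => make_login_cookie($key, $now + $ttl)];
    }
    if (isset($cookies[$cookiename]) && login_cookie_valid((string) $cookies[$cookiename], $key, $now)) {
        return ['action' => 'allow'];
    }
    return ['action' => 'login', 'error' => ''];
}

function show_login_page(string $msg): string {
    // $msg is server-set today; escaping it anyway costs nothing and survives later edits.
    return '<form action="" method="POST">Password: <input type="password" name="password" size="20"> '
         . '<input type="submit" value="Login"><input type="hidden" name="sub" value="sub"></form>'
         . '<div class="error">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</div>';
}

if (PHP_SAPI !== 'cli') {
    /* Web mode: include this file at the very top of every protected page. */
    $d = authorize($_POST, $_COOKIE, $stored_hash, $cookie_key, $cookiename, $expirytime, $msg, time());
    if ($d['action'] === 'set_cookie') {
        setcookie($cookiename, $d['value'], time() + $expirytime, '/', '', false, true);   // HttpOnly
    } elseif ($d['action'] === 'login') {
        echo show_login_page($d['error']);
        exit();
    }
} else {
    /* CLI walk-through with constructed inputs:  php sas.php  (hypothetical filename) */
    $hash = make_stored_hash('justanexample');
    $key  = bin2hex(random_bytes(32));
    $now  = 1000000;
    $wrong   = authorize(['sub' => 'sub', 'password' => 'wrong'], [], $hash, $key, 'sascookie', 3600, 'bad', $now);
    $right   = authorize(['sub' => 'sub', 'password' => 'justanexample'], [], $hash, $key, 'sascookie', 3600, 'bad', $now);
    $fresh   = authorize([], ['sascookie' => $right['value']], $hash, $key, 'sascookie', 3600, 'bad', $now + 10);
    $expired = authorize([], ['sascookie' => $right['value']], $hash, $key, 'sascookie', 3600, 'bad', $now + 3601);
    $forged  = authorize([], ['sascookie' => $hash], $hash, $key, 'sascookie', 3600, 'bad', $now);
    printf("wrong password: %s\nright password: %s\nfresh cookie: %s\nexpired cookie: %s\ncookie holding the hash: %s\n",
           $wrong['action'], $right['action'], $fresh['action'], $expired['action'], $forged['action']);
}
```

Run it from the command line to see the five decisions (wrong password, right password, fresh cookie, expired cookie, and a cookie that tries to present the stored hash as in the thread's design); in web mode it is included at the top of each protected page exactly as arjay's script is. The $now parameter exists only so the expiry logic can be checked without waiting an hour.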

Randux 08-26-2008 07:01 AM

Note: technically you're hashing the password, not encrypting it. If you truly encrypted it, there should be a function to decrypt it. Hashing doesn't work that way, it's a one-way function.

arjay 08-26-2008 10:16 AM

Quote:

Originally Posted by Randux (Post 3260091)
Note: technically you're hashing the password, not encrypting it. If you truly encrypted it, there should be a function to decrypt it. Hashing doesn't work that way, it's a one-way function.

I stand corrected - thanks. I am trying to learn my way round php and all things similar so I should start getting the terminology right!

Randux 08-27-2008 12:01 PM

You know more PHP than I do. Hashing is a generic computer science term. It's pretty useful too!

arjay 08-27-2008 03:48 PM

I don't know much about php but I know better than to mess with that slackware. Can't believe you tell people you don't even know that you use that stuff. You should wait to tell people until you know them better. Only one up from Gentoo at the bottom of the ladder - Debian (proper) rules!! Only joking of course....

RJ

Randux 08-28-2008 12:38 PM

Slackware was the first distro I ever used and after that everything else sucked ;)

