SOLVED: how to encrypt password in php file (no database involved)
I am designing a website that is not yet ready for public viewing. But I do want friends and colleagues to be able to log on and give me design and content advice (they don't know anything about web design). The site does not hold anything that needs particularly strong security.
I first set up password protection using the .htaccess method. This worked fine for initial entry to the website but caused havoc with the blog, forum and gallery within the site. As the software for these three progs are all in the root folder, the user was continually being asked for the username/PW again and again, when these pages were accessed. My friends have got fed up with me! So now I have installed a small php script that allows me to password protect any/all the pages I want. This works much better, but obviously, this is not very secure because the password is in plain text in the main php script. I have searched and searched for a simple method to encrypt the PW in the php file but have not really got anywhere. I use linux, so Windows software options are out. Most other stuff seems to involve encryption of database entries. I can't afford another database just for this (have used up my ISP's quota). Can anyone point me to a method to achieve what I want? Thanks
You can store a hash of the password (MD5 or SHA1 for example). When the user enters his password, compute the hash and compare it to what you stored. This way you never keep the password on file.
Wow - thanks for the prompt reply. It sounds just what I want but have no idea how to do it! I'll google for some help, but if you have a mo, perhaps you could point me in the right direction as well. I am pretty good at css/html, a bit feeble at php and useless at most other things, so treat me gently! Cheers
Here is a really simple example.
RJ
Sorry about this, but I have a new bit of info that I should have given you before.
First, though, I had a go with the sample php from the link and it works fine as far as entering a string and converting it to a hash. I then opened the php script on my website that sets up the password requirement. I intended to see how to fit the hash requirement in it, but then saw something suggesting that there is md5 encoding taking place. The relevant code looks like this:
Code:
<?php
Hopefully, you can help me understand why it is set out like this and how to turn it into a request for the hash instead. I tried to contact the author, but I see there are no replies to pages of previous requests for support so this is probably not the best script to use. Just for completeness, the php file then switches to html to display the log in dialogue. It looks like this:
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Thanks
The password will be entered by the user from your form, so you would get it from the variable $_POST['password'], so change the code in your first snippet to:
Code:
$pass = $_POST['password'];
Code:
if (isset($_POST['password']))
What I have done is encrypt the correct password, using md5, and then entered the result in the "$pass = " statement. Then, later in the code I have the script encrypt whatever is submitted as the PW using md5 and check it against the one set earlier. I don't suppose this is very elegant, but it works! I have included the full php script here in case anyone is interested.
Code:
<?php
Note: technically you're hashing the password, not encrypting it. If you truly encrypted it, there should be a function to decrypt it. Hashing doesn't work that way, it's a one-way function.
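The check discussed in this thread, as an added example that is not part of the original posts: it swaps the MD5 comparison for PHP's built-in password_hash()/password_verify() (salted, currently bcrypt) and keeps the MD5 form alongside for comparison. The file name gate.php, the STORED_HASH placeholder and the session flag named authenticated are assumptions.

```php
<?php
// Added example, not the script from the thread. Save as gate.php (hypothetical
// name) and require it at the top of every page you want protected.
//
// Generate the stored value once on the command line:  php gate.php
// then paste the printed hash below. The value here is a labelled placeholder.
const STORED_HASH = 'PASTE_OUTPUT_OF_php_gate.php_HERE';

if (PHP_SAPI === 'cli') {
    // Hash-generation mode: read the password from stdin so it is not left
    // in the shell history, and print a salted hash.
    fwrite(STDERR, 'Password: ');
    echo password_hash(rtrim((string) fgets(STDIN), "\r\n"), PASSWORD_DEFAULT), PHP_EOL;
    exit(0);
}

// The thread's approach, for comparison: unsalted and fast to compute, so
// anyone who obtains the file can test password guesses against it very quickly.
function check_md5(string $submitted, string $storedMd5): bool
{
    return hash_equals($storedMd5, md5($submitted)); // constant-time compare
}

// Replacement: password_verify() reads the salt and cost embedded in the
// stored hash, recomputes it, and compares in constant time.
function check_password(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

session_start();
if (empty($_SESSION['authenticated'])) {
    $submitted = $_POST['password'] ?? null;
    if (is_string($submitted) && check_password($submitted, STORED_HASH)) {
        session_regenerate_id(true);        // new session ID after login
        $_SESSION['authenticated'] = true;  // remembered across pages
    } else {
        echo '<form method="post"><label>Password: ',
             '<input type="password" name="password"></label>',
             '<input type="submit" value="Log in"></form>';
        exit; // stop here so the protected page below is never rendered
    }
}
```

Because the login state lives in the session, a visitor enters the password once and is not asked again on other pages that include the file.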
You know more PHP than I do. Hashing is a generic computer science term. It's pretty useful too!
I don't know much about php but I know better than to mess with that slackware. Can't believe you tell people you don't even know that you use that stuff. You should wait to tell people until you know them better. Only one up from Gentoo at the bottom of the ladder - Debian (proper) rules!! Only joking of course....
RJ
Slackware was the first distro I ever used and after that everything else sucked ;)