Protecting Passwords -- Encryption needed?

I wrote a simple php script where I can post news to my website.  There
is an html page (makenews.html) that has forms for username (in this
example it is 'admin'), password (in this example it is 'admin'),
subject line and message body.  Once I fill out the information and
click submit, the html page sends the info to makenews.php.  This
script starts out with:

if ($_POST["username"] == "admin" && $_POST["password"] == "admin"){
   //do all of the news posting stuff here
} else {
   //some warning/error message is echoed
}

So my question: This php script is going to be containing my unique
username and password once I decide if it is safe or not.  Is it?  I
put it up for a minute and tried to download the actual php file but
every time I just got a file containing my error message echo.  But I
still don't feel very safe having my password in plain text like that.
What should I do about this?

And if you guys don't mind I have another simple question that I don't
feel deserves its own topic.  In relation to this...
I have the following code in makenews.html
Enter Body:<br><textarea name="body" cols=30 rows=10></textarea>
Which works fine except that any new lines that are entered in this
text area are omitted in $_POST["body"].  If I physically type a <p> or
<br> tag into the textarea it gets properly interpreted but I know
there has to be another way.  For example as I'm typing right now, I
could hit enter a few times and it will be recorded and transferred
into my topic.  What are the escape characters for a new line in a php
string and what can I do about this?

Thanks in advance for all the help -- you guys (and gals) are great

Re: Protecting Passwords -- Encryption needed?

I forgot to mention that I have searched far and wide for solutions to
both problems.  I'm asking you all as a last resort -- if you have any
links with further info please do share.  I'm more than happy to learn
about it on my own but I simply couldn't find a possible solution.  Any
password/encryption stuff I searched for seemed to want to talk about
mySQL which I have no idea what is (some sort of database?) -- or if I
would even want to get involved in another huge task.


Re: Protecting Passwords -- Encryption needed?

Robizzle wrote:

There are really two independent questions here:

1. Can the user name and password hard-coded into a PHP script be
   read by other users of your server (including administrators)?

   The answer: ON A PROPERLY CONFIGURED SERVER, no.  But you
   cannot be sure of the proper configuration on a Web hosting
   company's server.  Hence, a simple recommendation:

   if ($_POST["username"] == 'admin' and
       md5($_POST["password"]) == '21232f297a57a5a743894a0e4a801fc3'){
     //do all of the news posting stuff here
   } else {
     //some warning/error message is echoed
   }

   The string 21232f297a57a5a743894a0e4a801fc3, as you can guess,
   is the MD5 hash of the word "admin".  So even if the Web hosting
   company's administrators can take a peek at your files, all they
   would see is a hash of the password, not the actual password.

2. Can the data I put into a form (including user name and password)
   be intercepted in transit?

   Theoretically, yes.  How often it actually occurs is anyone's
   guess.  The protection here is to transmit data over secure
   HTTP (https://), but that requires availability of SSL on the
   server.  In practice, this is often believed to be redundant
   for simple content management applications; the cost of
   security measures seems to exceed probable losses from absence
   of security...  


Re: Protecting Passwords -- Encryption needed?

Robizzle wrote:

NC answered your first question well, so no reason for me to suggest the
same thing here.


For the text that is posted from the textarea, the newline characters
are submitted. Your problem is that you simply echo the result. The
thing to remember is that a textarea field acts just like plain text.
When it is rendered in the browser, the whitespace like new lines are
replaced with a single space. Try using nl2br($_POST['body']) which will
add <br /> tags with your newline characters for a (more) proper HTML

Justin Koivisto, ZCE -
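
Added example, not part of the original posts: one way to write the makenews.php check so the file holds a salted, slow password hash (PHP's password_hash() and password_verify()) instead of an unsalted MD5, which for a common word can be found in precomputed lookup tables, and to display the textarea body with its line breaks while escaping any HTML in it. The function names check_login() and render_body() and the sample input are assumptions made for this illustration.

```php
<?php
// Added example; check_login() and render_body() are hypothetical names.
declare(strict_types=1);

const ADMIN_USER = 'admin'; // username from the thread's example

// Returns true only when both the username and the password match.
function check_login($user, $pass, string $storedHash): bool
{
    // $_POST fields can arrive as arrays (username[]=x); accept strings only.
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    // Evaluate both comparisons every time so the response time does not
    // reveal which of the two fields was wrong.
    $userOk = hash_equals(ADMIN_USER, $user);
    $passOk = password_verify($pass, $storedHash);
    return $userOk && $passOk;
}

// Escape HTML first, then turn newlines into <br /> tags for display.
function render_body(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

// Demo only: a real script stores the output of password_hash() as a string
// literal, generated once offline, and never contains the password itself.
$storedHash = password_hash('admin', PASSWORD_DEFAULT);

// Constructed sample of what makenews.html would submit.
$post = [
    'username' => 'admin',
    'password' => 'admin',
    'body'     => "First line\nSecond line with <b>tags</b>",
];

if (check_login($post['username'] ?? null, $post['password'] ?? null, $storedHash)) {
    echo render_body($post['body']), "\n";
} else {
    echo "Login failed\n";
}

// Also exercise a wrong password and an array-valued username field.
var_dump(check_login('admin', 'wrong', $storedHash));
var_dump(check_login(['admin'], 'admin', $storedHash));
```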
