when using login functionalty in webpage, best practice validating inputed data?
i'm not talking big scale of users single admin role. webpage not using databases , therefore don't want include funtionallity 1 account.
at moment use if-statement inputed data , hardcoded password , somehow feels unsafe @ same time users can't see php-code long don't server, or wrong?
if($password == 'mypassword123') by way, there way of downloading actual .php file server (from user perspective).
hash password! never store in plaintext.
and stop misconfiguration revealing password store password outside of web root if php reveal code, client/attacker not access actual hash/file. here simple example using crypt() function inside simple user function check pass.
<?php function check_pass($password){ $chkpass = file_get_contents(dirname(__file__).'/../path_outside/webroot/adminpass.txt'); if(crypt($password, $chkpass) == $chkpass){ return true; }else{ return false; } } /* file adminpass.txt contains hash $1$mh0.l.1.$anx9btlqpfgpkaxk4bdym. mypassword in plaintext */ if (check_pass($_post['password'])) { echo "ok!"; }else{ echo "fail!"; } ?> 
Comments
Post a Comment