tags:

views:

55

answers:

4
Q: 

Secure password list in PHP

Hello, I'm thinking about storing list of passwords for users (eventually more info about them) of small-scale (max. 20 users) app in PHP file in directory like public_html_root/system/config/

<?php if($calledByApp !== true) die();
  $pwds['username1'] = 'hispassword';
  $pwds['username2'] = 'herpassword';
  $pwds['username3'] = 'anotheroned';
?>

Now. hispassword is actually hashed version

$hashedpasword = sha1($password.sha1($salt));

This way, if file is included, it checks for $calledByApp, which is set upon starting from entry point - i.e. index.php in root, so we could say it's safe this way. If it's called directly from browser - it won't get served as text file, but rather as PHP file - and it will die also, since $calledByApp will return null or false.

Also, if another user is stored/deleted, the file gets rebuilt, so it reflects all users. And after including this file, we have all users in pretty array, so if we call 

if (is_string($pwds[$sanitized_username]) 
&& ($pwds[$sanitized_username] === $sanitized_sha1_userpassword))

we'll do login.

My question is: Is this safe enough?

Clarification: DB for users seems to be a bit overkill - another table for max 20 users. Also, while this doesn't check if user is real, it won't do anything with DB - looks like added security too.

A: 

It's always safer to store the encrypted passwords in a database.

If you are using a database then I would store user data in there. If not then I would look to start using one.

Lizard  2010-02-10 11:25:59
Yeah, well, I should clarify, that it seems to be a bit overkill - another table for **max** 20 users. Also, while this doesn't check if user *is* real, it won't do anything with DB - looks like added security too.
Adam Kiss  2010-02-10 11:27:39
@Adam you could use sqlite. It's pretty lightweight.
Gordon  2010-02-10 11:51:04
@Gordon - am I not screwed if no SQLite on server?
Adam Kiss  2010-02-10 11:55:35
@Adam well, yes, you cannot use it then. But it's not like you *have* to use it anyway. I just wanted to suggest one that you wouldn't have to be concerned about being overkill, since it's a flatfile anyway.
Gordon  2010-02-10 12:07:34
@Gordon, yes, good suggestion. I'm just taking all possibilities to account :] And situation is, that I met with pretty strange and f*cked up hostings nowadays...
Adam Kiss  2010-02-10 12:45:12
+5  A: 

If for some reason mod_php has a hiccup it could result in httpd showing the uninterpreted file; store the script outside of the document root in order to fix this.

Ignacio Vazquez-Abrams  2010-02-10 11:27:37
Well, of course it won't be in root (e.g.`myapp.com/admin`), more like i wrote up there (edited v.)
Adam Kiss  2010-02-10 11:32:26
+3  A: 

I would rather place that file outside of document root instead of relying on the PHP interpreter not failing for any reason.

kemp  2010-02-10 11:28:33
Well, of course it won't be in root (e.g.`myapp.com/admin`), more like i wrote up there (edited v.)
Adam Kiss  2010-02-10 11:31:55
I mean completely outside of the tree accessible from the web browser, not in a subdir of your root.
kemp  2010-02-10 11:33:02
+1  A: 

No - this is a really bad idea.

By making your souce code files writeable you open a whole avenue for attacking your system. Embedding data into source code is a messy practice - not least because it will not scale. What happens if the file is locked for an update when a script tries to include it? What happens when the connection to the browser is lost part way through writing the file?

If you're quite sure that you'll only ever have a very small number of users and a low level of concurrency then abetter solution by far would be to have a seperate directory, with all http access denied, containing one file per user, named with the username (or a hash of it if you prefer) containing the hashed password.

C.

symcbean  2010-02-10 12:48:33

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases