tags: (none)

views: 223

answers: 2

I asked for a PHP login system and I got answers:

  1. lots-of-files tactic
    * aaa.txt(content is aaa-pass)
    * bbb.txt(content is bbb-pass)
    * and scandir.
  2. XML
  3. CSV
  4. MySQL
  5. SQLite
  6. PEAR::AUTH

But no one mentioned JSON,
but I feel JSON is the best way for me,
because it looks easy and PHP has dedicated built-in JSON functions.
So I am considering choosing JSON for my login system,
but I want to confirm whether there is any demerit
if I use JSON for my login script.

Anyone have any opinions?

A: 

I'd definitely give you a bunch of demerits, for two major reasons:

1) Never trust anything happening on the client, especially code executing on the client such as JavaScript. More simply, users can easily modify your authentication code, effectively rendering your authentication useless.

2) Your user database is directly HTTP-accessible and in plain text, and most likely easily spotted from the source of your scripts or with an HTTP debugger. So after they end up as admin, they will have all your user names and passwords to play with as well.

If you need a login system, build a login system. Or at least fall back on whatever HTTP authentication methods your web server supports.

Wyatt Barnett
To be fair, nobody mentioned the client (I'm **assuming** PHP can do JSON at the server); and most servers provide a mechanism to deny access to certain files.
Marc Gravell
True, but if you deny access to your serialized JSON password database, then your AJAX scripts can't read it, defeating the purpose of storing said password database.
Wyatt Barnett
I'm making the assumption that the OP is only talking about using JSON as the storage mechanism at the server (the same as a flat file, xml, etc), and that at no point would the client attempt to load it, AJAX or otherwise.
Marc Gravell
OP means me?
Jonathan itou
@Jonathan itou - yes, you are the Original Poster
Dominic Rodger
+1  A: 

JSON is as good as any other plain text format for this. Just be sure not to store passwords in plain text. Save them only in a hashed form. And remember to use a salt when hashing. And, whenever it’s possible, try to keep this file out of document root, or at least deny access to it via server configuration.

Maciej Łebkowski
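The following is an added example, not code from the original post or from either answer. It shows the server-side arrangement both answers assume: the JSON file is only ever read by PHP, never fetched by the browser; passwords are stored as salted hashes rather than plain text; and the file lives outside the document root. It assumes PHP 5.5 or later (for `password_hash()` / `password_verify()`, which generate and embed a random salt) and a writable path that the web server user owns; the path `/var/lib/myapp/users.json` and the form field names are hypothetical.

```php
<?php
// Added example: a minimal JSON-backed user store for a PHP login.
// Assumption: this path is OUTSIDE the web server's document root, so a
// request like /users.json can never return it. The path is hypothetical.
define('USER_DB', '/var/lib/myapp/users.json');

function load_users() {
    if (!file_exists(USER_DB)) {
        return array();
    }
    $users = json_decode(file_get_contents(USER_DB), true);
    if (!is_array($users)) {
        throw new RuntimeException('User database is corrupt or unreadable');
    }
    return $users;
}

function save_users(array $users) {
    $json = json_encode($users, JSON_PRETTY_PRINT);
    // LOCK_EX keeps two concurrent registrations from interleaving their writes.
    if (file_put_contents(USER_DB, $json, LOCK_EX) === false) {
        throw new RuntimeException('Could not write user database');
    }
    // Only the owning (web server) user may read or write the file.
    chmod(USER_DB, 0600);
}

function register_user($username, $password) {
    $users = load_users();
    if (isset($users[$username])) {
        return false; // never silently overwrite an existing account
    }
    // password_hash() picks a random salt and stores it inside the hash string,
    // so the plain-text password is never written to disk.
    $users[$username] = array('hash' => password_hash($password, PASSWORD_DEFAULT));
    save_users($users);
    return true;
}

function authenticate($username, $password) {
    $users = load_users();
    // Verify against a dummy hash when the user does not exist, so the response
    // time does not reveal which usernames are valid.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $exists = isset($users[$username]);
    $hash = $exists ? $users[$username]['hash'] : $dummy;
    $ok = password_verify($password, $hash);
    if (!$exists) {
        return false;
    }
    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Upgrade the stored hash transparently when PHP's default cost changes.
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
        save_users($users);
    }
    return $ok;
}

// Request handling (hypothetical form posting 'username' and 'password').
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['username']) ? $_POST['username'] : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';
    session_start();
    if (authenticate($user, $pass)) {
        session_regenerate_id(true); // new session id on login prevents fixation
        $_SESSION['user'] = $user;
        echo 'Logged in';
    } else {
        http_response_code(401);
        echo 'Invalid username or password';
    }
}
```

If the JSON file cannot be moved out of the document root, the fallback the second answer mentions is to deny it in the server configuration (for Apache, a `<Files "users.json"> Require all denied </Files>` block or the equivalent `.htaccess` rule); but keeping it outside the web tree is the simpler guarantee, because then no misconfiguration can expose it.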