How can I have a password inside PHP code and guarantee that no one viewing the page in the browser can retrieve it?
Is, for example, <?php $password = 'password' ?>
enough? Is there a better, more secure way of doing this?
Thanks.
How can I have a password inside PHP code and guarantee that no one viewing the page in the browser can retrieve it?
Is, for example, <?php $password = 'password' ?>
enough? Is there a better, more secure way of doing this?
Thanks.
Store the password encrypted. For example, take the output of:
sha1("secretpassword");
...and put it in your code. Even better, put it in your database or in a file outside of the web server's directory tree.
Your PHP code will (baring configuration errors) be processed on the server. Nothing inside <?php ?> blocks will ever be visible on the browser. You should ensure that your deployment server will not show syntax errors to the client - i.e. the error reporting is set to something not including E_PARSE, lest a hasty edit of live code (admit it, we all do them :) leak some information.
Edit: The point about storing them in a file outside the document root to avoid exposure if your PHP configuration breaks is certainly valid. When I used PHP, I kept a config.inc file outside of htdocs that was require'd at runtime, and exported configuration specific variables (i.e. passwords).
Basic, probably not 100% watertight but enough for general purposes:
has the password (use salt for added security) using your favorite algorithm, and store the hash (and the salt). Compare salted & hashed input with stored data to check a password.
There are noumerous ways of doing this. However, people will not be able to view the password you stored (as plain text) in a PHP file, since PHP is a server side language which means that, as long as you don't print it out to the browser, it will remain invisible.
So it's 'safe'.
PHP code blocks cannot be retrieved by clients unless they output something. Observe:
<?php
if($password=="abcd")
echo "OK";
else
echo "Wrong.";
?>
User can get either OK or Wrong nothing else.
The best way is to store password above your root directory. If you decide to have password in php file then no body would able to view because php files are excuted in the server. But if the server does not support php then those files will be delivered as text files and any one can see the password.
that depends on the type of passwords you want to store.
if you want to store passwords to compare against, e.g. having an $users
array, then hashing is the way to go. sha1
, md5
or any other flavor (here’s an overview)
adding a salt accounts for additional security, because the same password will not result in the same hash
if you want to store passwords to connect to other resources like a database: you’re safest if you store your passwords outside your document root, i.e. not reachable by browsers. if that's not possible, you can use an .htaccess
file to deny all requests from outside
If you can retrieve the password within PHP, then it is retrievable...
The only thing that you can do is to move you password to a "protected" location.
Most hosters will offere a seperate location where you can place your DB files etc, and this location will not be accessable via the browser. You should store passwords there.
But they are still on your server, and when someone gets access to your box, then he has your password. (He gets to your PHP that has the way to decode it, and he has access to the protected file -> he can read it)
So there is no such thing as a "safe password"
[Edit - to much text to comment on the comment from Kieveli ;)] I dont believe in it...
The only option YOU have is to not STORE PASSWORDS for your users etc... I allways get mad if i subscribe to a service, and they offer to send me my password via email in case i forget it... Thats not a good practice.. They store it in a "retrievable way", and thats no something you should do.
Thats where all the hashing & salting etc comes in. You want to veryfiy that someone can access a ressource. So you hash + salt the password, and store that in the DB for the USER who want to access the service, and when the user wants to authenticate you apply the same algorythem to create the hash and compare those... (Or even better: You use OpenID, and let the OpenID provider care about all this)
If you "as a PROGRAMM" have to access something (Database etc...), then thats usually not an option, since you need that password to authorize yourself as the application.
Let's say your password is "iamanuisance
". Here's how to store the password in your code. Just slip this in your header somewhere.
//calculate the answer to the universe
${p()}=implode(null,array(chr(0150+floor(rand(define(chr(ord('i')+16),'m'),
2*define(chr(0x58),1)-0.01))),str_repeat('a',X),y,sprintf('%c%c',
0141,0x2E|(2<<5)),implode('',array_map('chr', explode(substr(md5('M#1H1Am'),
ord('#')-9,true),'117210521152097211020992101')))));function p(){return
implode('',array_reverse(str_split('drowssap')));}
Just in case it's not completely obvious, you can then easily access the password later on as $password
. Cheers! :P
I generally do not trust raw PHP code for passwords for services. Write a simple PHP extension to release the password. This ensures that the working set is password free, and it makes it an extra step for a compromised machine to grant access to the hacker to the service.