[FX.php List] Password encryption and PHP security

Lindal, Mark mlindal at pfc.cfs.nrcan.gc.ca
Tue Nov 13 15:52:29 MST 2007


re: password encryption
We are stuck in FM6 Unlimited for a bit, so SSL is not as straightforward as it will be when we upgrade to version 9, as I understand it.
Other suggestions include some password hashing and storing the "hashed" password in the database. That seems a bit extreme and will involve a bit more work.
Any thoughts?


-----Original Message-----
From: Bob Patin [mailto:bob at patin.com]
Sent: Tue 11/13/2007 5:21 PM
To: FX.php Discussion List
Subject: Re: [FX.php List] Password encryption and PHP security
 
Mark,

Why didn't you just put an SSL cert on the submission form? That would encrypt the form and is easy enough to do...

Bob Patin

--------------------------

On Nov 13, 2007, at 3:54 PM, Lindal, Mark wrote:

> Our IT people have shut down our filemaker database and Bookstore.
>
> There were two issues:
> 1. The server started trying to access remote devices and sites
> 2. They are concerned about the PHP security, in particular the
> non-encryption of passwords.
> My form is:
> <form action="loginok_e.php" method="post" name="login_e">
>     <input type="hidden" name="action" value="current">
>     <input type="hidden" name="lastpage" value="<? echo $referpage;?>">
>     <input type="hidden" name="flag" value="login_e">
>     <!-- This may come in handy if we want to avoid sending a person to a change page.-->
>     <table width="396" border="0" cellspacing="2" cellpadding="0">
>         <tr>
>             <td width="95">UserID:</td>
>             <td width="10"></td>
>             <td width="200"><input type="text" name="userid" value="<? if($CustomerNumber!=0) {echo $customerdata['userid'][0];}?>" size="30"></td>
>             <td class="button2" rowspan="2" width="100"><input type="submit" name="login" value="Login"></td>
>         </tr>
>         <tr>
>             <td width="95">Password:</td>
>             <td width="10"></td>
>             <td width="200"><input type="password" name="Password" size="30"></td>
>         </tr>
>     </table>
>     <input onclick="location.href='login_e.php?action=new'" type="button" name="new" value="New Customer">
>     <input onclick="location.href='getuserid_e.php'" type="button" name="new" value="Forgot my userID or Password">
> </form>
>
> When receiving the login form I do the following:
> if(isset($_POST['userid'])) {$CustomerID = $_POST['userid']; } else {$CustomerID='';}
> if(isset($_POST['Password'])) {$Password = $_POST['Password']; } else {$Password='';}
>
> if($CustomerID=='' or $Password=='') {header("Location: $error1url"); exit;}
>
> if($CustomerID!='' && $Password!='') {
>     $viewcustomer=new FX($serverIP,$webCompanionPort);
>     $viewcustomer->SetDBPassword($db_password);
>     $viewcustomer->SetDBData('PUB_WebClient_.fp5','ForWeb');
>     $viewcustomer->AddDBParam('userid',$CustomerID, 'eq');
>     $viewcustomer->AddDBParam('Password',$Password, 'eq');
>     $viewcustomerResult=$viewcustomer->FMFind();
> } else {
>     header( "Location: $error1url" );
>     exit ;
> }
> if($viewcustomerResult['errorCode']!=0) {
>     header( "Location: $error1url" );
>     exit ;
> }
>
> Any ideas?
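What the "store a hashed password in the database" suggestion looks like when applied to the login handler quoted above. This is an added example, not code from either poster or from FX.php itself. It assumes a FileMaker field named PasswordHash on the ForWeb layout (the name is hypothetical), PHP 5.5 or later for password_hash()/password_verify(), and that FX.php is loaded from the path shown (also an assumption). The FX.php calls and result keys (errorCode, foundCount, data) are the ones the original handler already relies on.

```php
<?php
// Added example, not the original poster's code and not part of FX.php.
// The record keeps only a bcrypt hash in an assumed field "PasswordHash";
// the cleartext password from the form is never sent to FileMaker as a
// find criterion, so it never appears in Web Companion logs or finds.
require_once 'FX/FX.php';   // path is an assumption

// Called when a customer is created or changes their password.
// Returns the string to store in the PasswordHash field.
function makePasswordHash($password)
{
    // bcrypt with a random per-user salt generated by PHP (default cost).
    return password_hash($password, PASSWORD_BCRYPT);
}

// Look the customer up by userid only, then verify the hash in PHP.
// Returns the matching record (FX.php field => array of values) or false.
function verifyLogin($serverIP, $webCompanionPort, $db_password, $userid, $password)
{
    // Same empty-field rejection as the original handler.
    if ($userid === '' || $password === '') {
        return false;
    }

    $fx = new FX($serverIP, $webCompanionPort);
    $fx->SetDBPassword($db_password);
    $fx->SetDBData('PUB_WebClient_.fp5', 'ForWeb');
    $fx->AddDBParam('userid', $userid, 'eq');   // no Password criterion any more
    $result = $fx->FMFind();

    // errorCode is FileMaker's own code (401 = no records match).
    // foundCount must be exactly 1: a userid that matches several records
    // (FileMaker find operators, duplicates) must not log anyone in.
    if (!is_array($result) || $result['errorCode'] != 0 || $result['foundCount'] != 1) {
        return false;
    }

    $record = reset($result['data']);            // data is keyed by recid.modid
    $stored = isset($record['PasswordHash'][0]) ? $record['PasswordHash'][0] : '';

    // password_verify re-hashes with the salt embedded in $stored and
    // compares in constant time; an empty hash means "no password set".
    if ($stored === '' || !password_verify($password, $stored)) {
        return false;
    }
    return $record;
}

// loginok_e.php usage; $serverIP, $webCompanionPort, $db_password and
// $error1url come from the site's config exactly as in the original.
$CustomerID = isset($_POST['userid'])   ? $_POST['userid']   : '';
$Password   = isset($_POST['Password']) ? $_POST['Password'] : '';

$customer = verifyLogin($serverIP, $webCompanionPort, $db_password, $CustomerID, $Password);
if ($customer === false) {
    header("Location: $error1url");
    exit;
}
```

Two practical notes. First, the existing cleartext Password field has to be converted once: run makePasswordHash() over each record into PasswordHash, then blank the old field, since an unchanged cleartext copy defeats the point. Second, hashing only protects the passwords at rest; the form still posts the cleartext password across the network, which is the problem Bob's SSL suggestion addresses, so the two measures are complementary rather than alternatives.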

