[FX.php List] Password encryption and PHP security

Bob Patin bob at patin.com
Tue Nov 13 16:29:33 MST 2007


I've used SSL with FM6 many times; I haven't tried it with PHP, but I've
used it a lot with CDML. I'm not sure why there would be any issues;
someone correct me, but why can you not just use SSL for the input
form and stay in SSL until the process is complete?

Best,

Bob Patin
Longterm Solutions
bob at longtermsolutions.com
615-333-6858
http://www.longtermsolutions.com
Member of FileMaker Business Alliance and FileMaker TechNet

On Nov 13, 2007, at 4:52 PM, Lindal, Mark wrote:

> re: password encryption
> We are stuck in FM6 unlimited for a bit, so SSL is not as
> straightforward as when we upgrade to version 9, as I understand.
> Other suggestions include some password hashing and storing a "hashed"
> password in the database.  That seems a bit extreme and will involve
> a bit more work.
> Any thoughts?
>
>
> -----Original Message-----
> From: Bob Patin [mailto:bob at patin.com]
> Sent: Tue 11/13/2007 5:21 PM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] Password encryption and PHP security
>
> Mark,
>
> Why didn't you just put an SSL cert on the submission form? That would
> encrypt the form and is easy enough to do...
>
> Bob Patin
>
> --------------------------
>
> On Nov 13, 2007, at 3:54 PM, Lindal, Mark wrote:
>
>> Our IT people have shut down our FileMaker database and Bookstore.
>>
>> There were two issues:
>> 1. The server started trying to access remote devices and sites
>> 2. They are concerned about the PHP security, in particular the
>> non-encryption of passwords.
>> My form is:
>> <form action="loginok_e.php" method="post" name="login_e">
>>     <input type="hidden" name="action" value="current">
>>     <input type="hidden" name="lastpage" value="<? echo $referpage;?>">
>>     <input type="hidden" name="flag" value="login_e">
>>     <!-- This may come in handy if we want to avoid sending a person to a change page.-->
>>     <table width="396" border="0" cellspacing="2" cellpadding="0">
>>         <tr>
>>             <td width="95">UserID:</td>
>>             <td width="10"></td>
>>             <td width="200"><input type="text" name="userid" value="<? if($CustomerNumber!=0) {echo $customerdata['userid'][0];}?>" size="30"></td>
>>             <td class="button2" rowspan="2" width="100"><input type="submit" name="login" value="Login"></td>
>>         </tr>
>>         <tr>
>>             <td width="95">Password:</td>
>>             <td width="10"></td>
>>             <td width="200"><input type="password" name="Password" size="30"></td>
>>         </tr>
>>     </table>
>>     <input onclick="location.href='login_e.php?action=new'" type="button" name="new" value="New Customer">
>>     <input onclick="location.href='getuserid_e.php'" type="button" name="new" value="Forgot my userID or Password">
>> </form>
>>
>> When receiving the login form I do the following:
>> if(isset($_POST['userid'])) {$CustomerID = $_POST['userid']; } else {$CustomerID='';}
>> if(isset($_POST['Password'])) {$Password = $_POST['Password']; } else {$Password='';}
>>
>> if($CustomerID=='' or $Password=='') {header("Location: $error1url"); exit;}
>>
>> if($CustomerID!='' && $Password!='') {
>>       $viewcustomer=new FX($serverIP,$webCompanionPort);
>>       $viewcustomer->SetDBPassword($db_password);
>>       $viewcustomer->SetDBData('PUB_WebClient_.fp5','ForWeb');
>>       $viewcustomer->AddDBParam('userid',$CustomerID, 'eq');
>>       $viewcustomer->AddDbParam('Password',$Password, 'eq');
>>       $viewcustomerResult=$viewcustomer->FMFind();
>> } else {
>>       header( "Location: $error1url" );
>>       exit;
>> }
>> if($viewcustomerResult['errorCode']!=0) {
>>       header( "Location: $error1url" );
>>       exit;
>> }
>>
>> Any ideas?
>
>
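
The "hashed password" suggestion quoted in this thread, sketched as an added example (not code from any poster or from FX.php): look the customer up by userid only, verify the password in PHP, and upgrade legacy plaintext rows on first successful login. `$records` and `check_login` are hypothetical names; the array is a constructed stand-in for the customer table, and the built-ins assume PHP 7.4 or later.

```php
<?php
// Added example (not from the thread). $records is a constructed stand-in for
// the customer table: one legacy plaintext row and one already-hashed row.
$records = [
    'cust1001' => 'summer2007',                                   // legacy plaintext
    'cust1002' => password_hash('tr0ub4dor&3', PASSWORD_DEFAULT), // already migrated
];

// Returns true on a valid login. The record is fetched by userid alone and the
// password is checked here, instead of being sent as a second find criterion.
function check_login(array &$records, string $userid, string $password): bool
{
    if ($userid === '' || $password === '' || !isset($records[$userid])) {
        return false;
    }
    $stored = $records[$userid];

    if (empty(password_get_info($stored)['algo'])) {
        // Legacy row: the stored value is not a recognised hash, so compare the
        // plaintext in constant time and replace it with a hash on success.
        if (!hash_equals($stored, $password)) {
            return false;
        }
        $records[$userid] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash if the default algorithm or cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $records[$userid] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(check_login($records, 'cust1001', 'summer2007')); // legacy row, upgraded on success
var_dump(check_login($records, 'cust1001', 'summer2007')); // same row, now checked by hash
var_dump(check_login($records, 'cust1002', 'wrong'));      // bad password on a hashed row
var_dump($records['cust1001'] !== 'summer2007');           // plaintext no longer stored
```

Hashing protects the stored passwords only; the form submission still travels in clear text unless the page is served over SSL, as discussed above.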
