[FX.php List] Password encryption and PHP security

Lindal, Mark mlindal at pfc.forestry.ca
Tue Nov 13 14:54:01 MST 2007


Our IT people have shut down our FileMaker database and Bookstore.

There were two issues:
1. The server started trying to access remote devices and sites
2. They are concerned about the PHP security, in particular the
non-encryption of passwords.
My form is:
<form action="loginok_e.php" method="post" name="login_e">
    <input type="hidden" name="action" value="current">
    <input type="hidden" name="lastpage" value="<?php echo htmlspecialchars($referpage); ?>">
    <input type="hidden" name="flag" value="login_e"> <!-- This may come in handy if we want to avoid sending a person to a change page. -->
    <table width="396" border="0" cellspacing="2" cellpadding="0">
        <tr>
            <td width="95">UserID:</td>
            <td width="10"></td>
            <td width="200"><input type="text" name="userid" value="<?php if ($CustomerNumber != 0) { echo htmlspecialchars($customerdata['userid'][0]); } ?>" size="30"></td>
            <td class="button2" rowspan="2" width="100"><input type="submit" name="login" value="Login"></td>
        </tr>
        <tr>
            <td width="95">Password:</td>
            <td width="10"></td>
            <td width="200"><input type="password" name="Password" size="30"></td>
        </tr>
    </table>
    <input onclick="location.href='login_e.php?action=new'" type="button" name="new" value="New Customer">
    <input onclick="location.href='getuserid_e.php'" type="button" name="new" value="Forgot my userID or Password">
</form>

When receiving the login form I do the following:
// Read the posted credentials, defaulting to empty strings.
if (isset($_POST['userid']))   { $CustomerID = $_POST['userid']; }   else { $CustomerID = ''; }
if (isset($_POST['Password'])) { $Password   = $_POST['Password']; } else { $Password   = ''; }

// Reject an incomplete login before touching the database.
if ($CustomerID == '' or $Password == '') { header("Location: $error1url"); exit; }

// Find the customer record whose userid AND Password both match exactly
// (the password is stored in clear text and sent to FileMaker as a find value).
$viewcustomer = new FX($serverIP, $webCompanionPort);
$viewcustomer->SetDBPassword($db_password);
$viewcustomer->SetDBData('PUB_WebClient_.fp5', 'ForWeb');
$viewcustomer->AddDBParam('userid', $CustomerID, 'eq');
$viewcustomer->AddDBParam('Password', $Password, 'eq');
$viewcustomerResult = $viewcustomer->FMFind();

// Any FileMaker error (a find that matches nothing included) sends the user back.
if ($viewcustomerResult['errorCode'] != 0) { header("Location: $error1url"); exit; }

Any ideas?

------------------------------
Mark Lindal
mlindal at nrcan.gc.ca
250-363-0603
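
The login above only works because the clear-text password is stored in the FileMaker field and matched with an 'eq' find. As an added example (not Mark's code and not part of FX.php), this is the same flow with the record found by userid alone and the submitted password checked with password_verify() against a password_hash() value; the field name PasswordHash and the helper names are assumptions, the FX.php calls are the ones used in the post, and the result's 'data' array is taken to be one record of field => array of values, as the $customerdata['userid'][0] access in the form implies.

```php
<?php
// Added example (not from the post or FX.php): hashed passwords with FX.php.
// Assumed: a FileMaker field "PasswordHash" holds the password_hash() output.
// Requires PHP 7.1+ (nullable types; password_hash() itself exists since 5.5).

// Run when a customer sets or changes a password; store the returned string
// in PasswordHash instead of the clear-text password.
function hash_for_storage(string $plain): string {
    return password_hash($plain, PASSWORD_DEFAULT);   // bcrypt with a random salt
}

// Find the customer by userid ONLY: the password is never sent to FileMaker
// as a find criterion, so it is neither compared nor logged on that side.
function find_customer(FX $fx, string $userid): ?array {
    $fx->AddDBParam('userid', $userid, 'eq');
    $result = $fx->FMFind();
    if ($result['errorCode'] != 0 || count($result['data']) != 1) {
        return null;                 // FileMaker error, no match, or duplicates
    }
    return reset($result['data']);   // the single record: field => array of values
}

// Check the submitted password against the stored hash. An unknown userid is
// verified against a dummy hash so it costs the same as a wrong password.
function login_ok(?array $record, string $submitted): bool {
    static $dummy = null;
    if ($dummy === null) { $dummy = password_hash('dummy', PASSWORD_DEFAULT); }
    $stored = $record['PasswordHash'][0] ?? $dummy;   // ?? is safe on a null record
    return password_verify($submitted, $stored) && $record !== null;
}

// Request handling, mirroring the flow in the post.
$CustomerID = isset($_POST['userid'])   ? (string) $_POST['userid']   : '';
$Password   = isset($_POST['Password']) ? (string) $_POST['Password'] : '';
if ($CustomerID === '' || $Password === '') { header("Location: $error1url"); exit; }

$fx = new FX($serverIP, $webCompanionPort);
$fx->SetDBPassword($db_password);
$fx->SetDBData('PUB_WebClient_.fp5', 'ForWeb');
if (!login_ok(find_customer($fx, $CustomerID), $Password)) {
    header("Location: $error1url"); exit;
}
// Reached only with a verified password; continue as before.
```

Hashing covers the stored password only; the form still has to be served and posted over HTTPS, or the password crosses the network in clear text regardless of how it is stored.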