[FX.php List] Password encryption and PHP security

Bob Patin bob at patin.com
Tue Nov 13 16:37:21 MST 2007


I also use SSL all the time with my PHP sites... I don't know why FM6  
would make any difference. Someone correct me if I'm wrong, but what  
would be the difference between using an FM6 database and an FM8 or 9  
database?


On Nov 13, 2007, at 5:29 PM, Bob Patin wrote:

> I've used SSL with FM6 many times; I haven't tried it with PHP, but  
> used it a lot with CDML. I'm not sure why there would be any issues;  
> someone correct me, but why can you not just use SSL for the input  
> form, stay in SSL until the process is complete?
>
> Best,
>
> Bob Patin
> Longterm Solutions
> bob at longtermsolutions.com
> 615-333-6858
> http://www.longtermsolutions.com
> Member of FileMaker Business Alliance and FileMaker TechNet
>
>  CONTACT US VIA INSTANT MESSAGING:
>     AIM or iChat: longterm1954
>     Yahoo: longterm_solutions
>     MSN: tech at longtermsolutions.com
>     ICQ: 159333060
>
> --------------------------
> Contact us for FileMaker hosting for all versions of FileMaker
> PHP • CDML • Full email services • Free DNS hosting • Colocation •  
> Consulting
>
> On Nov 13, 2007, at 4:52 PM, Lindal, Mark wrote:
>
>> re: password encryption
>> We are stuck in FM6 unlimited for a bit so SSL is not as  
>> straightforward as when we upgrade to version 9 as I understand.
>> Other suggestions include some password hashing and storing  
>> "hashed" password in the database.  That seems a bit extreme and  
>> will involve a bit more work.
>> Any thoughts?
>>
>>
>> -----Original Message-----
>> From: Bob Patin [mailto:bob at patin.com]
>> Sent: Tue 11/13/2007 5:21 PM
>> To: FX.php Discussion List
>> Subject: Re: [FX.php List] Password encryption and PHP security
>>
>> Mark,
>>
>> Why didn't you just put an SSL cert on the submission form? That  
>> would
>> encrypt the form and is easy enough to do...
>>
>> Bob Patin
>>
>> --------------------------
>>
>> On Nov 13, 2007, at 3:54 PM, Lindal, Mark wrote:
>>
>>> Our IT people have shut down our FileMaker database and Bookstore.
>>>
>>> There were two issues:
>>> 1. The server started trying to access remote devices and sites
>>> 2. They are concerned about the PHP security, in particular the
>>> non-encryption of passwords.
>>> My form is:
>>> <form action="loginok_e.php" method="post" name="login_e">
>>>   <input type="hidden" name="action" value="current">
>>>   <input type="hidden" name="lastpage" value="<? echo $referpage;?>">
>>>   <input type="hidden" name="flag" value="login_e">
>>>   <!-- This may come in handy if we want to avoid sending a person to a change page.-->
>>>   <table width="396" border="0" cellspacing="2" cellpadding="0">
>>>     <tr>
>>>       <td width="95">UserID:</td>
>>>       <td width="10"></td>
>>>       <td width="200"><input type="text" name="userid" value="<? if($CustomerNumber!=0) {echo $customerdata['userid'][0];}?>" size="30"></td>
>>>       <td class="button2" rowspan="2" width="100"><input type="submit" name="login" value="Login"></td>
>>>     </tr>
>>>     <tr>
>>>       <td width="95">Password:</td>
>>>       <td width="10"></td>
>>>       <td width="200"><input type="password" name="Password" size="30"></td>
>>>     </tr>
>>>   </table>
>>>   <input onclick="location.href='login_e.php?action=new'" type="button" name="new" value="New Customer">
>>>   <input onclick="location.href='getuserid_e.php'" type="button" name="new" value="Forgot my userID or Password">
>>> </form>
>>>
>>> When receiving the login form I do the following:
>>> if(isset($_POST['userid'])) {$CustomerID = $_POST['userid'];} else {$CustomerID='';}
>>> if(isset($_POST['Password'])) {$Password = $_POST['Password'];} else {$Password='';}
>>>
>>> if($CustomerID=='' or $Password=='') {header("Location: $error1url"); exit;}
>>>
>>> if($CustomerID!='' && $Password!='') {
>>>     $viewcustomer=new FX($serverIP,$webCompanionPort);
>>>     $viewcustomer->SetDBPassword($db_password);
>>>     $viewcustomer->SetDBData('PUB_WebClient_.fp5','ForWeb');
>>>     $viewcustomer->AddDBParam('userid',$CustomerID, 'eq');
>>>     $viewcustomer->AddDBParam('Password',$Password, 'eq');
>>>     $viewcustomerResult=$viewcustomer->FMFind();
>>> } else {
>>>     header("Location: $error1url");
>>>     exit;
>>> }
>>> if($viewcustomerResult['errorCode']!=0) {
>>>     header("Location: $error1url");
>>>     exit;
>>> }
>>>
>>> Any ideas?
>>
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>
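An added example, not code from this thread or from FX.php, of the "hashed password in the database" approach Mark mentions. The point it shows is structural: the login handler finds the record by userid only and checks the password in PHP, so the cleartext password is never sent to FileMaker as a find criterion and the database never holds it. It uses password_hash()/password_verify() (PHP 5.5 and later, so newer than the thread); the $records array is a constructed stand-in for the data portion of an FX.php FMFind() result, and the field name PasswordHash is assumed.

```php
<?php
// Added example; not the thread's or FX.php's own code.
// Registration side: this is the only thing ever written to the database
// in place of the cleartext password. password_hash() generates and embeds
// its own salt, so no separate salt field is needed.
function make_password_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// A hash of a throwaway value, used so that an unknown userid costs the same
// time as a wrong password and the response does not reveal which it was.
define('DUMMY_HASH', make_password_hash('not-a-real-password'));

// $records stands in for the record array FX.php returns: one entry per
// record, each field an array of repetitions. With FX.php the find itself
// would use only AddDBParam('userid', $userid, 'eq'), never the password.
function find_customer(array $records, string $userid): ?array
{
    foreach ($records as $record) {
        if (hash_equals($record['userid'][0], $userid)) {
            return $record;
        }
    }
    return null;
}

// Returns true only when the userid exists and the password matches its hash.
function login(array $records, string $userid, string $password): bool
{
    if ($userid === '' || $password === '') {
        return false;
    }
    $record = find_customer($records, $userid);
    $stored = $record['PasswordHash'][0] ?? DUMMY_HASH;   // assumed field name
    $ok = password_verify($password, $stored);
    return $ok && $record !== null;
}

// Constructed sample data, as if read back from the FileMaker file.
$records = [
    '12.1' => [
        'userid'       => ['mark'],
        'PasswordHash' => [make_password_hash('correct horse battery staple')],
    ],
];

foreach ([
    ['mark',   'correct horse battery staple'],
    ['mark',   'wrong password'],
    ['nobody', 'anything'],
] as [$userid, $password]) {
    echo $userid, ': ', login($records, $userid, $password) ? "ok" : "denied", "\n";
}
```

The hashing costs one extra find-and-compare step per login and one column change in the file, which is the "bit more work" Mark anticipates; it is independent of SSL, which protects the password on the wire but not in the stored data.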


