[FX.php List] Password encryption and PHP security

Gjermund Gusland Thorsen ggt667 at gmail.com
Wed Nov 14 00:20:33 MST 2007


Instead of
---
       $viewcustomer->AddDBParam('userid',$CustomerID, 'eq');
       $viewcustomer->AddDbParam('Password',$Password, 'eq');
---
I tend to use a separat field that stores both in one:
---
       $viewcustomer->AddDBParam( 'valid', sh1( $CustomerID. '/*/' .
$Password, 'eq' );
---

If it's for a bank you will need SSL on top that no matter what.

ggt667

On 11/13/07, Lindal, Mark <mlindal at pfc.forestry.ca> wrote:
> Our IT people have shut down our filemaker database and Bookstore.
>
> There were two issues:
> 1. The server started trying to access remote devices and sites
> 2. They are concerned about the PHP security, in particular the
> non-encryption of passwords.
> My form is:
> <form action="loginok_e.php" method="post" name="login_e">
>                             <input type="hidden" name="action"
> value="current"> <input type="hidden" name="lastpage" value="<? echo
> $referpage;?>"> <input type="hidden" name="flag" value="login_e"> <!-- This
> may come in handy if we want to avoid sending a person to a change page.-->
>                             <table width="396" border="0" cellspacing="2"
> cellpadding="0">
>                                 <tr>
>                                     <td width="95">UserID:</td>
>                                     <td width="10"></td>
>                                     <td width="200"><input type="text"
> name="userid" value="<? if($CustomerNumber!=0) {echo
> $customerdata['userid'][0];}?>" size="30"></td>
>                                     <td class="button2" rowspan="2"
> width="100"><input type="submit" name="login" value="Login"></td>
>                                 </tr>
>                                 <tr>
>                                     <td width="95">Password:</td>
>                                     <td width="10"></td>
>                                     <td width="200"><input type="password"
> name="Password" size="30"></td>
>                                 </tr>
>                             </table>
>                             <input
> onclick="location.href='login_e.php?action=new'" type="button" name="new"
> value="New Customer"> <input onclick="location.href='getuserid_e.php'"
> type="button" name="new" value="Forgot my userID or Password">
>                         </form>
>
> When receiving the login form I do the following:
> if(isset($_POST['userid'])) {$CustomerID = $_POST['userid']; } else
> {$CustomerID='';}
> if(isset($_POST['Password'])) {$Password = $_POST['Password']; } else
> {$Password='';}
>
> if($CustomerID=='' or $Password=='') {header("Location: $error1url"); exit;}
>
> if($CustomerID!='' && $Password!='') {
>         $viewcustomer=new FX($serverIP,$webCompanionPort);
>         $viewcustomer->SetDBPassword($db_password);
>         $viewcustomer->SetDBData('PUB_WebClient_.fp5','ForWeb');
>         $viewcustomer->AddDBParam('userid',$CustomerID, 'eq');
>         $viewcustomer->AddDbParam('Password',$Password, 'eq');
>         $viewcustomerResult=$viewcustomer->FMFind();
>         } else {
>         header( "Location: $error1url" );
>         exit ;}
>     if($viewcustomerResult['errorCode']!=0) {
>         header( "Location: $error1url" );
>         exit ;}
>
> Any ideas?
>
> ------------------------------
> Mark Lindal
> mlindal at nrcan.gc.ca
> 250-363-0603
>
>
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>


More information about the FX.php_List mailing list