[FX.php List] Password encryption and PHP security
Gjermund Gusland Thorsen
ggt667 at gmail.com
Wed Nov 14 00:20:33 MST 2007
Instead of
---
$viewcustomer->AddDBParam('userid',$CustomerID, 'eq');
$viewcustomer->AddDbParam('Password',$Password, 'eq');
---
I tend to use a separat field that stores both in one:
---
$viewcustomer->AddDBParam( 'valid', sh1( $CustomerID. '/*/' .
$Password, 'eq' );
---
If it's for a bank you will need SSL on top that no matter what.
ggt667
On 11/13/07, Lindal, Mark <mlindal at pfc.forestry.ca> wrote:
> Our IT people have shut down our filemaker database and Bookstore.
>
> There were two issues:
> 1. The server started trying to access remote devices and sites
> 2. They are concerned about the PHP security, in particular the
> non-encryption of passwords.
> My form is:
> <form action="loginok_e.php" method="post" name="login_e">
> <input type="hidden" name="action"
> value="current"> <input type="hidden" name="lastpage" value="<? echo
> $referpage;?>"> <input type="hidden" name="flag" value="login_e"> <!-- This
> may come in handy if we want to avoid sending a person to a change page.-->
> <table width="396" border="0" cellspacing="2"
> cellpadding="0">
> <tr>
> <td width="95">UserID:</td>
> <td width="10"></td>
> <td width="200"><input type="text"
> name="userid" value="<? if($CustomerNumber!=0) {echo
> $customerdata['userid'][0];}?>" size="30"></td>
> <td class="button2" rowspan="2"
> width="100"><input type="submit" name="login" value="Login"></td>
> </tr>
> <tr>
> <td width="95">Password:</td>
> <td width="10"></td>
> <td width="200"><input type="password"
> name="Password" size="30"></td>
> </tr>
> </table>
> <input
> onclick="location.href='login_e.php?action=new'" type="button" name="new"
> value="New Customer"> <input onclick="location.href='getuserid_e.php'"
> type="button" name="new" value="Forgot my userID or Password">
> </form>
>
> When receiving the login form I do the following:
> if(isset($_POST['userid'])) {$CustomerID = $_POST['userid']; } else
> {$CustomerID='';}
> if(isset($_POST['Password'])) {$Password = $_POST['Password']; } else
> {$Password='';}
>
> if($CustomerID=='' or $Password=='') {header("Location: $error1url"); exit;}
>
> if($CustomerID!='' && $Password!='') {
> $viewcustomer=new FX($serverIP,$webCompanionPort);
> $viewcustomer->SetDBPassword($db_password);
> $viewcustomer->SetDBData('PUB_WebClient_.fp5','ForWeb');
> $viewcustomer->AddDBParam('userid',$CustomerID, 'eq');
> $viewcustomer->AddDbParam('Password',$Password, 'eq');
> $viewcustomerResult=$viewcustomer->FMFind();
> } else {
> header( "Location: $error1url" );
> exit ;}
> if($viewcustomerResult['errorCode']!=0) {
> header( "Location: $error1url" );
> exit ;}
>
> Any ideas?
>
> ------------------------------
> Mark Lindal
> mlindal at nrcan.gc.ca
> 250-363-0603
>
>
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>
More information about the FX.php_List
mailing list