[FX.php List] Password encryption and PHP security

Gjermund Gusland Thorsen ggt667 at gmail.com
Wed Nov 14 00:20:57 MST 2007


Sorry typo

$viewcustomer->AddDBParam( 'valid', sha1( $CustomerID. '/*/' .
$Password ), 'eq' );

ggt667

On 11/14/07, Gjermund Gusland Thorsen <ggt667 at gmail.com> wrote:
> Instead of
> ---
>        $viewcustomer->AddDBParam('userid',$CustomerID, 'eq');
>        $viewcustomer->AddDbParam('Password',$Password, 'eq');
> ---
> I tend to use a separate field that stores both in one:
> ---
>        $viewcustomer->AddDBParam( 'valid', sh1( $CustomerID. '/*/' .
> $Password, 'eq' );
> ---
>
> If it's for a bank you will need SSL on top of that no matter what.
>
> ggt667
>
> On 11/13/07, Lindal, Mark <mlindal at pfc.forestry.ca> wrote:
> > Our IT people have shut down our filemaker database and Bookstore.
> >
> > There were two issues:
> > 1. The server started trying to access remote devices and sites
> > 2. They are concerned about the PHP security, in particular the
> > non-encryption of passwords.
> > My form is:
> > <form action="loginok_e.php" method="post" name="login_e">
> >                             <input type="hidden" name="action"
> > value="current"> <input type="hidden" name="lastpage" value="<? echo
> > $referpage;?>"> <input type="hidden" name="flag" value="login_e"> <!-- This
> > may come in handy if we want to avoid sending a person to a change page.-->
> >                             <table width="396" border="0" cellspacing="2"
> > cellpadding="0">
> >                                 <tr>
> >                                     <td width="95">UserID:</td>
> >                                     <td width="10"></td>
> >                                     <td width="200"><input type="text"
> > name="userid" value="<? if($CustomerNumber!=0) {echo
> > $customerdata['userid'][0];}?>" size="30"></td>
> >                                     <td class="button2" rowspan="2"
> > width="100"><input type="submit" name="login" value="Login"></td>
> >                                 </tr>
> >                                 <tr>
> >                                     <td width="95">Password:</td>
> >                                     <td width="10"></td>
> >                                     <td width="200"><input type="password"
> > name="Password" size="30"></td>
> >                                 </tr>
> >                             </table>
> >                             <input
> > onclick="location.href='login_e.php?action=new'" type="button" name="new"
> > value="New Customer"> <input onclick="location.href='getuserid_e.php'"
> > type="button" name="new" value="Forgot my userID or Password">
> >                         </form>
> >
> > When receiving the login form I do the following:
> > if(isset($_POST['userid'])) {$CustomerID = $_POST['userid']; } else
> > {$CustomerID='';}
> > if(isset($_POST['Password'])) {$Password = $_POST['Password']; } else
> > {$Password='';}
> >
> > if($CustomerID=='' or $Password=='') {header("Location: $error1url"); exit;}
> >
> > if($CustomerID!='' && $Password!='') {
> >         $viewcustomer=new FX($serverIP,$webCompanionPort);
> >         $viewcustomer->SetDBPassword($db_password);
> >         $viewcustomer->SetDBData('PUB_WebClient_.fp5','ForWeb');
> >         $viewcustomer->AddDBParam('userid',$CustomerID, 'eq');
> >         $viewcustomer->AddDbParam('Password',$Password, 'eq');
> >         $viewcustomerResult=$viewcustomer->FMFind();
> >         } else {
> >         header( "Location: $error1url" );
> >         exit ;}
> >     if($viewcustomerResult['errorCode']!=0) {
> >         header( "Location: $error1url" );
> >         exit ;}
> >
> > Any ideas?
> >
> > ------------------------------
> > Mark Lindal
> > mlindal at nrcan.gc.ca
> > 250-363-0603
> >
> >
> >
> > _______________________________________________
> > FX.php_List mailing list
> > FX.php_List at mail.iviking.org
> > http://www.iviking.org/mailman/listinfo/fx.php_list
> >
>
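
The two lookups discussed in this thread, written out side by side as an added example; this is not code from the thread or from FX.php. It assumes PHP 5.5 or later (for password_hash / password_verify) and uses a constructed in-memory array in place of the FileMaker 'ForWeb' layout, with a small fm_find() stand-in for FX's FMFind(), since no Web Companion server is available offline. The user names and passwords are made up for the example.

```php
<?php
// Added example; not from the thread or the FX.php project.
// Assumes PHP >= 5.5. An in-memory array stands in for the FileMaker
// 'ForWeb' layout and fm_find() stands in for FX::FMFind().

define('CRED_SEPARATOR', '/*/');

// Gjermund's single-field token: sha1(userid . '/*/' . password).
// The userid prefix ties the digest to one account, but SHA-1 is fast and
// carries no random salt, so a leaked table is still cheap to brute-force.
function credential_token($userId, $password)
{
    return sha1($userId . CRED_SEPARATOR . $password);
}

// Constructed records. 'valid' holds the token above (variant A);
// 'pwhash' holds a salted, slow password_hash() digest (variant B).
// Neither column stores the clear password, which was IT's concern.
function seed_records()
{
    $users = array('mlindal' => 'correct horse', 'ggt667' => 'battery staple');
    $rows = array();
    foreach ($users as $userId => $password) {
        $rows[] = array(
            'userid' => $userId,
            'valid'  => credential_token($userId, $password),
            'pwhash' => password_hash($password, PASSWORD_DEFAULT),
        );
    }
    return $rows;
}

// Stand-in for FMFind() with 'eq' criteria: exact match on every field.
// Returns the shape the posted handler checks: 'errorCode' plus the found
// set. FileMaker reports error 401 when a find matches no records.
function fm_find(array $rows, array $criteria)
{
    $found = array();
    foreach ($rows as $row) {
        $match = true;
        foreach ($criteria as $field => $value) {
            if (!isset($row[$field]) || $row[$field] !== $value) {
                $match = false;
                break;
            }
        }
        if ($match) {
            $found[] = $row;
        }
    }
    return array('errorCode' => count($found) ? 0 : 401, 'data' => $found);
}

// Variant A: the thread's approach, one equality find on the 'valid' field.
// Only the digest travels to FileMaker; the clear password never does.
function login_with_token(array $rows, $userId, $password)
{
    if ($userId === '' || $password === '') {
        return false;   // same guard as the posted handler
    }
    $result = fm_find($rows, array('valid' => credential_token($userId, $password)));
    return $result['errorCode'] === 0 && count($result['data']) === 1;
}

// Variant B: find by userid only, then verify in PHP against a salted hash.
// Neither the password nor a digest of it reaches the database.
function login_with_verify(array $rows, $userId, $password)
{
    if ($userId === '' || $password === '') {
        return false;
    }
    $result = fm_find($rows, array('userid' => $userId));
    if ($result['errorCode'] !== 0 || count($result['data']) !== 1) {
        return false;
    }
    return password_verify($password, $result['data'][0]['pwhash']);
}

$rows = seed_records();
var_dump(login_with_token($rows, 'mlindal', 'correct horse'));
var_dump(login_with_token($rows, 'mlindal', 'wrong'));
var_dump(login_with_verify($rows, 'ggt667', 'battery staple'));
var_dump(login_with_verify($rows, 'ggt667', ''));
```

In a real FX.php handler variant A is the one-line AddDBParam('valid', ...) call from the thread, while variant B keeps the original AddDBParam('userid', ...) find and drops the password parameter entirely. Either way the browser still posts the password in clear to loginok_e.php, so Gjermund's point about SSL stands regardless of how the field is stored.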

