

Hide, best as I can, an encryption password from code viewers

Posted on 2004-10-11
Medium Priority
Last Modified: 2006-11-17
I realize that I will eventually need Zend to be able to do this, but I know there are ways to hide it "good enough" for the foreseeable future.

What I have is a system set up to be able to use one website's (HOME) user system across many different websites (AWAY) by basically a 4-step process...

1. Ask HOME for the login auth described in step 3
2. HOME checks if the user is logged in at HOME, if not asks user to type login details and login
3. HOME sends the username, userid, and time of logging in to the originating website, together with a hash of those entries made with the special encrypting password, to be sure that the login is valid and legitimately from HOME.
4. AWAY stores all of that in a cookie to stay logged in.

// Method of the login class: $this->user and $this->username are set by the caller.
// Builds the hash sent in step 3 from the userid, the login time and the username,
// with the two secret portions mixed in so nobody can recompute it without them.
function makeit($timecheck) {
        $nerderg = "firstportionofpassforhash";
        $nerdarga = "secondportionofpassforhash";
        return md5($this->user.$nerderg.$timecheck.$nerdarga.$this->username);
}

That is the function that creates the hash for sending in step 3.

What I need is to be able to prevent people from finding "$nerderg" and "$nerdarga" in my PHP code when they view it. The people I will be sending this source to are, on a 1-10 level of trust, 10 being the best: 6.

I was thinking about masking base64_decode() with another name and adding my own little encryption/decryption scheme to make it that extra step harder, then moving it all around in a bunch of drawn-out steps across the code.

Not very practical, so I was wondering what any of you think would be the best alternative to my option and Zend / another paid encryptor.

I would give this 500 points but I'm new here :/
Question by:ThePCNerd
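The four-step scheme described in the question, written out as an added example (this is not the poster's code). HOME issues the cookie values and AWAY recomputes the hash on every request. It assumes a shared secret constant SHARED_SECRET present in both the HOME and the AWAY code, a fourth cookie value carrying the login time (the question lists three cookies but the hash covers the time, so AWAY needs it), a 600-second validity window, and hash_hmac()/hash_equals() from modern PHP in place of md5() with the secret pasted into the input; home_issue() and away_verify() are names made up for this example. The last two calls show the exposure the question is about: whoever reads SHARED_SECRET out of the AWAY source can mint a valid cookie for any userid.

```php
<?php
// Added example, not code from the thread. Demonstrates the shared-secret
// cookie scheme from the question and why the secret in the AWAY source is
// the whole problem. Names and values below are placeholders.

declare(strict_types=1);

// The same value has to live in the HOME code and in every AWAY install.
const SHARED_SECRET = 'firstportionofpassforhash.secondportionofpassforhash';
const MAX_AGE_SECONDS = 600;

// Step 3: HOME builds the cookie values for the originating (AWAY) site.
function home_issue(int $userId, string $username, int $loginTime, string $secret): array
{
    $timecheck = (string) $loginTime;
    // Separator stops "1|2alice" and "12|alice" style ambiguity in the hashed string.
    $data = $userId . '|' . $username . '|' . $timecheck;
    return [
        'user'     => $userId,
        'username' => $username,
        'time'     => $timecheck,
        'passhash' => hash_hmac('sha256', $data, $secret),
    ];
}

// Step 4 and every later request: AWAY recomputes the hash and checks the age.
function away_verify(array $cookie, int $now, string $secret): bool
{
    foreach (['user', 'username', 'time', 'passhash'] as $k) {
        if (!isset($cookie[$k])) {
            return false;
        }
    }
    if (!ctype_digit((string) $cookie['time'])) {
        return false;
    }
    $age = $now - (int) $cookie['time'];
    if ($age < 0 || $age > MAX_AGE_SECONDS) {
        return false; // expired, or a timestamp from the future
    }
    $data = (int) $cookie['user'] . '|' . $cookie['username'] . '|' . $cookie['time'];
    $expected = hash_hmac('sha256', $data, $secret);
    // Constant-time comparison; a plain == would also be open to PHP type juggling.
    return hash_equals($expected, (string) $cookie['passhash']);
}

$now = time();

// The genuine cookie issued by HOME.
$cookie = home_issue(42, 'alice', $now, SHARED_SECRET);
var_dump(away_verify($cookie, $now + 5, SHARED_SECRET));

// Swapping the userid without the secret breaks the hash.
$tampered = $cookie;
$tampered['user'] = 1;
var_dump(away_verify($tampered, $now + 5, SHARED_SECRET));

// Anyone who has read SHARED_SECRET out of the AWAY source can do what HOME
// does and mint a cookie for any user; AWAY has no way to tell the difference.
$forged = home_issue(1, 'admin', $now, SHARED_SECRET);
var_dump(away_verify($forged, $now + 5, SHARED_SECRET));

// A stale cookie is refused regardless of its hash.
var_dump(away_verify($cookie, $now + MAX_AGE_SECONDS + 1, SHARED_SECRET));
```

Run it with the PHP CLI. The age check bounds how long a captured cookie stays usable, but it does nothing against the forgery case, because the forger can pick any time they like.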

Expert Comment

ID: 12282815
I don't understand how they will be able to see the password? First they have to know the password; it won't be on the site???

Then, if they can't see the encryption because it won't be in the code, it will be in sessions... (I would use sessions, not cookies!!)

Really need more info?? Don't understand what you're trying to do? Are you using a database to store passwords?

Author Comment

ID: 12283334
Hmm, everyone becomes confused on this. I am not talking about users/clients, period. I am talking about me copying my code, putting it on the server of another person I barely know, and them going into FTP, downloading the file and looking at the password used within the encryption, to thus make their own fake key to log in as anybody at any of the websites using my technology.

Expert Comment

ID: 12284470
Well, you could store the passwords at a trusted server (e.g. in a database) and upon login authenticate clients against that, rather than locally.

However, if you store files at an untrusted location, nobody prevents the untrusted people from simply modifying your PHP page to bypass the authentication itself, right?

Even major software publishers, like Microsoft, who do distribute their closed-source and key-coded software, get ripped off by serial number generators and suchlike. So there is no 100% cure, even compiling your software.

Except, perhaps, you can store not only authentication but some key parts of your application at a trusted site, so that some processing is done at your place, and even if people copy your software, they can't do anything without having a proper auth with you.

You should look at the possibility of making breaking the authentication not worth it, i.e. the cost/time of breaking should exceed the product price.
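One way to get the "processing done at your place" that the comment above describes, as an added example (not from this thread, and going beyond what the comment says): replace the shared hashing secret with a signature. HOME signs the cookie values with a private key that never leaves HOME; the code shipped to an AWAY site carries only the public key, so there is no secret left in that source to hide from whoever reads it. Assumes PHP with the openssl extension; home_generate_keys(), home_issue() and away_verify() are names made up for this example, and the timestamp/age check on the cookie is left out to keep the focus on the key split.

```php
<?php
// Added example, not the thread's code: HOME signs the cookie values, AWAY
// verifies them with the public key only. Assumes the openssl extension;
// all names below are made up for this example.

declare(strict_types=1);

// Run once at HOME. Only $publicPem is copied into the code given to AWAY sites.
function home_generate_keys(): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false || !openssl_pkey_export($key, $privatePem)) {
        throw new RuntimeException('key generation failed');
    }
    $publicPem = openssl_pkey_get_details($key)['key'];
    return [$privatePem, $publicPem];
}

// Step 3 at HOME: sign "userid|username|time" with the private key.
function home_issue(int $userId, string $username, int $loginTime, string $privatePem): array
{
    $data = $userId . '|' . $username . '|' . $loginTime;
    $signature = '';
    if (!openssl_sign($data, $signature, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return [
        'user'     => $userId,
        'username' => $username,
        'time'     => (string) $loginTime,
        'passhash' => base64_encode($signature), // takes the place of the md5 hash cookie
    ];
}

// At AWAY: rebuild the signed string from the cookie and check the signature.
// Nothing in this function, or anywhere in the AWAY source, can sign a new cookie.
function away_verify(array $cookie, string $publicPem): bool
{
    foreach (['user', 'username', 'time', 'passhash'] as $k) {
        if (!isset($cookie[$k])) {
            return false;
        }
    }
    $signature = base64_decode((string) $cookie['passhash'], true);
    if ($signature === false) {
        return false;
    }
    $data = (int) $cookie['user'] . '|' . $cookie['username'] . '|' . $cookie['time'];
    // openssl_verify() returns 1 for a good signature, 0 for a bad one, -1 on error.
    return openssl_verify($data, $signature, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

[$homePrivate, $homePublic] = home_generate_keys();
$now = time();

// Genuine cookie from HOME.
$cookie = home_issue(42, 'alice', $now, $homePrivate);
var_dump(away_verify($cookie, $homePublic));

// Userid swapped in the cookie: the signature no longer covers the new value.
$tampered = $cookie;
$tampered['user'] = 1;
var_dump(away_verify($tampered, $homePublic));

// An AWAY operator can generate their own key pair and sign whatever they like,
// but AWAY only trusts signatures made with HOME's private key.
[$otherPrivate] = home_generate_keys();
$forged = home_issue(1, 'admin', $now, $otherPrivate);
var_dump(away_verify($forged, $homePublic));
```

The key pair is generated in the script only so that it runs stand-alone; in a deployment HOME would generate it once, keep the private PEM on the HOME server, and paste the public PEM into the code handed to each AWAY site. A cookie still needs an expiry check, as in the poster's own timecheck, and the AWAY operator can of course still edit their own copy of the code to skip verification on their own site, which is the point the comment above makes.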


Author Comment

ID: 12288732
Well, each website has its own auth verification, so the corrupted website owner could only fake a login on his site if he were to go around it.

What I need is to hide the password used in the hash of data, so that whoever gets my code can't fake a cookie for any of the domains that use the login system.

Expert Comment

ID: 12290874
The main question is whether anyone who gets the code, can change it for the running website.

If not, then why shouldn't something as simple as this work:

make an additional MD5 hash, and write the resulting hash in the PHP code;

<?php
$pass_hash = "nuiasdhu1273y23bki"; // the resulting hash, not the password, is shown here.

// Strict comparison: with == PHP would type-juggle two numeric-looking strings.
if (md5($user_sent_password) === $pass_hash) {
    // good user
}

Author Comment

ID: 12291899
This is not a user password.

OK, you all understand how a file hash works: it makes sure that the data you have is the data that is real.

Well, I have that for all remote logins; that way all the remote sites don't have to ask for the user database or ask the main site to check the login. I simply store 3 cookies at the remote site (user, username, and passhash).

The passhash ensures nobody changes the userid to another person so they can't fake the login.

And so that creating their own new hash can be more difficult, I add two password phrases within the hash, which I then later confirm at the remote website whenever a function needs to know if the user is logged in.

If you read my first post, you should have understood this, and that I wasn't talking about a user password. Please don't post unless you've read it all; you degrade the community that way.

Author Comment

ID: 12311614
Instead of trying to give my clients the source code, I decided to use an include().

The code is executed locally in a remote include, so my source can never be leaked.

The only downside is that your website might go down, and that means all websites using your program will too.

Accepted Solution

ee_ai_construct earned 0 total points
ID: 12340963
Question answered by asker or dialog valuable.
Closed, 130 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin
