Salting password php

In his articles here Ray says that:

"If the salting string(s) and algorithm were compromised, your client's passwords are potentially exposed.  Maybe you want to put this into a PHP script that is stored above the WWW root and brought into the scope of the web root scripts via the include() function."

Let's say I have a password page where the user creates her password. If I put the salting script above the root but call it in the page, how do I keep it from being exposed? Since it is called from a page (password.php) which is already under the www root, salting.php should also be assumed to be exposed. Am I wrong? Ray, can you clarify this "storing above www root" thing?
Thank you.

//here the php code

<form method="post">
<br/>FORMER PASSWORD: <input name="old" type="password" />
<br/>CHOOSE PASSWORD: <input name="pwd" type="password" />
<br/>VERIFY PASSWORD: <input name="vwd" type="password" />
<br/><input type="submit" value="CHANGE" />
</form>
Ray Paseur Commented:
"... is impossible for anybody to see the variable $salt, right?"
Some possible scenarios you may want to consider:

1. A disgruntled employee steals the web scripts
2. A clumsy employee loses a laptop
3. PHP goes away and the server, unable to parse PHP, prints out the script code

These are all unlikely, but any of them could be troublesome.  Security is about making a balance between what keeps you safe and what doesn't suck too much.

There is another value to the idea of include().  Personally, I go for require_once(), but the concepts are the same.  There is an "environment" that I want for every one of my web pages.  I want certain classes and constants.  I want the data base to be connected.  I want to set cookies, including the PHP session cookie.  So I just put all of this stuff into the common.php script and call it at the top of every web page.  A typical script for one of my web pages might look like this:


Ray Paseur Commented:
This line looks exactly right to me...


...inside that salting.php script you would have something like this:

$salt = '90vdfnlsf0wm 0w4*^&*(()Cohn##_)';
$pepper = 'NOU(*YBI@@<MKJHGDSCIU';

And this would happen in the action script after the client had posted the chosen and verify passwords, and the action script had checked for a match.

$coded_password = md5($salt . $pwd . $pepper);

Then you would store $coded_password in the data base.  When the client wants to login, you take their typed password, add the salt and pepper the same way, and make the SELECT query using the md5() string.
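The salt-and-pepper scheme above, as an added example that is not code from the thread: the secret values live in a script one level above the document root (assumed, following the directory layout described later in the thread, to be /var/server/salting.php with the web root at /var/server/www) and are pulled in with require_once(). sha256 via hash() is substituted for md5(), and the salt, pepper and passwords are constructed placeholder values.

```php
<?php
// Added example, not code from the thread.  Assumed layout: the document
// root is /var/server/www, so this secrets file sits at /var/server/salting.php,
// a path the web server never serves by URL but which a script under the
// web root can still read.  /var/server/salting.php would contain only:
//   <?php
//   $salt   = 'constructed-random-salt';
//   $pepper = 'constructed-random-pepper';
// and password.php (under the web root) would start with:
//   require_once __DIR__ . '/../salting.php';
// To keep this example self-contained the two values are set here instead.
$salt   = 'constructed-random-salt';     // constructed placeholder
$pepper = 'constructed-random-pepper';   // constructed placeholder

// Value stored in the data base: Ray's $salt . $pwd . $pepper construction,
// digested with sha256 instead of md5 (a substitution, not the original).
function coded_password(string $pwd, string $salt, string $pepper): string
{
    return hash('sha256', $salt . $pwd . $pepper);
}

// Login check: recompute the same way and compare in constant time, so the
// comparison itself does not reveal how many leading characters matched.
function password_matches(string $typed, string $stored, string $salt, string $pepper): bool
{
    return hash_equals($stored, coded_password($typed, $salt, $pepper));
}

// Action script for the question's form (fields old, pwd, vwd): returns the
// new coded password to store, or null when the request must be rejected.
function handle_change(array $post, string $stored, string $salt, string $pepper): ?string
{
    if (!isset($post['old'], $post['pwd'], $post['vwd'])) {
        return null;                                        // missing field
    }
    if ($post['pwd'] !== $post['vwd']) {
        return null;                                        // verify mismatch
    }
    if (!password_matches($post['old'], $stored, $salt, $pepper)) {
        return null;                                        // wrong old password
    }
    return coded_password($post['pwd'], $salt, $pepper);
}

// Constructed demonstration: change the password, then log in with it.
$stored = coded_password('old-secret', $salt, $pepper);
$new    = handle_change(['old' => 'old-secret', 'pwd' => 'new-secret', 'vwd' => 'new-secret'],
                        $stored, $salt, $pepper);
var_dump($new !== null && password_matches('new-secret', $new, $salt, $pepper));
```

PHP's built-in password_hash() and password_verify() give each password its own random salt and a deliberately slow hash, and are the standard replacement for a fixed-secret md5() scheme today.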
edster9999 Commented:
Putting it 'above' the root directory means outside the area where pages can be pulled from.

So imagine your web sites are located in

then the web server (assuming it is set up correctly) can only pull things from inside that directory or lower down

so /index.php is really /var/server/www/index.php
/pages/nextone.php is really /var/server/www/pages/nextone.php etc.

You pull a page into the code - using the example above, "../salting.php" - which would be /var/server/salting.php
The web server should be set so it cannot display '.php' pages and so that it will not display any file that is further up, as this one would be.
myyis (Author) Commented:
I still did not get the idea of using include().

Alternatively, I can put all the salting code into password.php. Since PHP code is executed on the server, it is impossible for anybody to see the variable $salt, right? If so, why do I have to use include()?
myyis (Author) Commented:
Great, thanks.