Salting password php

In his articles here Ray says that:

"If the salting string(s) and algorithm were compromised, your client's passwords are potentially exposed.  Maybe you want to put this into a PHP script that is stored above the WWW root and brought into the scope of the web root scripts via the include() function."

Let's say I have a password page where the user creates her password. If I put the salting script above the root but call it in the page, how do I avoid it being exposed? Since it is called from a page (password.php) which is already at the www root, salting.php should also be assumed to be exposed. Am I wrong? Ray, can you clarify this "storing above www root" thing?
Thank you.




//here the php code

<form method="post">
<br/>FORMER PASSWORD: <input name="old" type="password" />
<br/>CHOOSE PASSWORD: <input name="pwd" type="password" />
<br/>VERIFY PASSWORD: <input name="vwd" type="password" />
<br/><input type="submit" value="CHANGE" />
Ray Paseur Commented:
This line looks exactly right to me...


...inside that salting.php script you would have something like this:

$salt = '90vdfnlsf0wm 0w4*^&*(()Cohn##_)';
$pepper = 'NOU(*YBI@@<MKJHGDSCIU';

And this would happen in the action script after the client had posted the chosen and verify passwords, and the action script had checked for a match.

$coded_password = md5($salt . $pwd . $pepper);

Then you would store $coded_password in the database.  When the client wants to log in, you take their typed password, add the salt and pepper the same way, and make the SELECT query using the md5() string.
Putting it 'above' the root directory means outside the area where pages can be pulled from.

So imagine your websites are located in

then the web server (assuming it is set up correctly) can only pull things from inside that directory or lower down,

so /index.php is really /var/server/www/index.php
/pages/nextone.php is really /var/server/www/pages/nextone.php, etc.

When you pull a page into the code using the example above, "../salting.php" would be /var/server/salting.php.
The web server should be set up so it cannot display '.php' pages and so it will not display any file that is further up, as this one would be.
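As an added example that is not Ray's code or anything posted in the thread, here is the layout the answer describes, with /var/server as the assumed directory above the web root; it swaps the md5() line for an HMAC with the pepper followed by password_hash() (PHP 5.5+), which supplies the random per-user salt itself.

```php
<?php
// Added example (not code from the thread). Assumed layout, web root = /var/server/www:
//   /var/server/salting.php       holds the secret; no URL maps to it
//   /var/server/www/password.php  the action script the form posts to (this file)
// Contents of salting.php, one long random string per site:
//   <?php return ['pepper' => 'NOU(*YBI@@<MKJHGDSCIU'];
// __DIR__ is this script's directory, so '/..' is the "../salting.php" of the answer.
// Plain require, not require_once: require_once returns true, not the array, on a repeat.
$secrets = require __DIR__ . '/../salting.php';
$pepper  = $secrets['pepper'];

// Stored form of a password: HMAC with the site pepper first (a copied database is
// useless without the file above the web root), then password_hash(), which adds a
// random per-user salt and a slow bcrypt cost. Stands in for md5($salt.$pwd.$pepper).
function encode_password(string $pwd, string $pepper): string
{
    $peppered = base64_encode(hash_hmac('sha256', $pwd, $pepper, true));
    return password_hash($peppered, PASSWORD_BCRYPT);
}

// Login check: recompute the same way; password_verify() reads the salt out of the
// stored hash, so you look the user up by name and verify instead of SELECTing by hash.
function check_password(string $pwd, string $pepper, string $stored): bool
{
    $peppered = base64_encode(hash_hmac('sha256', $pwd, $pepper, true));
    return password_verify($peppered, $stored);
}

// Change-password flow for the form in the question (fields old, pwd, vwd).
// $stored is the hash in the user's row; returns the new hash or an error.
function change_password(array $post, string $stored, string $pepper): array
{
    $pwd = $post['pwd'] ?? '';
    if ($pwd === '' || $pwd !== ($post['vwd'] ?? '')) {
        return ['error' => 'CHOOSE and VERIFY passwords do not match'];
    }
    if (!check_password($post['old'] ?? '', $pepper, $stored)) {
        return ['error' => 'FORMER PASSWORD is wrong'];
    }
    return ['hash' => encode_password($pwd, $pepper)];
}

// $stored_hash is a placeholder for the value read from the user's database row.
$result = change_password($_POST, $stored_hash ?? '', $pepper);
if (isset($result['hash'])) {
    // UPDATE users SET password = ? WHERE id = ?  (prepared statement with $result['hash'])
}
```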
myyis Author Commented:
I still did not get the idea of using include().

Alternatively, I can put all the salting code into password.php. Since PHP code is executed on the server, it is impossible for anybody to see the variable $salt, right? If so, why do I have to use include()?
Ray Paseur Commented:
"...it is impossible for anybody to see the variable $salt, right?"
Some possible scenarios you may want to consider:

1. A disgruntled employee steals the web scripts
2. A clumsy employee loses a laptop
3. PHP goes away and the server, unable to parse PHP, prints out the script code

These are all unlikely, but any of them could be troublesome.  Security is about making a balance between what keeps you safe and what doesn't suck too much.

There is another value to the idea of include().  Personally, I go for require_once(), but the concepts are the same.  There is an "environment" that I want for every one of my web pages.  I want certain classes and constants.  I want the database to be connected.  I want to set cookies, including the PHP session cookie.  So I just put all of this stuff into the common.php script and call it at the top of every web page.  A typical script for one of my web pages might look like this:


Open in new window


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
myyis Author Commented:
Great, thanks.