myyis
asked on
Salting password php
In his article here, Ray says:
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
"If the salting string(s) and algorithm were compromised, your client's passwords are potentially exposed. Maybe you want to put this into a PHP script that is stored above the WWW root and brought into the scope of the web root scripts via the include() function."
Let's say I have a password page where the user creates her password. If I put the salting script above the root but call it in the page, how do I avoid it being exposed? Since it is called from a page (password.php) which is already in the www root, salting.php should also be assumed to be exposed. Am I wrong? Ray, can you clarify this "storing above www root" thing?
Thank you.
password.php
<?php
// salting.php lives one directory above the document root; PHP reads it from disk
include_once("../salting.php");
// here the php code
?>
<form method="post">
CHANGE YOUR PASSWORD
<br/>FORMER PASSWORD: <input name="old" type="password" />
<br/>CHOOSE PASSWORD: <input name="pwd" type="password" />
<br/>VERIFY PASSWORD: <input name="vwd" type="password" />
<br/><input type="submit" value="CHANGE" />
</form>
ASKER
I still did not get the idea of using include().
Alternatively, I can put all the salting code into password.php. Since PHP code is executed on the server, it is impossible for anybody to see the variable $salt, right? If so, why do I have to use include()?
ASKER
Great, thanks.
...inside that salting.php script you would have something like this:
$salt = '90vdfnlsf0wm 0w4*^&*(()Cohn##_)';
$pepper = 'NOU(*YBI@@<MKJHGDSCIU';
And this would happen in the action script after the client had posted the chosen and verify passwords, and the action script had checked for a match.
$coded_password = md5($salt . $pwd . $pepper);
Then you would store $coded_password in the database. When the client wants to log in, you take their typed password, add the salt and pepper the same way, and make the SELECT query using the md5() string.
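The point behind "above the www root", shown as an added example (not code from the original post or from Ray's article): the web server only serves files under its document root, so a browser request can never fetch salting.php, while PHP reads it from disk through include() without that restriction. The paths, the outside_document_root() check and the constant-time comparison at login are assumptions added here, not part of the original answer.

```php
<?php
// Added example. Assumed (hypothetical) layout:
//   /var/www/salting.php        secrets, above the document root
//   /var/www/html/password.php  this file; document root is /var/www/html
// Even if the server were ever misconfigured to hand out .php files as plain
// text, it could only do so for files under /var/www/html.

$secrets = __DIR__ . '/../salting.php';   // resolved relative to this file, not the CWD

// Defensive check: refuse to run if the secrets file sits inside the served tree.
function outside_document_root(string $path, string $docroot): bool {
    $real = realpath($path);
    $root = rtrim(realpath($docroot) ?: $docroot, '/') . '/';
    return $real !== false && strncmp($real, $root, strlen($root)) !== 0;
}
if (!outside_document_root($secrets, $_SERVER['DOCUMENT_ROOT'])) {
    http_response_code(500);
    exit('salting.php must live above the document root');
}
require_once $secrets;   // defines $salt and $pepper, e.g. $salt = 'constructed-salt-value';

// Same scheme as the answer above: salt . password . pepper, then md5().
// Caveat: md5() is far too fast for password storage today; password_hash()
// (bcrypt, which stores its own per-user salt in the result) is the modern replacement.
function code_password(string $pwd, string $salt, string $pepper): string {
    return md5($salt . $pwd . $pepper);
}

// At login: recompute from the typed password and compare in constant time,
// a swapped-in alternative to putting the md5() string into the SELECT.
function password_matches(string $typed, string $stored, string $salt, string $pepper): bool {
    return hash_equals($stored, code_password($typed, $salt, $pepper));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pwd = $_POST['pwd'] ?? '';
    $vwd = $_POST['vwd'] ?? '';
    if ($pwd === '' || $pwd !== $vwd) {
        exit('Passwords do not match.');
    }
    $coded_password = code_password($pwd, $salt, $pepper);
    // store $coded_password for this user in the database here
}
?>
```

Note that this protects against the web server disclosing the file; it does not help if an attacker can already execute or read arbitrary files as the PHP user, which is why the secrets still belong in a file with restrictive permissions.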