myyis asked:
Salting passwords in PHP

In his article here, Ray says:

https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html


"If the salting string(s) and algorithm were compromised, your client's passwords are potentially exposed.  Maybe you want to put this into a PHP script that is stored above the WWW root and brought into the scope of the web root scripts via the include() function."


Let's say I have a password page where the user creates her password. If I put the salting script above the root but call it in the page, how do I avoid it being exposed? Since it is called from a page (password.php) which is already at the www root, salting.php should also be assumed to be exposed. Am I wrong? Ray, can you clarify this "storing above www root" thing?
Thank you.


password.php

<?php

include_once("../salting.php");   // salting.php lives one level above the www root and defines the salt string(s)

// password-change handling goes here

?>
<form method="post">
CHANGE YOUR PASSWORD
<br/>FORMER PASSWORD: <input name="old" type="password" />
<br/>CHOOSE PASSWORD: <input name="pwd" type="password" />
<br/>VERIFY PASSWORD: <input name="vwd" type="password" />
<br/><input type="submit" value="CHANGE" />
</form>
Ray Paseur replied:

This line looks exactly right to me...

include_once("../salting.php");

...inside that salting.php script you would have something like this:

$salt = '90vdfnlsf0wm 0w4*^&*(()Cohn##_)';
$pepper = 'NOU(*YBI@@<MKJHGDSCIU';

And this would happen in the action script after the client had posted the chosen and verification passwords, and the action script had checked that they match.

$coded_password = md5($salt . $pwd . $pepper);

Then you would store $coded_password in the database. When the client wants to log in, you take their typed password, add the salt and pepper the same way, and make the SELECT query using the md5() string.
SOLUTION from edster9999 (members-only content, not shown on this page)
myyis (asker) replied:
I still don't get the idea of using include().

Alternatively, I can put all the salting code into password.php. Since PHP code is executed on the server, it is impossible for anybody to see the variable $salt, right? If so, why do I have to use include()?
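Added example for the two questions above (the original question "if salting.php is included from password.php, isn't it just as exposed?" and the follow-up "why use include() at all?"). This is code written for this edit, not code posted in the thread. It assumes a document root of /var/www/html, a secrets file at /var/www/secrets/salting.php holding the $salt and $pepper from Ray's answer, PHP 7 or later, and a users table with a pwd_hash column that is read and written elsewhere; all of those are illustrative choices the thread does not specify. It keeps the answer's md5($salt . $pwd . $pepper) construction only for checking hashes already stored that way and uses PHP's password_hash()/password_verify() for new hashes, a substitution the thread itself does not make.

```php
<?php
// Added example, not code from the thread.  Filesystem layout assumed:
//   /var/www/html/password.php     this file, inside the document root
//   /var/www/secrets/salting.php   outside the document root; assumed to contain
//                                  <?php $salt = '...'; $pepper = '...';

// Why "above the web root" protects the salt even though password.php includes it:
// the web server maps URLs onto the document root only, so /var/www/secrets/ can
// never be requested by a browser.  A .php file inside the document root is
// executed rather than shown, but if the server ever serves a script's raw text
// (a handler not registered for that path, a leftover password.php.bak or
// password.php~, a file-disclosure bug confined to the document root), a literal
// $salt in password.php leaks with it.  A $salt brought in by include() is read
// from disk by PHP on the server and exists only in memory for that request.
$secretsFile = __DIR__ . '/../secrets/salting.php';   // relative to this file, not the cwd
if (!is_readable($secretsFile)) {
    http_response_code(500);
    exit('Server configuration error.');              // never echo the path to the client
}
require_once $secretsFile;                            // defines $salt and $pepper

// The construction from the answer above, md5($salt . $pwd . $pepper).  Kept so that
// hashes already stored that way can still be checked; md5 is fast and the salt is
// shared by every user, so it is not used for new hashes here.
function legacyCodedPassword(string $pwd, string $salt, string $pepper): string
{
    return md5($salt . $pwd . $pepper);
}

// Replacement for new hashes: password_hash() draws a random per-user salt and
// embeds it in the returned string, and its work factor is tunable.  The server-side
// pepper is applied first (HMAC rather than concatenation) so a copy of the
// database alone is not enough to start guessing.
function codedPassword(string $pwd, string $pepper): string
{
    return password_hash(hash_hmac('sha256', $pwd, $pepper), PASSWORD_DEFAULT);
}

// Accepts either form of stored hash; legacy md5 output is exactly 32 hex characters.
function passwordMatches(string $pwd, string $stored, string $salt, string $pepper): bool
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        return hash_equals($stored, legacyCodedPassword($pwd, $salt, $pepper));
    }
    return password_verify(hash_hmac('sha256', $pwd, $pepper), $stored);
}

// Change-password handling for the asker's form (fields old, pwd, vwd).  Returns
// ['hash' => new hash to store] or ['error' => message for the user].
function handleChange(array $post, string $storedHash, string $salt, string $pepper): array
{
    $old = (string)($post['old'] ?? '');
    $pwd = (string)($post['pwd'] ?? '');
    $vwd = (string)($post['vwd'] ?? '');
    if (!passwordMatches($old, $storedHash, $salt, $pepper)) {
        return ['error' => 'Former password is incorrect.'];
    }
    if ($pwd === '' || $pwd !== $vwd) {
        return ['error' => 'The two new passwords do not match.'];
    }
    return ['hash' => codedPassword($pwd, $pepper)];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Assumed data access, not shown: SELECT pwd_hash FROM users WHERE id = ? (prepared statement)
    $storedHash = '';
    $result = handleChange($_POST, $storedHash, $salt, $pepper);
    if (isset($result['error'])) {
        echo htmlspecialchars($result['error'], ENT_QUOTES, 'UTF-8');
    } else {
        // Assumed: UPDATE users SET pwd_hash = ? WHERE id = ? with $result['hash'] (prepared statement)
        echo 'Password changed.';
    }
}
?>
<!-- the CHANGE YOUR PASSWORD form from the question follows here -->
```

The protection is exactly that nothing in the URL space reaches /var/www/secrets/; it is the same secret whether it sits in salting.php or is pasted into password.php, so the include() does not hide $salt from anyone who can already read the filesystem or process memory as the PHP user. What it buys is that the one directory the web server hands out to the world no longer contains the secret, so the failure modes that disclose a script's source (rather than executing it) stop being a credential-database compromise.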
ASKER CERTIFIED SOLUTION (members-only content, not shown on this page)
myyis (asker) replied:
Great, thanks.