  1. #1
    Common (Regular Coder)
    Join Date: Jan 2009
    Glasgow, UK

    Security Implications of Hard-Coding Password?


    This is just out of curiosity, something I've always wondered. Whenever I'm making a login system, I have a users MySQL table with an encrypted password which is checked when the user tries to log in.

    Provided it's not necessary to offer automatic registrations, as that would be a pain without SQL, would it be MORE or LESS secure to actually just hard-code the username and password into your executing PHP file (example below)? As far as I know there's no way to access the unprocessed source code bar hacking into the server, but if that happens they can do what they like with your database etc. anyway.

    // Hard-coded plaintext credentials (the scheme being asked about).
    // Array keys quoted and the block closed so the snippet parses.
    if ($_POST['username'] == "john" && $_POST['password'] == "letmein") {
        echo "You are now logged in.";
    }
    It seems instinctive that this would be insecure, but what I want to know is why?

    Many thanks!

  2. #2
    Master Coder
    Join Date: Feb 2011
    Your Monitor
    If the PHP interpreter fails for any reason, your file isn't executed but is instead just served straight to the client.

    Most of us use database connection details in that way (usually in another file, preferably in a directory that's not publicly accessible), but using actual script login details hard-coded isn't a great idea.

  3. #3
    Arcticwarrio (Regular Coder)
    Join Date: May 2012
    Only people who can access your files can see that.

    If you want to protect it from anybody you'd need a basic hash or similar.

    This is the same as the code you posted:

    PHP Code:
    // Same hard-coded check, but comparing an MD5 digest instead of the plaintext.
    // Array keys quoted, echo restored and the block closed so the snippet parses.
    if ($_POST['username'] == "john" && md5($_POST['password']) == "0d107d09f5bbe40cade3de5c71e9e9b7") {
        echo "You are now logged in.";
    }


  4. #4
    Super Moderator
    Join Date: May 2002
    Perth, Australia
    If the file with that information is above your web root then it's as you note, no more or less secure than a config file with your MySQL user and password in it.

    If you only have one user or so and don't want to use a database you could also use HTTP authentication with .htaccess, .htpasswd etc.

  5. #5
    felgall (Master Coder)
    Join Date: Sep 2005
    Sydney, Australia
    If the passwords in the database are hashed then even with access to the server the person can't see what the passwords are. They may be able to work out A password that hashes to the given value but if the hash also uses a salt then even if they do work out a value that works as the password they will not be able to use that same password to break into other sites where the person has stupidly used the same password.

    If instead you store the password in plain text in the database then anyone who gains access to the server can try out the username/password combinations on other sites so as to break into any accounts that people have that use the same password.