?custom admin script - server folders and files questions?

**LazyJim** · 10-28-2003, 11:35 AM

OK a client want's a way to log in and edit their site.
I can do some PHP file manipulation, but I want to know about the security of the stored passwords and the ones being transmitted.

If I had a PHP script that takes the password (for the first time) encrypts it, then stores it in a file.

Then I have the logon script that takes the password and encrypts it, then compares it to the stored encrypted password.
[1]Would the correct password match?

[2]Where on the server can I store the password file so that no-one can access the (encripted) stored password?

[3]How should the files containing the content that will be altered by the admins by chmod'd?

WickedSkySoftware · 10-28-2003, 01:00 PM

not sure if this is the best way but you can use the md5 function to encrypt passwords.

Here is some more info:
http://us2.php.net/manual/en/function.md5.php

**LazyJim** · 10-28-2003, 01:12 PM

thanks, md5 was part of the plan anyway, the issue is with the files on the server and how they could be acessed/altered.

Cheers for the link, taking a look at it now.

lslars31 · 10-29-2003, 06:29 PM

can't you just use the .htaccess or .htpassword files?

niceguyeddie · 10-29-2003, 06:53 PM

md5 just saves the hash, and then you compare the hash of the entered password against the hash that is saved. you can't really unencrypt something that has been stored against the md5 function.

hughitt1 · 10-29-2003, 07:26 PM

I would normaly use a database to store the password, but if you have none available what your trying should be fine.

1) Make a file to store the info and put it in a protected folder (can use htaccess to protect folders with apache, but not sure exactly how to write file. should be simple. )

* One other thing you could do if you want a little extra security is make the file you are going to store the passwords in a .php file, then save the user/pws inside of php comments. that way if by any way someone did load the page over the net, the php parser would take out the comments and they would just see a blank page. I have not done this for password storage but i do use it for include files

2) Save the pw as md5

3) compare md5() version of the pass the user enters against the md5 version stored in the file.

this should work fine. I don't have too much experience with storing and retrieving from files as i use mostly mysql, but i can't imagine you would have any probelms doing this.

Keith

**LazyJim** · 10-30-2003, 02:23 AM

OK cheers, so the passwords should be safe.

now if I write a script to update content of the site, and the content is stored in plain-text/html/xml files, then I must have to give the files write access, is there a safe way to do this?

niceguyeddie · 10-30-2003, 04:04 AM

put the files below the web root.

**LazyJim** · 10-30-2003, 04:20 AM

It's a cheap host, not my own server, can I still do that?

Jazzee · 10-30-2003, 05:39 AM

You should still be able to.

**LazyJim** · 10-30-2003, 06:59 AM

OK, how?

**LazyJim** · 10-30-2003, 07:01 AM

Or maybe as someone mentioned I could make a new folder and use .htaccess to block it from the web.
And then, I hope, it can be accessed only from my .php scripts outside that folder?

niceguyeddie · 10-30-2003, 07:10 AM

Quote:

Originally Posted by LazyJim

OK, how?

ssh in,

mkdir passwords
chmod 777 passwords

if you don't have ssh the same can be done via ftp. Then just use the absolute paths to write to the directory.

Cheap webhosts are still just using *nix more than likely, so the same rules apply here as they would when paying more $ a month with your own *nix box.

niceguyeddie · 10-30-2003, 07:12 AM

Quote:

Originally Posted by LazyJim

Or maybe as someone mentioned I could make a new folder and use .htaccess to block it from the web.
And then, I hope, it can be accessed only from my .php scripts outside that folder?

still would need some way of administering the passwords, unless you just plan on giving one out.

A DB would be a better way to go, along with using sessions, etc, but it depends on how much control you need.

**LazyJim** · 10-30-2003, 07:22 AM

cant I still use a php script to set the passwords in a file that's in a protectd folder?

niceguyeddie · 10-30-2003, 07:30 AM

Yes, but once again, it would be the same methods. Put it below the root, etc.

**LazyJim** · 10-30-2003, 07:59 AM

ok it's the "below the root" bit I don't undersdand.

Quote:

Originally Posted by niceguyeddie

Quote:

Originally Posted by LazyJim

OK, how?

ssh in,

mkdir passwords
chmod 777 passwords

if you don't have ssh the same can be done via ftp. Then just use the absolute paths to write to the directory.

Cheap webhosts are still just using *nix more than likely, so the same rules apply here as they would when paying more $ a month with your own *nix box.

If I make a directory, and set it to rwxrwxrwx how does that make it secure?

Sorry I'm not a serv-side sort of person

niceguyeddie · 10-30-2003, 09:28 AM

IE, you do not want to make it accessible from the web. Whenever you log into either via ssh or ftp, generally you are below the web root. you probably see /public_html, /www, etc. It is best to not have writable directories in these level of folders, but instead better to have them non-accessible to a browser.

So create a directory on the same level as these folders, and then just use the absolute path to call them.

You probably aren't going to break anything throwing the folder into the web root if you take further precautions, but you asked about the safest way to read from a file on the web.

**LazyJim** · 10-30-2003, 09:44 AM

Do i do absolute path by starting with a forward slash?