stackoom
  简体   繁体   中英

Is it safe to store admin login hardcoded into a php script?

 原文  2020-09-18 12:35:26       php/ security

Question

I was thinking something really trivial like:

if ($email == 'mymail@example.com' && pass == '&2r2KdC#i%$$e2r8'){
    //do login
}

Was wondering if this open to possible hacks or exploit, but could not think of any. Since it will be just my login it would not make sense to use a whole database to store only that. I'll use database to store users login. I know it sound stupid to have users with less privileges stored securely in a database and admin login hardcoded, but is it really less secure?

1 answers

solution1
 0  2020-09-18 13:13:07

It is possible for people to get things from a database without permission, via ways like sql injection if data is not sanitized properly. It is also possible for people to get your php source code, via ways such as having access to your server (eg your shell/ftp account), which is quite unlikely assuming that the server is decent enough and you're keeping your credentials for getting into the server safe enough. Do understand that being being a victim of sql injection is a far more likely than people obtaining your php code. (It is also possible that you accidentally did something wrong such as changing the file extension that outputted those lines, the same goes for accidentally writing a wrong query for sql though) There are many more ways things can go wrong of course but here I am just listing out some common problems.

Also, it is worth noting that your database credentials are probably in your php code too, meaning that if they somehow have access to your source code, they most probably can access your database too.

However, I believe the biggest problem is not with where you put the password, it is how you store it. Passwords should not be stored as how they are, instead, they should first be hashed before they're stored, then when you want to check if a password is correct, you hash that password too and check it with the hash you stored. It is very dangerous to simply store unhashed passwords, since if someone somehow has access to them, it poses a huge security threat to your users, some users may use this same passwords for multiple places that someone can have access to all those places (this is very bad you shouldn't do this, but there are people to do this). However, if the passwords are hashed, even if someone somehow has access to all of the hashes, they still won't know the actual passwords.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question PHP - Is Praneeth Madush Advanced-PHP-Login-System script safe? PHP / MySQLi - First Time Writing A Login Script - Working - Safe? Is this PHP login part safe? Is this PHP login function safe? joomla admin login via php post script wrong token Is this PHP script safe? Is this safe? (PHP download script) Problems with a PHP login for Admin Admin and Customer login in Php PHP : Login in to the admin page
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM