Using the PHP Crypt Function - A Few Words About Storage and Security

(Page 4 of 4 )

If you use a flat file for your password storage, make sure to put it outside your Web root. Proper permissions can be set on this file to allow your scripts to access it. As a default on UNIX systems PHP and the Web server run under the user "nobody." Using a flat file is fine for a small number of passwords, but if you have a lot of them a database is a better choice. You could also split your password storage: website usernames and passwords in a database and database access passwords in a flat file.

You also have the option of using the htaccess and htpasswd file if you are using the Apache Web server. Make sure to consult any documentation for your server for more information. Another good general net security resource is available at http://www.net-security.org/. Always keep up with the latest security updates and bulletins for any software you use on your site and apply the available patches promptly.

There are other encryption functions or add ons for PHP as well. Such as md5() or a two way PHP extension called Mcrypt. A good source for information about these or other PHP functions and features is in the PHP manual. You can access the PHP manual on line at http://us2.php.net/manual/en/index.php or through the PHP Freaks web site http://www.phpfreaks.com/.

Conclusion

Using crypt we have made password validation secure and easy. There was no need to ever expose the real password and the logged in user is now on their way to doing some work. Always consider all security measures available when you have important information to protect.

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

Comments On: Using the PHP Crypt Function

· However, md5() in not encryption, its hashing; just though I would point that...    · Yes actually you are correct. Not a lot of people know the difference but it is an...    · Using a non standard hashing (or crypto) function is a good way to get in troubles...    · Actually Crypt is entirely based on standards. It uses standard ciphers available...    · First thing that came to my mind is implementing this function with passwords. Since...    · The way I would manage this is for a non encrypted version to be stored in a...    · can you explain hashing? new to this, and thought md5 was encrypting the password? ...    · Can anyone tell the difference between hashing and crypting?and which one is...    · The best explanation I have seen for the difference is...    · This is the way it SHOULD be. When a user loses his password, he gets sent a new...    · With appreciation to the author, there are serious weaknesses here. 1) Crypt()...    · Has nobody spotted the obvious flaw here? You are still sending the password in...   >>> Post your comment now!