When using login functionalty i in a webpage, what is the best practice for validating the inputed data?
I'm not talking about a big scale of users but just a single admin role. The webpage is not using any databases and therefore I don't want to include the funtionallity for just one account.
At the moment I just use an If-statement with the inputed data and a hardcoded password and this somehow feels unsafe but at the same time the users can't see the php-code as long as they don't get to the server, or am I wrong?
if($password == 'myPassword123')
By the way, is there any way of downloading the actual .php file from the server (from a user perspective).
Hash the password! never store in plaintext.
And to stop a misconfiguration from revealing your password store the password outside of web root so if PHP was to reveal your code, then the client/attacker could not access the actual hash/file. Here is a simple example using the crypt() function inside a simple user function to check pass.
<?php
function check_pass($password){
$chkpass = file_get_contents(dirname(__FILE__).'/../path_outside/webroot/adminpass.txt');
if(crypt($password, $chkpass) == $chkpass){
return true;
}else{
return false;
}
}
/* The file adminpass.txt contains the hash
$1$MH0.l.1.$aNx9btlqPfGpkAxK4Bdym.
which is mypassword in plaintext */
if (check_pass($_POST['password'])) {
echo "ok!";
}else{
echo "fail!";
}
?>