Password security help

[crmamx]

Well, I can now add/change/delete data in my db. But then I find I have no security at all. I know that IE/View/Source will display the code, but I did not know that right click on a frame would display that particular frameset code.

 

Can you point me to a simple php security script. I have looked at many of them  and they are pretty complicated. No need for me to reinvent the wheel and not sure I could do it anyway. I have many other programs I can be working on. I don't need anything extreme as the data is only phone nos. and email addresses. It is just that the site members don't want others to be able to view it.

 

What if I created a db password table, then simply verified that the entered password was in the file. What kind of security would I have?

 

Thanks

[Psycho]

I'm not following you. You seem to imply that the "secured" data is being displayed using View<Source. View<Source will display anything that is sent to the browser. If you need that data displayed in the web page you can't secure it from the user. If you don't need it displayed to the user - don't send it in the page. If you do need it sent to the user you can "secure" it in transmission (i.e. protect from someone trying to harvest the data between the server and the user) by using https.

 

Now, if you are trying to secure it from users who may be unauthorized then, yes, you would want to use some sort of passcode system. You *could* store the data in a flat file, but a database is preferred. Either way, a malicious user would need to get the password for the FTP server or for the DB server to get that data. What is really important is that you hash the password so even if the data is compromised someone cannot determine what any particular user's password is.

 

Many people seem to think that the password hashing has something to do with the security of the site. It does not. If a malicious user has access to the hashed password they likely have access to all of the data anyway. The hashing is to protect the integrity of the password. Since many users use the same password on different sites, having it exposed in one site could jeopardize any other sites they use. That is why you should always use different passwords on different sites.

 

ANyway, there are plenty of tutorials on how to hash a pasword and create a login system, so a forum post is not the proper medium to try and explain how to do that.