Help

Question

Grantmitch1 0 Junior Poster in Training

16 Years Ago

Until I figure out how to create passwords in a MySQL Database Im relying on HTML scripts to work.

This does work, everything is good, except if I put it on the web people can discover the code by viewing the source.

Now my question is, is there someway I can store the HTML scripts for passwords in a different page and they access it threw a different page.

Eg, when using email forms you use the script.

Is it possible to do something like that but with the scripts.

So the page refers to it.

<Action="passwords.htm">

If anyone can help that would be most helpful.

Thank you

Grant

2 Contributors
4 Replies
95 Views
1 Day Discussion Span
Latest Post 16 Years Ago Latest Post by Grantmitch1

Fest3er 39 Posting Whiz in Training

16 Years Ago

Until I figure out how to create passwords in a MySQL Database Im relying on HTML scripts to work.
This does work, everything is good, except if I put it on the web people can discover the code by viewing the source.
Now my question is, is there someway I can store the HTML scripts for passwords in a different page and they access it threw a different page.

Eg, when using email forms you use the script.
<form method="POST" action="email.php">
Is it possible to do something like that but with the scripts.
So the page refers to it.
<Action="passwords.htm">
If anyone can help that would be most helpful.
Thank you
Grant

I'm not sure just what you are asking.

Creating users in MySQL is done via GRANT:
GRANT ALL on db.* to thisuser@localhost IDENTIFIED BY "password";
But then, you might not be talking about MySQL passwords; rather you might be referencing web site users and passwords, which are quite different.

I *think* you are wanting to prevent the public from seeing the passwords you have stored in the website. Basically, if you are using PHP, the usernames and passwords should always remain in the PHP realm and never appear in HTML. The PHP source should never be visible to users of the web site; it's always executed and the resulting HTML is sent to the user's browser.

Now, if you are doing stuff with user's IDs and passwords, then it's more difficult. You may have to use cookies to store the password persistently on the user's system. Or you may have to learn JavaScript (ECMAScript) and AJAX and have the browser dynamically fetch the password from the server and load it into the page; this way the password does not appear in the HTML sent to the browser.

If you are talking about having, for example, a plain-text file containing usernames and passwords, you should store that file outside the HTML tree where only PHP can access it.

A more cogent description of your situation and goals is in order....

N

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Grantmitch1 0 Junior Poster in Training · Answer 1 · 2008-01-02T20:23:04+00:00

Im not entirely sure what you just wrote... lol

Basically I cant create databases yet cus I dont know how to.

I know how to create user logins in html, but when the user goes onto the "view source" they can see the passwords etc.

Is there a way of preventing this.

By storing the html in a different file, and then when the user goes to logs in it refers to that file.

Fest3er 39 Posting Whiz in Training · Answer 2 · 2008-01-03T01:57:25+00:00

Ah. This is a well-known problem that can be worked around fairly easily to achieve reasonable security.

Post an example of what you are doing and how you are doing it. (Not the actual code, but similar, stripped-down code that illustrates your mechanism.)

There are a couple ways to do this. One is to use .htaccess (access requirements) and .htpasswd (usernames and passwords) files to control access to pages. The program I usually use to manage access is PHPAccess. I put .htpasswd outside the html tree, and I define groups in each .htaccess file to control access to certain directories. The PHPAccess script itself manages users and groups; you should need only one copy in an admin area of the web site.

Another way to keep usernames and passwords hidden is to use forms and PHP. In the form, the user enters her ID and password (and the other form data), which are sent to the server. The PHP code on the server authenticates the ID/passwd pair. If it succeeds, the program continues. If it fails, the program pauses for, say, five seconds, then returns an error page. The trivial way to make this work is to propagate the ID/passwd to all subsequent forms sent to the browser. A non-trivial way is to use a database to store the ID/passwd, the source IP address, a lifetime timeout, and a unique token. The token can be generated as an sha224sum or md5sum of "usernamepassword" (or some interleaving of the two). The token would then be returned to the user as a cookie (session or more permanent). This method would also require that the database be scrubbed periodically of expired tokens (likely with a PHP script run from cron).

A more dynamic way would be to learn JavaScript and AJAX. When the password field loses focus, a JavaScript function is called to verify data entry and authenticate the ID/password. (It would send a request to the server containing the ID and password and await a true or false response; the server might even be able to set a cookie containing the aforementioned token.)

I don't think you can secure usernames and passwords using pure HTML. Server-side programming is pretty much a necessity in this case.

Grantmitch1 0 Junior Poster in Training · Answer 3 · 2008-01-03T02:33:34+00:00

Well I have several books on Javascript and AJAX that I am starting to read so hopefully that will work.
Thanks for your help

I did see programs for it, but it cost $230. so...