I'm working on a social network using PHP and XML, but I don't know how to secure my XML files that have passwords and stuff. I've heard stuff about hash and salt, but I don't know anything about that. Or, should I abandon using XML and just use MySQL?
- Have you tried to google "hash and salt"? There is plenty of reading there – zerkms Sep 07 '12 at 02:31
- Yes! Stop using XML to store passwords. – Anirudh Ramanathan Sep 07 '12 at 02:31
- @DarkXphenomenon: anything wrong with XML as a storage? – zerkms Sep 07 '12 at 02:31
- For passwords, you will be accessing few records of hashes from a large set, to compare. Using a DB makes sense, as most of the access will be random. – Anirudh Ramanathan Sep 07 '12 at 02:33
- @DarkXphenomenon: it depends. You said it like there is something wrong in using XML to store particularly passwords – zerkms Sep 07 '12 at 02:34
- I would adjust your title: you do not want to 'password protect' the XML files themselves but actually store a password in a safe way inside an XML file (or DB or whatever) – Adrian Cornish Sep 07 '12 at 02:34
- Using XML would be storing passwords in a medium not designed to do so. You could then prevent access to XML via .htaccess rules, etc. But MySQL is **definitely** loads better. – Anirudh Ramanathan Sep 07 '12 at 02:40
- @DarkXphenomenon MySQL is not the be all and end all ;-) there are other DBs/forms of storing passwords. Unixes still use a text file which works pretty well, or how about a PAM call to validate against a valid Unix user - possibilities are endless – Adrian Cornish Sep 07 '12 at 02:47
- @AdrianCornish But this is a social network, and the user has the option! – Anirudh Ramanathan Sep 07 '12 at 02:54
- @DarkXphenomenon What about MariaDB, Postgres, YP (aka Yellow Pages) there. My point is there is more than MySQL; you are limiting the OP's options – Adrian Cornish Sep 07 '12 at 02:58
- Oh. I actually meant databases. The OP specified MySQL in his post, which is why I said that :) – Anirudh Ramanathan Sep 07 '12 at 03:07
- The OP does not realize that his question is how to secure passwords in a storage medium – Adrian Cornish Sep 07 '12 at 03:12
- At first glance, it looked like you were asking how to password protect an XML file like someone would protect an Excel sheet. In fact, you're asking how to protect certain elements within one. I've edited for clarity. – Tim Post Sep 08 '12 at 08:14
2 Answers
I personally would get away from storing passwords in XML files, however if you can't for whatever reason, to better secure from public users, I would store them outside the web root so you can't directly go to them. Your scripts should be able to access the home directory at the very least.
I would also make sure your passwords are stored using some kind of encryption, so that if someone did access the file, they can't just read the passwords.
- Plain-text passwords stored in files, any sort of files, which includes MySQL databases, is probably a very bad idea. You will want to encrypt them somehow no matter how they're stored, like you say. – tadman Sep 07 '12 at 03:17
- Please learn the difference between Encryption and Hashing. You want **hashed** passwords, not **encrypted** ones. – Madara's Ghost Oct 06 '12 at 15:31
If you're talking about storing your user's credentials to access your site, then you'll want to aggressively hash those passwords using bcrypt to be sure they can't be cracked easily in the event of a breach.
If you're talking about storing passwords used to access third-party services, where you need to be able to use these, then you'll want to encrypt them using a reversible method like Blowfish and some kind of private key.
Under no circumstances should you be storing passwords in XML files. These are trivially easy to get and may even be inadvertently exposed through your web server and made available for anyone to download simply by accessing a particular URL.
MySQL is a very forgiving database to get started with, so it's a good choice, plus it scales very well if you need to do that. I'd look into using mysqli or PDO for a new application, and there are many examples of how to use SQL properly with placeholders.
If you're building a full application, you probably want to look at using a framework like CakePHP or CodeIgniter to give you a foundation to build on. These provide a lot of the low-level application support you'll need to build something like what you're talking about, saving you a lot of time during development.
- I agree, except it might be better to say 'under no circumstances should you be storing _unencrypted_ passwords in XML files'. Unencrypted passwords are vulnerable no matter where you put them. – Tim Post Sep 08 '12 at 08:16
- In a more general sense, yeah. For a web application, though, storing any sort of sensitive data in XML files is a very bad idea. At least with a database an attacker would have to find a way to connect to it and extract the contents. Grabbing files is too easy. – tadman Sep 09 '12 at 02:11
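Worked example of the advice in the answer above (bcrypt-hash site credentials, keep user input out of SQL with PDO placeholders). This is added here and is not code from the original answers; it uses PHP's built-in `password_hash()`/`password_verify()` and an in-memory SQLite database so it runs offline, and the `users` table layout is an assumption made for the example.

```php
<?php
// Added example, not from the original answers. Assumes the pdo_sqlite
// extension; the table and column names are chosen for this example only.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL)');

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() generates a random salt and stores it, together with
    // the cost factor, inside the 60-character bcrypt string, so the salt
    // never has to be managed by hand. Cost 12 is a sensible default.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps the username out of the SQL text (no injection).
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: verify against a dummy hash anyway so the response
        // time does not reveal which usernames exist.
        static $dummy = null;
        $dummy ??= password_hash('not-a-real-password', PASSWORD_BCRYPT, ['cost' => 12]);
        password_verify($password, $dummy);
        return false;
    }
    // password_verify() reads salt and cost from the stored hash and compares
    // in constant time; the plaintext is never stored anywhere.
    return password_verify($password, $row['password_hash']);
}

// Constructed sample data for the demonstration.
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($db, 'alice', 'wrong password'));
var_dump(checkLogin($db, 'nobody', 'anything'));
```

Note that this covers only the site's own user credentials; secrets for third-party services that must be sent back in clear, as the answer says, need reversible encryption with a key kept outside the web root, not a hash.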