
I need to save a third-party application password in my PHP application to connect to an API in a background process. I need to store the password in a DB, and there is one password for each user of the application. But I don't know the correct way to save it so that I can retrieve it later.

I don't want to save the password without encryption, but I don't know which is the best (and easiest) method to do this.

Any idea?

Asked by Sangar82

1 Answer


Unless there's some sort of OAuth mechanism available for the API you might as well store it in plain text. Once an attacker has access to the encrypted form of the password then they more than likely have access to the code that decrypts it.

My preferred method is:

inc.credentials.php

```php
<?php
// Kept in a .php file so the interpreter executes it rather than serving it as text.
$app_creds = array(
  'username' => 'sammitch',
  'password' => 'isgreat'
);
```

actual_code.php

```php
<?php
require('inc.credentials.php');
// app_login() stands in for whatever the API client's login call is.
app_login($app_creds['username'], $app_creds['password']);
unset($app_creds);
```

  1. Always use a file extension that's run through the PHP interpreter so that the file will not be served as plain text.
  2. Always leave off the closing ?> so nothing is accidentally output. [most likely whitespace]
  3. unset() is mostly paranoia, but just in case of code injection.

Answered by Sammitch
  • I need to store the password in a DB, and the password is for each user of the application, not only for admin purposes. How would you do it? But it is a great method! – Sangar82 Feb 21 '13 at 21:39
  • @Sangar82 my point still stands about plaintext, but this is less of a good idea because now instead of simply having the potential to lose *your* password, you have a database of all your users' passwords. The only *good* answer would be to use OAuth tokens or something like it, but if the API does not support it then there's not much you can do. You can certainly [encrypt the passwords](http://stackoverflow.com/a/6639179/1064767) to reduce the likelihood that a small SQL injection would expose the passwords, but should someone get into the source of the page it is all laid bare. – Sammitch Feb 21 '13 at 21:53
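The per-user variant discussed in the comments, as an added example that is not part of the answer: the database holds only authenticated ciphertext, and the key lives in an include file outside the web root, following the inc.credentials.php pattern. It assumes ext/sodium, a PDO connection, a MySQL table `user_api_creds(user_id, nonce, ciphertext)` and an assumed `inc.keys.php` defining `$app_key`; none of these come from the original post.

```php
<?php
// Added example, not the answer's code: per-user third-party passwords kept
// encrypted in the DB, with the key in a PHP include outside the web root
// (same inc.credentials.php pattern as above). Needs ext/sodium (PHP >= 7.2).
// Assumed schema: user_api_creds(user_id INT PRIMARY KEY, nonce BLOB, ciphertext BLOB).

// inc.keys.php (assumed file, no closing tag), generated once with
// bin2hex(sodium_crypto_secretbox_keygen()) and never stored in the DB:
//   <?php
//   $app_key = sodium_hex2bin('<64 hex chars>');
require('inc.keys.php');

function encrypt_api_password(string $plain, string $key): array {
    // Fresh random nonce per record; secretbox authenticates as well as encrypts,
    // so a row altered via SQL injection fails to decrypt instead of yielding garbage.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return [
        'nonce'      => $nonce,
        'ciphertext' => sodium_crypto_secretbox($plain, $nonce, $key),
    ];
}

function decrypt_api_password(string $nonce, string $ciphertext, string $key): string {
    $plain = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Stored credential failed authentication (wrong key or tampered row)');
    }
    return $plain;
}

// Called when the user enters their API password (prepared statements only; MySQL syntax).
function store_user_api_password(PDO $db, int $userId, string $plain, string $key): void {
    $enc  = encrypt_api_password($plain, $key);
    $stmt = $db->prepare('REPLACE INTO user_api_creds (user_id, nonce, ciphertext) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $enc['nonce'], $enc['ciphertext']]);
}

// Called from the background job right before app_login(); the plaintext is
// never written anywhere and only exists in memory for the duration of the call.
function load_user_api_password(PDO $db, int $userId, string $key): string {
    $stmt = $db->prepare('SELECT nonce, ciphertext FROM user_api_creds WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("No stored API credential for user $userId");
    }
    return decrypt_api_password($row['nonce'], $row['ciphertext'], $key);
}
```

This narrows the blast radius of a database-only compromise, as the comment above describes; anyone who can read both the DB and inc.keys.php can still recover every password, which is why an OAuth-style token remains the better option where the API offers it.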