2

I'm making a website in which I'm trying to create a form that will send the user input to a Google spreadsheet in my Google Docs/Drive... I found a GitHub project that lets people code the PHP... It includes 2 other PHP files which are needed for the script. The code is as follows:

My question is, how can I hide my password from this script under $u = / $p = ?? Anyone viewing the code can see my password.. how can I prevent that?

Link to the script's source is : http://www.farinspace.com/saving-form-data-to-google-spreadsheets/

```php
<?php

// Zend library include path
set_include_path(get_include_path() . PATH_SEPARATOR . "$_SERVER[DOCUMENT_ROOT]/ZendGdata-1.8.1/library");

include_once("Google_Spreadsheet.php");

$u = "username@gmail.com";
$p = "password";

$ss = new Google_Spreadsheet($u,$p);
$ss->useSpreadsheet("My Spreadsheet");
$ss->useWorksheet("wks2");

// important:
// adding a leading alpha char prevents errors, there are issues
// when trying to lookup an identifier in a column where the
// value starts with both alpha and numeric characters, using a
// leading alpha character causes the column and its values to be
// seen strictly as strings/text

$id = "z" . md5(microtime(true));

$row = array
(
    "id" => $id // used for later lookups
    , "name" => "John Doe"
    , "email" => "john@example.com"
    , "comments" => "Hello world"
);

if ($ss->addRow($row)) echo "Form data successfully stored";
else echo "Error, unable to store data";

$row = array
(
    "name" => "John Q Doe"
);

if ($ss->updateRow($row,"id=".$id)) echo "Form data successfully updated";
else echo "Error, unable to update spreadsheet data";

?>
```
mk117
  • There needs to be a user with access to your file. Therefore, your password will be readable. How about not sharing that user with anyone or sharing your server with anyone? – BLaZuRE Jun 10 '13 at 09:31
  • 1
    **Why/how** would/could anyone read the code? If it's supposed to be safe, don't put passwords in codes - it's that simple. – h2ooooooo Jun 10 '13 at 10:14
  • @BLaZuRE: What do you mean by access to user? The spreadsheet will be saved to 'my' google docs account, so shouldn't the account password be my own account password? Or can I create a dummy user on google docs too? Like identities on yahoo mail? – mk117 Jun 10 '13 at 10:27

3 Answers

2

You can attempt to hide it from peering eyes using the code below. It would still be discoverable if you tried, but at least it's away from open text view. All it does is add characters to the text and then subtract them before it uses the password.

Run this script using your original password

```php
<?php
$password = "test";

echo "Original Password In Plain Text = $password\n";
$len = strlen($password);

// Shift every character code up by 5
$NewPassword = "";
for ($i = 0; $i <= $len - 1; $i++) {
    $charcode = ord(substr($password, $i, 1));
    $NewChar = $charcode + 5;
    $NewLetter = chr($NewChar);
    $NewPassword = $NewPassword . $NewLetter;
}
echo "Modified Password to Use in Script = $NewPassword\n";

// Shift every character code back down by 5
$OrigPassword = "";
for ($i = 0; $i <= $len - 1; $i++) {
    $charcode = ord(substr($NewPassword, $i, 1));
    $OrigChar = $charcode - 5;
    $OrigLetter = chr($OrigChar);
    $OrigPassword = $OrigPassword . $OrigLetter;
}
echo "Convert the Modified back to the Original = $OrigPassword\n";

?>
```

Add this part to your script with the new password from the above script

```php
$password = "yjxy";
$len = strlen($password); // the loop below needs the length of the stored string
$OrigPassword = "";
for ($i = 0; $i <= $len - 1; $i++) {
    $charcode = ord(substr($password, $i, 1));
    $OrigChar = $charcode - 5;
    $OrigLetter = chr($OrigChar);
    $OrigPassword = $OrigPassword . $OrigLetter;
}
$password = $OrigPassword;
echo "Script thinks this is the password = $password\n";
```
  • Thanks! Is there any PHP function that can encode the password string to md5 or sha too? I read somewhere online that PHP supports decrypting strings to these two formats.... – mk117 Dec 09 '14 at 19:34
  • 1
    It looks like they did that here [link](http://stackoverflow.com/questions/15194663/encrypt-and-decrypt-md5) but it wouldn't work for me, my php5-mcrypt didn't like me for some reason. They give tips on fixing it here [link](http://stackoverflow.com/questions/2604435/fatal-error-call-to-undefined-function-mcrypt-encrypt). That worked, then I ran the md5 script and it worked great! – Larry Vennard Dec 10 '14 at 19:24
  • Well, I found a website online that converts string to md5 and back to string too! Here's the [link](http://www.md5hashgenerator.com/) – mk117 Dec 11 '14 at 03:48
1

The best way to hide the password is to save it in an external file and then include it in your PHP script. Your file with this password, let's say 'config.php', should be above DOCUMENT_ROOT to make it inaccessible via browser. It's a common approach and, for example, you can see it in the Zend Framework directory structure where only the "public" directory is visible to the user. The proper CHMOD should be set on this file as well.

Under this link you have ZF directory structure where you can check location of config files.

Robert
  • so should I include it via: 'include("config.php");' command? If so, what could be the code for the 'config.php' file?? – mk117 Jun 10 '13 at 10:21
  • just When someone wants to access it from web it will be invisible to him. As I wrote the best solution is move this file above document root. – Robert Jun 10 '13 at 10:33
  • Ok! Thanks! I understood now.. also, by document root, you mean JUST AFTER ' – mk117 Jun 10 '13 at 11:05
  • Check the directory structure I've given u. Let's say your application is shown under `/user/`, your page is shown under `/user/public/index.php`, htaccess gives access to public/ and binds the domain for this directory, but configs are in `/user/config/config.php`, so the user can't access them via browser but your scripts can – Robert Jun 10 '13 at 11:14
  • ok. Thanks! that makes some sense, but I'll have to check that page link with ZF directory... – mk117 Jun 10 '13 at 11:26
  • Hi! Could you provide a simple code on how to use the php above in an html form? How to code the html for it? – mk117 Jun 11 '13 at 09:28
  • what do you mean? I don't understand – Robert Jun 11 '13 at 10:06
  • I mean, how to get the input on html page to use the php script for posting to the google spreadsheet? http://www.farinspace.com/saving-form-data-to-google-spreadsheets/ this page just shows the php script, there's no demo on how to implement the code? It's supposed to be a helper class... and I don't know what helper classes are for or how to use them? .......................... Nevermind.. I found a tutorial via google: http://itinsider.tumblr.com/post/43775704791/using-a-google-drive-spreadsheet-as-the-back-end-for-a .... thanks anyways!! :D – mk117 Jun 11 '13 at 10:17
0

This question has been asked and answered lots of times here (but not specifically for Google docs). Short answer is that there is nothing you can do.

Longer answer is that you can mitigate the possibility of the credentials being compromised by:

  • using credentials supplied by the user rather than stored in code
  • using tokens supplied by the user as a means of decrypting credentials stored in your code (but this gets very complicated with lots of users)
  • storing the credentials in an include file held outside the document root
symcbean
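
The include-file approach from Robert's and symcbean's answers, as an added example (not code from either answer or from the Google_Spreadsheet project). The helper name `load_credentials`, the `config/` and `public/` layout, the `user`/`pass` keys and the 0600 mode (which assumes the file is owned by the account PHP runs as) are assumptions for illustration.

```php
<?php
// Added example: read credentials from a config file kept outside the web root.
// load_credentials(), the array keys and the directory layout are hypothetical.

function load_credentials(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException("config file or document root not found");
    }
    // Refuse a config file that sits where the web server can serve it.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("config file is inside the document root");
    }
    // Refuse a file that group/other can read or write (POSIX mode bits only).
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0077) !== 0) {
        throw new RuntimeException("config file permissions too open; use chmod 600");
    }
    $cfg = require $real;   // config.php returns an array
    if (!is_array($cfg) || !isset($cfg['user'], $cfg['pass'])) {
        throw new RuntimeException("config must return ['user' => ..., 'pass' => ...]");
    }
    return $cfg;
}

// Constructed demo layout in a temp dir: app/config/config.php and app/public/
$base = sys_get_temp_dir() . '/app_' . bin2hex(random_bytes(4));
mkdir("$base/public", 0755, true);
mkdir("$base/config", 0700, true);
file_put_contents("$base/config/config.php",
    "<?php\nreturn ['user' => 'username@gmail.com', 'pass' => 'placeholder-password'];\n");
chmod("$base/config/config.php", 0600);

// In the real script the document root is $_SERVER['DOCUMENT_ROOT'].
$cfg = load_credentials("$base/public/../config/config.php", "$base/public");
echo "loaded credentials for {$cfg['user']}\n";
// $ss = new Google_Spreadsheet($cfg['user'], $cfg['pass']);  // as in the question

// A copy placed under public/ is rejected before it is ever included.
copy("$base/config/config.php", "$base/public/config.php");
try {
    load_credentials("$base/public/config.php", "$base/public");
} catch (RuntimeException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Because `config.php` starts with `<?php` and only returns an array, it produces no output even if it is ever requested directly; keeping it outside the document root covers the case where PHP parsing is disabled and the server would send the source as plain text.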