-2

I'm creating an Admin Panel section of a website where there will only be one user. I was thinking of just storing a password in a separate config.php file instead of creating a users table with usernames and hashed passwords as I typically do for membership areas, since it's only one user.

Thoughts on doing this? Has anyone else tried this? Are there some major vulnerabilities I should be aware of?

Example config.php:

$pw = "honeybadgerbubblegum";

Example login.php:

require('config.php');

if(isset($_POST['login']))
{
    // hash the submitted password and the stored one, then compare the digests
    $upw = md5($_POST['upw']);
    $pwHashed = md5($pw);
    if($upw === $pwHashed)
    {
        //success
    }
}
m1xolyd1an
  • Unless you're on an Intranet, don't use MD5 for storing a password hash. – Funk Forty Niner Nov 24 '15 at 03:15
  • because rainbow tables? @Fred-ii- `hash_hmac('sha256', )` instead? – m1xolyd1an Nov 24 '15 at 03:18
  • Exactly. Yeah, hash_hmac http://stackoverflow.com/questions/2707967/php-how-can-i-generate-a-hmacsha256-signature-of-a-string would be safer than MD5. Or, using an authentication method such as HTTP authentication http://php.net/manual/en/features.http-auth.php – Funk Forty Niner Nov 24 '15 at 03:20

4 Answers

1

There are no vulnerabilities if you store the password in a PHP file. However, in that case, when the password is changed, the file needs to be overwritten, which means you need to implement a feature that regenerates the file when the admin saves a new password.

Also, I do not really understand the problem with having a table that holds a single row for the admin. It is not really overkill, and it is a safe and sound method that spares you from having to implement PHP regenerators.

Lajos Arpad
  • There is if he's storing it in plain text :) – Ceeee Nov 24 '15 at 05:16
  • We were talking about PHP files, so it will not be in plain text. – Lajos Arpad Nov 24 '15 at 05:28
  • It is plain text to all who can access the file. If you are the admin and I'm the programmer, I can see your password in the PHP file since I can access it. And what if there are 15 programmers taking care of the application? They can all view that password. Isn't that a vulnerability? I'm sorry. – Ceeee Nov 24 '15 at 05:31
  • You do not have to be sorry. It is never a good idea to store "yourpassword" as it is. You are arguing with me that plaintext is unsafe for passwords, yet I never said they are safe. Naturally, you will store an encrypted value in your PHP file or your database. We were talking about whether storing the password in PHP files is unsafe. – Lajos Arpad Nov 24 '15 at 05:35
  • Yes, I understand. I am just concerned that the "no vulnerabilities" may imply to the OP that the presented code is already OK :) Thanks – Ceeee Nov 24 '15 at 05:41
  • That's a good point. Then, to make sure, we have to clearly state that the password needs to be encrypted wherever it is. – Lajos Arpad Nov 24 '15 at 05:42
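As an added example (not code from the question or from any answer), here is what the OP's config.php/login.php pair looks like once config.php holds only a password_hash() digest, together with the "regenerate the file when the admin saves a new password" step this answer describes. CONFIG_FILE, saveAdminPassword() and adminLogin() are names chosen for this example.

```php
<?php
// Added example: one-admin login where config.php stores only a
// password_hash() digest, never the plaintext "honeybadgerbubblegum".
// CONFIG_FILE, saveAdminPassword() and adminLogin() are this example's names.

const CONFIG_FILE = __DIR__ . '/config.php';

// Rewrite config.php with a fresh hash. Write to a temp file and rename so
// a crash mid-write never leaves a truncated or empty config behind.
function saveAdminPassword(string $newPassword): void
{
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $php  = "<?php\nreturn " . var_export($hash, true) . ";\n";
    $tmp  = CONFIG_FILE . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false || !rename($tmp, CONFIG_FILE)) {
        throw new RuntimeException('could not write config.php');
    }
    if (function_exists('opcache_invalidate')) {
        opcache_invalidate(CONFIG_FILE, true); // next include() sees the new hash
    }
}

// Check a submitted password against the stored hash. password_verify()
// compares in constant time, so no md5()/=== comparison is needed.
function adminLogin(string $submitted): bool
{
    $storedHash = include CONFIG_FILE; // config.php is "<?php return '...hash...';"
    if (!is_string($storedHash) || !password_verify($submitted, $storedHash)) {
        return false;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT's algorithm or cost has changed.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        saveAdminPassword($submitted);
    }
    return true;
}

// login.php: on first deployment, create config.php once via saveAdminPassword().
if (isset($_POST['login'], $_POST['upw'])) {
    session_start();
    if (adminLogin((string) $_POST['upw'])) {
        session_regenerate_id(true); // fresh session id on privilege change
        $_SESSION['is_admin'] = true;
        // success
    }
}
```

With the file laid out this way, the scenario DeepBlue raises below (the PHP file served as text) exposes only the hash, not the password itself.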
0

If you store it in a PHP file there are no real vulnerabilities, much the same way somebody can't see your code. This would just be another case of storing a variable, if there is only 1 possible user.

Chris Evans
0

Some of the problems I think you will encounter:

  1. Never store passwords in plain text. Hash that "honeybadgerbubblegum" using the most secure hashing algorithm you can, so that you and other people who can access your file cannot see it in plain readable text.

  2. What if that one user wants to change their password? Is he going to call you to hash another password for him? What if he does not want you to know his/her password? What are you going to do? (Unless you are the admin.)

Since you have a user membership table for other users, why not put that admin account in the same table, but with a tag that marks that one user as the admin? For example, all ordinary accounts are tagged as '1' and the admin as '0'.

Ceeee
  • I don't have a membership table for this particular project. There are only guests and an admin that wants access to an admin page to update their posts, similar to a blog. The only reason that I was thinking of this approach is that it seems like overkill to create a user table just for one admin user. – m1xolyd1an Nov 24 '15 at 03:32
  • Whatever you choose, either file or database, it will have the same process or weight of work. The only thing that changes is where you're storing the password. But IMHO storing passwords/accounts in a database is not overkill. – Ceeee Nov 24 '15 at 04:26
  • IMO there will be more vulnerability if you store admin credentials in the users table than if he stores it inside a PHP file. The correct way is to create a separate table for admins even if it contains 1 row. – DeepBlue Jan 22 '17 at 21:22
0

Apparently you are safe, but in reality there is a vulnerability; although it is rare, it could happen! Consider the following scenario:

If PHP crashes for whatever reason, Apache will serve all PHP files as text files to the public; then anyone can download your PHP file and see your password.

Do it the correct way: create a separate table for Admin containing 1 row and a hashed password field.

Important notice: don't ever save the admin password in the users table; this is a big vulnerability and exposes your password to a wide range of SQL injections.

DeepBlue