
I'm completely new to the security side of things. I have a website with an admin page, admin.php that accesses several .php files which do work for me updating databases etc. So with my admin page I can secure my login using something like:

<?php

define('SALT_LENGTH', 9);

// Returns the salt followed by sha1(salt . password). With no salt given, a
// fresh random salt is generated; when verifying a login, pass the stored
// value so the same salt is reused and the two outputs can be compared.
function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $plainText);
}

?>

Is that a good method above, should I be doing something extra?

The php files, say they're stored such as /phpfiles/dosomething.php how do I secure dosomething.php? Should it have a password on it? If I have a password on it how does admin.php access it?

Thanks

steve
  • Good method for what? You just generate some random string for something. – zerkms Feb 11 '11 at 05:13
  • **Do not roll your own**. Use a [framework](http://www.openwall.com/phpass/). Your security is already completely broken due to your use of sha1. – user229044 Feb 11 '11 at 05:18
  • Your solution is not as bad as meagar suggests, but certainly not as strong as it could be. Openwall's phpass is actually a very good suggestion, maybe the best php solution out there. It is simple, well reviewed and has been included in some well known projects. – Jacco Feb 14 '11 at 12:56

1 Answer


Generating a hash is only one part of security and authentication.

As far as access to the scripts goes, the common recommendation is to store your php files outside of the webroot, so your files can't be accessed using http://domain.com/youphpfile.php. Instead, use .htaccess to redirect all traffic to an index.php file and route the request from there.

Depending on the size of the website you are working on have you looked into using some PHP frameworks that have Auth modules?

Alternatively, if you do have a smaller website and you only need a few scripts, consider looking into htpasswd with Apache. So you can password protect an entire directory. i.e. the admin directory in your webroot.

Jacob
  • With the first part, what more is there to security and authentication - can you point me in the right direction? I've got about 50 php files that will be accessed from admin.php. So you think I should use a PHP framework with Authority modules? Can you point me in the right direction for it? Should I be using http://www.openwall.com/phpass/ which was recommended by meagar? Is there anything further I should be doing? – steve Feb 12 '11 at 21:31
  • I haven't seen/used phpass before. All the major frameworks tend to have good auth modules. Zend Framework, CakePHP, CodeIgniter, Kohana. Each will have a little bit to learn up front, but are a good idea to use for most work anyway. – Jacob Feb 12 '11 at 21:40
  • I've decided to put a .htaccess file in the directory with the scripts and put the code - deny from all - in .htaccess. For my purposes it's the easiest way of going about it, it's not a complicated website I'm building and won't need many revisions. So how do I actually access the files in the directory using admin.php when the files in the directory /scripts are blocked? – steve Feb 14 '11 at 04:55
  • you would need a special script to serve the files through php, which could be making it more complicated than you need. I would consider letting apache handle it http://httpd.apache.org/docs/2.0/howto/auth.html – Jacob Feb 14 '11 at 04:59
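As an added example (not code from the thread or from either poster), here is one way admin.php can run worker scripts that sit in a directory Apache refuses to serve, which is the situation steve's last comment describes. The directory layout, the `action` parameter, the `ADMIN_ENTRY` constant and the `$_SESSION['is_admin']` flag are assumptions made for this example.

```php
<?php
// admin.php (example file, not from the thread): the single entry point that
// dispatches to worker scripts Apache will not serve over HTTP.
// Assumed layout, constructed for this example:
//   /var/www/html/admin.php          <- inside the webroot
//   /var/www/scripts/dosomething.php <- outside the webroot, or covered by
//                                       "deny from all" in that directory's .htaccess
session_start();

// Assumes the login step has set $_SESSION['is_admin'] after a successful
// password check; the hashing scheme itself is not this example's concern.
if (empty($_SESSION['is_admin'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}

// Allowlist of actions. The path is built only from these fixed values,
// never from raw user input, so "../" in ?action= cannot reach other files.
$actions = array(
    'dosomething' => 'dosomething.php',
    'update'      => 'update.php',
);
$action = isset($_GET['action']) ? $_GET['action'] : '';
if (!isset($actions[$action])) {
    header('HTTP/1.1 404 Not Found');
    exit('Unknown action');
}

// Guard constant: each worker script checks for it and refuses to run
// otherwise, so a script that is ever reachable directly does nothing.
define('ADMIN_ENTRY', true);

// require() reads the file from disk. Apache's "deny from all" only governs
// HTTP requests, so it does not stop admin.php from reaching the directory.
require __DIR__ . '/../scripts/' . $actions[$action];

// First lines of each worker script, e.g. /var/www/scripts/dosomething.php:
//   <?php
//   if (!defined('ADMIN_ENTRY')) { header('HTTP/1.1 403 Forbidden'); exit; }
//   // ... database work follows ...
```

The worker scripts still need no password of their own: the session check in admin.php and the guard constant together ensure they run only through the authenticated entry point.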