
I have a basic login system in PHP. The form on the index page submits the username and password to the same page using the POST method. The username and password are hard-coded. Here is the PHP code on the index page that handles it:

<?php
if (isset($_POST['submit'])) {
    // Hard-coded credentials kept in the source file itself
    $username = 'Admin';
    $password = 'root';

    // Loose (==) comparison of the submitted values against the constants
    if (($_POST['uname'] == $username) && ($_POST['pass'] == $password)) {
        // Redirect to admin page
    } else {
        echo "Wrong credential";
    }
}

I have referred to This question but am unable to understand why hard coding is bad in this case.

My arguments:

  1. This eliminates the SQL injection possibility.
  2. The source code will never be seen if error reporting is off.
  • Hardcoding the credentials isn't the problem. The problem is when you hardcode them in plain text. If the credentials are hardcoded, you can still run both the username/password through `password_hash()` and only store the results (the hashes) in the file and then verify them using `password_verify()`. The reason you can hash the username as well is that you don't need to search for the username anywhere, and it will also be protected from nosy people. – M. Eriksson Sep 28 '20 at 08:41
  • One argument: If the PHP handler is misconfigured you can see the plain text of the source. This may happen during updates of mod-apache, for example. – Markus Zeller Sep 28 '20 at 08:41
  • Another argument: If you use version control software like git, you would expose the credentials. – Markus Zeller Sep 28 '20 at 08:43
  • Hardcoding creds isn't a problem if you store them as a hash, but the problem is you can't change creds without redeploying, and that's so bad. – Jerson Sep 28 '20 at 08:43
  • As written, I am pretty sure you could just break it if `uname` and `pass` were to be boolean `true`. Because of how PHP tries to transform the values to be comparable, the string will become boolean true. A simple error like this would allow someone to easily bypass the authentication. – Tobias F. Sep 28 '20 at 08:45
  • Hardcoding will make it difficult to manage and edit your source code. – ranjit thorat Nov 23 '20 at 07:58
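The following is an added example for this page, not the asker's code or any answerer's. It is a hardened version of the handler in the question that takes the comments above into account: the credentials are not in the source at all (they are read from the environment variables LOGIN_USER_HASH and LOGIN_PASS_HASH, names assumed here), only `password_hash()` output is stored, both values can be rotated without redeploying the code, and the POST values are type-checked before `password_verify()` so PHP's loose `==` comparison is never involved.

```php
<?php
// Added example, not the original poster's code. Assumes the two hashes were
// generated once with password_hash() and placed in the environment (or in a
// config file outside the web root); the variable names are chosen for this example.
declare(strict_types=1);

/**
 * Returns true only when both submitted values are plain strings and both
 * match their stored hashes. password_verify() is timing-safe and does not
 * use PHP's loose == comparison, so type juggling cannot bypass the check.
 */
function checkLogin(array $post, string $userHash, string $passHash): bool
{
    // $_POST values may be strings or arrays (e.g. uname[]=x); accept strings only.
    $uname = $post['uname'] ?? null;
    $pass  = $post['pass']  ?? null;
    if (!is_string($uname) || !is_string($pass)) {
        return false;
    }

    // Evaluate both checks before combining them so a wrong username costs
    // the same time as a wrong password.
    $userOk = password_verify($uname, $userHash);
    $passOk = password_verify($pass, $passHash);
    return $userOk && $passOk;
}

// One-time setup, run from the command line rather than on every request:
//   php -r 'echo password_hash("Admin", PASSWORD_DEFAULT), PHP_EOL;'
//   php -r 'echo password_hash("root", PASSWORD_DEFAULT), PHP_EOL;'
// Put the two outputs in LOGIN_USER_HASH and LOGIN_PASS_HASH. Changing a
// credential then means replacing a hash in the environment, not editing code.
$userHash = getenv('LOGIN_USER_HASH');
$passHash = getenv('LOGIN_PASS_HASH');
if ($userHash === false || $passHash === false) {
    http_response_code(500);
    exit('Login is not configured');
}

if (isset($_POST['submit'])) {
    if (checkLogin($_POST, $userHash, $passHash)) {
        // Successful login: start a fresh session before redirecting to the admin page.
        session_start();
        session_regenerate_id(true);
        $_SESSION['admin'] = true;
        header('Location: /admin.php');
        exit;
    }
    echo 'Wrong credential';
}
```

Because the file now holds no secret, a misconfigured PHP handler or a committed copy of the file exposes only bcrypt hashes, and the `is_string()` guard means a request such as `uname[]=x` is rejected rather than reaching the comparison.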

2 Answers


Since you are not using a database, this doesn't eliminate the SQL injection possibility. You should store the username and password in a database, store these through some hashing algorithm, for example SHA1, and apply the golden rule: "filter inputs and escape outputs".

– Ambulance lada


Hard coding is not a security threat; it's a bad practice. Also, @tobias's comment about uname or pass being Boolean is not harmful. All inputs are treated as strings in PHP.