XML PHP Login

[kvnmck18]

I actually want to create both a create account and a login. The username, passwords will be stored in xml. So this all done without sqlBut for right now I want to just work on the login part.Lets say the XML is like this:

<members><user><fname>John</fname><lname>Doe</lname><uname>jogmaster2000</uname><pass>dynamite42</pass> </user></members>

start_page.php:

<html><body><form action="login.php" method="post">UserName:<input name="username" id="username"  type="text" /><br/>Password:<input name="password" id="password"  type="text" /><br/><input name="submit" id="sumbit"  type="submit"/></form></body></html>

Any ideas?

[boen_robot]

It's a bad idea to store passwords in XML. If anyone knows the location of the XML, (s)he will be able to see all usernames and passwords in plain text. Of course finding the XML will be the harder part, but scince it will be publically available, that would still not be impossible.For secured data, using an SQL database is THE only secured way.

[kvnmck18]

You can still secure XML. (encryptions) By making the XML not available to be opened.W3.com Encryptions...and I believe banks use XML for logins.... not 100% but I think they do.

[boen_robot]

You can still secure XML. (encryptions) By making the XML not available to be opened....and I believe banks use XML for logins.... not 100% but I think they do.

And how exactly do you set the server to allow it's own CGI scripts to fetch the file and forbid all other access to it at the same time?

[kvnmck18]

Well, I was reading about it on XML.com.

[kvnmck18]

Well, boen...if you ever figure how to have the xml hidden do post it. As for now this is dead.

[aspnetguy]

You could use MD5 encryption on the passwords so even if they did find your XML they still would not have the passwords. Using MD5 and Salt would make it even harder.

[kvnmck18]

Yeah, I was thinking about something like that. But if that's possible then how do you make a XML/PHP login using encrypted passwords?

[boen_robot]

Yeah, I was thinking about something like that. But if that's possible then how do you make a XML/PHP login using encrypted passwords?

The same way you do an SQL basd login, with the only difference that instead of SQL statements you use XPath or XQuery statements.You translate the inputted value to MD5 (and Salt) and perform an XPath expression with the XML reader to find a matching login/password nodes.But again, how do you hide the XML file and still allow it's usage from local CGI scripts?I was thinkink of something like:

<Files login.xml>Order allow,denyAllow from 127.0.0.1Deny from All</Files>

As a configuration for Apache, but I'm not sure if it will work. Not to mention it has special requrements for the host (not everyone allows altering the server configuration). And also, if you're on a shared server, this allows the admins to see the password information in plain text (unless of course it's encrypted). Not only that, but it will allow other users on this server to exploit possible security holes in the server to fetch your file. This of course is applicable to MySQL too, which is why sencetive data should always be encrypted .