kvnmck18 Posted October 12, 2006

I actually want to create both a create account and a login. The usernames and passwords will be stored in XML, so this is all done without SQL. But for right now I want to just work on the login part. Let's say the XML is like this:

<members>
  <user>
    <fname>John</fname>
    <lname>Doe</lname>
    <uname>jogmaster2000</uname>
    <pass>dynamite42</pass>
  </user>
</members>

start_page.php:

<html>
<body>
<form action="login.php" method="post">
  UserName:<input name="username" id="username" type="text" /><br/>
  Password:<input name="password" id="password" type="password" /><br/>
  <input name="submit" id="submit" type="submit"/>
</form>
</body>
</html>

Any ideas?

boen_robot Posted October 13, 2006

It's a bad idea to store passwords in XML. If anyone knows the location of the XML, (s)he will be able to see all usernames and passwords in plain text. Of course finding the XML will be the harder part, but since it will be publicly available, that would still not be impossible.

For secured data, using an SQL database is THE only secured way.

kvnmck18 Posted October 13, 2006 (Author)

You can still secure XML. (encryptions) By making the XML not available to be opened.

W3.com Encryptions

...and I believe banks use XML for logins.... not 100% but I think they do.

boen_robot Posted October 13, 2006

> You can still secure XML. (encryptions) By making the XML not available to be opened.
> ...and I believe banks use XML for logins.... not 100% but I think they do.

And how exactly do you set the server to allow its own CGI scripts to fetch the file and forbid all other access to it at the same time?

kvnmck18 Posted October 13, 2006 (Author)

Well, I was reading about it on XML.com.

kvnmck18 Posted October 13, 2006 (Author)

Well, boen... if you ever figure how to have the XML hidden do post it. As for now this is dead.

aspnetguy Posted October 13, 2006

You could use MD5 encryption on the passwords so even if they did find your XML they still would not have the passwords. Using MD5 and Salt would make it even harder.

kvnmck18 Posted October 16, 2006 (Author)

Yeah, I was thinking about something like that. But if that's possible then how do you make an XML/PHP login using encrypted passwords?

boen_robot Posted October 17, 2006

> Yeah, I was thinking about something like that. But if that's possible then how do you make an XML/PHP login using encrypted passwords?

The same way you do an SQL based login, with the only difference that instead of SQL statements you use XPath or XQuery statements. You translate the inputted value to MD5 (and Salt) and perform an XPath expression with the XML reader to find matching login/password nodes.

But again, how do you hide the XML file and still allow its usage from local CGI scripts? I was thinking of something like:

<Files login.xml>
Order allow,deny
Allow from 127.0.0.1
Deny from All
</Files>

as a configuration for Apache, but I'm not sure if it will work. Not to mention it has special requirements for the host (not everyone allows altering the server configuration). And also, if you're on a shared server, this allows the admins to see the password information in plain text (unless of course it's encrypted). Not only that, but it will allow other users on this server to exploit possible security holes in the server to fetch your file. This of course is applicable to MySQL too, which is why sensitive data should always be encrypted.

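The hashed-password lookup discussed in this thread, as an added example that is not part of any post: it uses PHP's password_hash()/password_verify() (salted, deliberately slow hashing) in place of the MD5-plus-salt suggestion, and it iterates the nodes rather than building an XPath string from form input. Element names follow the XML in the first post; the function names and sample data are assumptions.

```php
<?php
// Added example, not code from the thread. Element names follow the posted
// XML; function names and sample data are assumptions.

// Look up a <user> by exact username. Iterating avoids concatenating user
// input into an XPath string, which would permit XPath injection.
function find_user(SimpleXMLElement $members, string $uname): ?SimpleXMLElement
{
    foreach ($members->user as $user) {
        if ((string) $user->uname === $uname) {
            return $user;
        }
    }
    return null;
}

// Create an account: <pass> holds a salted hash, never the password itself.
function add_user(SimpleXMLElement $members, string $uname, string $password): bool
{
    if ($uname === '' || find_user($members, $uname) !== null) {
        return false; // empty or already taken
    }
    $user = $members->addChild('user');
    $user->uname = $uname; // property assignment escapes XML special characters
    $user->pass = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

// Check a login attempt. An unknown user is verified against a throwaway hash
// so that both outcomes cost one hash computation.
function verify_login(SimpleXMLElement $members, string $uname, string $password): bool
{
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $user = find_user($members, $uname);
    $ok = password_verify($password, $user !== null ? (string) $user->pass : $dummy);
    return $ok && $user !== null;
}

// Constructed sample data; login.php would pass $_POST['username'] and
// $_POST['password'] and load/save the file with simplexml_load_file()/asXML().
$members = new SimpleXMLElement('<members/>');
add_user($members, 'jogmaster2000', 'dynamite42');
var_dump(verify_login($members, 'jogmaster2000', 'dynamite42'));
var_dump(verify_login($members, 'jogmaster2000', 'wrong'));
var_dump(verify_login($members, 'nobody', 'dynamite42'));
echo $members->asXML();
```

Because the PHP script reads the file from disk rather than over HTTP, the users file can be kept outside the web root, where the web server will not serve it.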