Is this simple login secure?


<?php
// Single hard-coded password, compared in plain text against the POSTed value.
if (!empty($_POST['password']) && $_POST['password'] === "correct") {
    echo "<h1 style='color:green'>Password is correct, you may enter!!!</h1>";
} elseif (!empty($_POST['password']) && $_POST['password'] !== "correct") {
    die('<h1>Password is INCORRECT, you may not enter!!!</h1>');
} else {
    // No password submitted yet: show the form.
    echo "Enter Password:";
    echo "<form action='' method='POST'>";
    echo "<input type='text' name='password'>";
    echo "<input type='submit'>";
    echo "</form>";
    die();
}
?>

Aside from someone accessing your webserver and looking at the password, is there any way anyone, such as a hacker, could access your site and see "Password is correct, you may enter!!!" without actually knowing the password?

And also, we can exclude stuff like SSL attacks and stuff like that.

I just want to know, on the face of it, is this login secure?


"correct" is the hard-coded password?

4 Answers

4

I vote no. Passwords should never be in codebase, especially if you are tracking code in git. Use environment variables or a database.

Here's a nice package I use a lot for environment variable loading:

https://github.com/vlucas/phpdotenv

Also never commit your env file to your repo either. :)

3

I think everything related to login credentials is posing a threat if you hard-code it somewhere in your code. I would rather use a database such as MySQL with an md5 hashed password which nobody can decode.

A good approach would be to search for the username and password in the database and see if they match:

SELECT username,password FROM users WHERE username='username' AND password='password'

If the query returns something, then you have a match. If it doesn't then print an error message.

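A database-backed check in the spirit of the answer above, as an added example that is not code from the question or from any of the answers. It differs from the answer in two ways a practitioner would insist on: the username is bound as a parameter of a prepared statement instead of being spliced into the SQL string, and the password column holds a password_hash() value that is checked with password_verify() rather than an MD5 digest. The table name users, the columns username and password_hash, and the in-memory SQLite database used for the demonstration are assumptions of this example.

```php
<?php
// Added example, not from the question or the answers.
// Assumes a table users(username, password_hash) and a PDO connection $pdo.

function createUser(PDO $pdo, string $username, string $password): void
{
    // password_hash() chooses a random salt and a slow algorithm (bcrypt by
    // default), so the stored value cannot be reversed into the password.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // Only the username goes into the query, and only as a bound parameter,
    // so input such as  ' OR '1'='1  is treated as data, not as SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For an unknown user, verify against a dummy hash anyway so that the
    // response time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-value-never-accepted', PASSWORD_DEFAULT);
    }
    $storedHash = $row['password_hash'] ?? $dummyHash;

    $ok = password_verify($password, $storedHash);
    return $row !== false && $ok;
}

// Demonstration against a constructed in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
createUser($pdo, 'alice', 'correct horse battery staple');

var_dump(checkLogin($pdo, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($pdo, 'alice', 'wrong'));
var_dump(checkLogin($pdo, "alice' OR '1'='1", 'anything'));
```

Run with the sqlite PDO driver enabled: the first call is the only one that returns true. The third call illustrates why the bound parameter matters; with the query built by string concatenation the same input would change the WHERE clause instead of simply failing to match a username.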
12

The password "correct" is weak, so a hacker can use a dictionary brute force and find it quickly.

11

No, this is not a secure login.

You are right that in order to know what you were doing, the hacker would have to get into the server and see the code.

However, this is security through obscurity, and it is not effective.

You want to practice layers in your security. You should assume that the hacker has access to your source code. You should prevent them from getting into your page even with knowing the code.

After all, how sure are you that your server won't get hacked, or that the source code you put on GitHub doesn't get out? Or maybe an intern misconfigures the server and Apache stops processing the PHP and just outputs the raw code. You want your page to be secure even with all of these things happening.

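The posted script rewritten so that the answers above hold: the secret is not in the source, and reading the deployed file (or the repository) does not hand an attacker the password. This is an added example, not code from the question or the answers. It assumes the deployer sets an environment variable named LOGIN_PASSWORD_HASH (for instance from an uncommitted .env file, as the first answer suggests) to the output of password_hash() for the real password; the variable name and the "fail closed" behaviour when it is missing are choices of this example.

```php
<?php
// Added example, not from the question or the answers.
// Assumes LOGIN_PASSWORD_HASH is set in the environment to the output of:
//   php -r 'echo password_hash("the real password", PASSWORD_DEFAULT), PHP_EOL;'
declare(strict_types=1);

function loadPasswordHash(): string
{
    $hash = getenv('LOGIN_PASSWORD_HASH');
    if ($hash === false || $hash === '') {
        // Fail closed: with no configured hash, nobody can log in.
        http_response_code(500);
        exit('Login is not configured.');
    }
    return $hash;
}

function passwordMatches(string $submitted, string $hash): bool
{
    // password_verify() compares in constant time, and the hash on disk
    // cannot be turned back into the password, so leaked source or a
    // leaked environment dump does not by itself grant access.
    return password_verify($submitted, $hash);
}

$hash = loadPasswordHash();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = (string) ($_POST['password'] ?? '');
    if ($submitted !== '' && passwordMatches($submitted, $hash)) {
        echo "<h1 style='color:green'>Password is correct, you may enter!!!</h1>";
    } else {
        // One message and one code path for "missing" and "wrong".
        http_response_code(401);
        echo '<h1>Password is incorrect, you may not enter!!!</h1>';
    }
    exit;
}

echo 'Enter Password:';
echo "<form action='' method='POST'>";
echo "<input type='password' name='password' autocomplete='current-password'>";
echo "<input type='submit'>";
echo '</form>';
```

Two things this still does not do, which the third answer points at: it does not slow down or lock out repeated guesses, so a weak password remains guessable, and it grants nothing beyond printing the banner. A real login would also start a session on success and rate-limit failures per client.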
