
Thread: How Secure?

  1. #1
    Join Date
    Mar 2005
    Location
    SE PA USA
    Posts
    30,495
    Thanks
    82
    Thanked 3,449 Times in 3,410 Posts
    Blog Entries
    12

    How Secure?

    I found this recently and was wondering how secure it is and why:

    PHP Code:
    <?php

    // Define your username and password
    // (the "=" operators were lost by the forum's code formatter; restored here)
    $username = "someuser";
    $password = "somepassword";

    // Show the login form unless both fields were posted and both match.
    // isset() avoids PHP notices on the first (GET) request, when nothing was posted.
    if (!isset($_POST['txtUsername'], $_POST['txtPassword'])
        || $_POST['txtUsername'] != $username
        || $_POST['txtPassword'] != $password) {

    ?>

    <h1>Login</h1>

    <!-- PHP_SELF can carry request-controlled path text, so it is escaped before
         being placed in the attribute -->
    <form name="form" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
        <p><label for="txtUsername">Username:</label>
        <br /><input type="text" id="txtUsername" title="Enter your Username" name="txtUsername" /></p>

        <p><label for="txtPassword">Password:</label>
        <br /><input type="password" id="txtPassword" title="Enter your password" name="txtPassword" /></p>

        <p><input type="submit" name="Submit" value="Login" /></p>

    </form>

    <?php

    }
    else {

    ?>

    <p>This is the protected page. Your private content goes here.</p>

    <?php

    }

    ?>
    It sure works like a charm in that neither the 'protected' content nor the password may be seen via view source until after 'logon', and then only the content.
    - John
    ________________________

    Show Additional Thanks: International Rescue Committee - Donate or: The Ocean Conservancy - Donate or: PayPal - Donate
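    The same single-file gate, written the way a reviewer would want it before it guards a customer list. This is an added example, not the script posted above: it keeps only a password hash in the source (the plaintext never sits in the file), compares the username in constant time with hash_equals(), checks the password with password_verify(), remembers a successful login in the session instead of re-posting credentials on every request, escapes PHP_SELF before echoing it, and logs each failed attempt. It assumes PHP 7.2 or later, that the page is served over HTTPS, and that the placeholder hash value is replaced with real output of password_hash() generated once, offline.

```php
<?php
// Added example (not the thread's code): hardened version of the one-file login gate.
// Assumptions: PHP >= 7.2, HTTPS, and $PASSWORD_HASH generated offline with
//   php -r 'echo password_hash("somepassword", PASSWORD_DEFAULT), PHP_EOL;'
session_start();

$USERNAME      = 'someuser';
// PLACEHOLDER: paste the real output of password_hash() here. The plaintext
// password is never stored in the script.
$PASSWORD_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

/**
 * Returns true only when both the username and password are correct.
 * hash_equals() runs in constant time, so the comparison does not leak how many
 * leading characters of the username matched; password_verify() does the same
 * for the bcrypt hash and never needs the plaintext on disk.
 */
function login_ok(string $user, string $pass, string $expectedUser, string $hash): bool
{
    $userOk = hash_equals($expectedUser, $user);
    $passOk = password_verify($pass, $hash);
    return $userOk && $passOk;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['txtUsername'] ?? '');
    $pass = (string)($_POST['txtPassword'] ?? '');

    if (login_ok($user, $pass, $USERNAME, $PASSWORD_HASH)) {
        // Fresh session id on privilege change prevents session fixation.
        session_regenerate_id(true);
        $_SESSION['authenticated'] = true;
    } else {
        // Record every failure with its source address so repeated guessing
        // shows up in the server's error log.
        error_log(sprintf('login failed for user "%s" from %s',
            $user, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        // Make each failed attempt cost half a second.
        usleep(500000);
    }
}

if (empty($_SESSION['authenticated'])) {
    // PHP_SELF can include request-controlled path text (PATH_INFO); echoing it
    // unescaped into the attribute would be a reflected XSS hole.
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    ?>
    <h1>Login</h1>
    <form method="post" action="<?php echo $self; ?>">
        <p><label for="txtUsername">Username:</label>
        <br /><input type="text" id="txtUsername" name="txtUsername" /></p>
        <p><label for="txtPassword">Password:</label>
        <br /><input type="password" id="txtPassword" name="txtPassword" /></p>
        <p><input type="submit" name="Submit" value="Login" /></p>
    </form>
    <?php
    exit; // nothing below this line is ever sent to an unauthenticated client
}
?>
<p>This is the protected page. Your private content goes here.</p>
```

    Because the protected content is only emitted after the exit guard, the "view source shows nothing" property of the original is preserved; what changes is that a copy of the script no longer reveals the password, and that a guessing loop against it is both slower and visible in the log.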

  2. #2
    Join Date
    Sep 2006
    Location
    St. George, UT
    Posts
    2,769
    Thanks
    3
    Thanked 157 Times in 155 Posts


    It's only as secure as any PHP script can be. As long as only the intended user knows the login info (and you don't show the PHP source to anyone), the content will be somewhat "protected". You could use other methods as well; such as using the md5 hash for the password or even both the username and password, but that's not practical.

    Anyways, just my thoughts.
    "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, Nintendo, Inc, 1989
    TheUnlimitedHost | The Testing Site | Southern Utah Web Hosting and Design

  3. #3
    Join Date
    Mar 2005
    Location
    SE PA USA
    Posts
    30,495
    Thanks
    82
    Thanked 3,449 Times in 3,410 Posts
    Blog Entries
    12


    I guess part of what I am asking is -

    If someone savvy who is not supposed to see the content found the page, is there any way (without the username and password) that they could download and/or view it other than 'as served'?

    And, is there any way that bots could see the content?

    I want to protect a list of paying customers and their email addresses so that only folks who need to use this info can see it.
    - John
    ________________________

    Show Additional Thanks: International Rescue Committee - Donate or: The Ocean Conservancy - Donate or: PayPal - Donate

  4. #4
    Join Date
    Sep 2006
    Location
    St. George, UT
    Posts
    2,769
    Thanks
    3
    Thanked 157 Times in 155 Posts


    If someone savvy who is not supposed to see the content found the page, is there any way (without the username and password) that they could download and/or view it other than 'as served'?
    To my understanding, no. They would need to enter the correct username/password combo (using any form pointing to your script using the POST method) before being able to see the content that is "hidden".

    Hope this helps.
    "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, Nintendo, Inc, 1989
    TheUnlimitedHost | The Testing Site | Southern Utah Web Hosting and Design

  5. #5
    Join Date
    Jun 2005
    Location
    United Kingdom
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    Without exploiting a vulnerability in the server software, no. This is the most secure way of protecting a page there is: there are simply no features to exploit. Of course, this has its drawbacks too, but it's certainly secure.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  6. #6
    Join Date
    Mar 2006
    Location
    Cleveland, Ohio
    Posts
    574
    Thanks
    6
    Thanked 5 Times in 5 Posts


    Yeah, it's so simple it's hard to get around. Either the password and username match up, or they don't. I use this method all the time.
    Thou com'st in such a questionable shape
    Hamlet, Act 1, Scene 4

  7. #7
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    The only possible way to hack that page, without direct access to the server, is using brute force, for both the username and password, which would be very very slow, considering.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
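    Brute force against a gate like this is slow, but it is also easy to notice if failed attempts are logged. The following is an added example, not code from the thread: a command-line PHP script that reads lines in the format PHP's error_log() writes to a file, picks out failed-login records, and reports any source address with five or more failures inside a five-minute window. The log line format, the UTC timezone, the thresholds and the sample log lines are all assumptions constructed for the example; the login script that emits such lines is not part of the original post.

```php
<?php
// Added example (not from the thread): flag sources with repeated failed logins.
// Assumes lines of the form written by error_log() in a login script with
// date.timezone = UTC:
//   [dd-Mon-yyyy HH:MM:SS UTC] login failed for user "x" from 203.0.113.5
const WINDOW_SECONDS = 300;  // assumed window
const THRESHOLD      = 5;    // assumed failures-per-window before flagging

// Constructed sample log standing in for the real error log file.
$sampleLog = <<<'LOG'
[04-Jan-2007 10:00:01 UTC] login failed for user "someuser" from 203.0.113.5
[04-Jan-2007 10:00:03 UTC] login failed for user "someuser" from 203.0.113.5
[04-Jan-2007 10:00:04 UTC] login failed for user "admin" from 203.0.113.5
[04-Jan-2007 10:00:06 UTC] login failed for user "root" from 203.0.113.5
[04-Jan-2007 10:00:09 UTC] login failed for user "someuser" from 203.0.113.5
[04-Jan-2007 10:00:10 UTC] login failed for user "someuser" from 203.0.113.5
[04-Jan-2007 10:30:00 UTC] login failed for user "someuser" from 198.51.100.7
[04-Jan-2007 10:31:00 UTC] PHP Notice:  Undefined index: foo in /var/www/x.php on line 3
LOG;

/** Parse the log into failed-login events: [['t' => unix time, 'user' => ..., 'ip' => ...], ...] */
function failedLogins(string $log): array
{
    $events = [];
    $re = '/^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) UTC\] '
        . 'login failed for user "([^"]*)" from (\S+)$/m';
    if (preg_match_all($re, $log, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $hit) {
            $ts = DateTime::createFromFormat('d-M-Y H:i:s', $hit[1], new DateTimeZone('UTC'));
            if ($ts === false) {
                continue; // unparseable timestamp: skip rather than guess
            }
            $events[] = ['t' => $ts->getTimestamp(), 'user' => $hit[2], 'ip' => $hit[3]];
        }
    }
    return $events;
}

/** Sliding window per source IP; returns [ip => failures seen inside one window] for flagged IPs. */
function suspiciousSources(array $events, int $window, int $threshold): array
{
    $byIp = [];
    foreach ($events as $e) {
        $byIp[$e['ip']][] = $e['t'];
    }

    $flagged = [];
    foreach ($byIp as $ip => $times) {
        sort($times);
        $start = 0;
        foreach ($times as $i => $t) {
            // Drop events that fell out of the window ending at $t.
            while ($t - $times[$start] > $window) {
                $start++;
            }
            $inWindow = $i - $start + 1;
            if ($inWindow >= $threshold) {
                $flagged[$ip] = $inWindow;
                break;
            }
        }
    }
    return $flagged;
}

$events = failedLogins($sampleLog);
foreach (suspiciousSources($events, WINDOW_SECONDS, THRESHOLD) as $ip => $count) {
    printf("%s: %d failed logins within %d seconds\n", $ip, $count, WINDOW_SECONDS);
}
// On the sample above this reports 203.0.113.5 (five failures in nine seconds);
// 198.51.100.7 has a single failure and the PHP notice line is ignored.
```

    Run it as `php check_logins.php` (with `$sampleLog` swapped for `file_get_contents()` of the real log); the output is a short list suitable for feeding a firewall rule or an alert, which turns the "very very slow" guessing loop into something that is also observed.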

  8. #8
    Join Date
    Jun 2006
    Location
    Acton Ontario Canada.
    Posts
    677
    Thanks
    0
    Thanked 1 Time in 1 Post


    Quote Originally Posted by jscheuer1:
    download and/or view it other than 'as served'?
    Brute-force any FTP access to the page. Physical access to the machine. Your host takes a peek at what his clients have under the hood. Improper permissions set and other people on your host can get to your files...
    Paranoia aside, that's as secure as it gets.
    - Ryan "Boxxertrumps" Trumpa
    Come back once it validates: HTML, CSS, JS.

  9. #9
    Join Date
    Mar 2006
    Location
    Cleveland, Ohio
    Posts
    574
    Thanks
    6
    Thanked 5 Times in 5 Posts


    Sometimes it's better to be a bit paranoid, though. After I had this complex PHP login with sessions and sql and everything, and within a day of it being up, someone had injected a few trojans into it that downloaded on the computer of every person visiting my site...well...I learned a hard lesson. Haha.
    Thou com'st in such a questionable shape
    Hamlet, Act 1, Scene 4

  10. #10
    Join Date
    Jun 2005
    Location
    United Kingdom
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    Well yes, but the software installed on the server is the premise of the host and the developers of that software, not the web developer.
    I had this complex PHP login with sessions and sql and everything, and within a day of it being up, someone had injected a few trojans into it that downloaded on the computer of every person visiting my site
    Which is what we're saying: it's actually a lot harder to write a proper SQL-based login system securely than it is to use something simple like the above.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
