You could store passwords as MD5 hashes which of course is NOT really
encryption, but it would obfuscate the users' passwords.  They would still
be vulnerable to social engineering ("Hmm, I'll try his wife's name, then
his dog's name, then his phone#," etc) and brute force ("I'm going to run
every word in the pspell dictionary through MD5 and see if anything
matches") attacks, but it would be better than plain text, at least.

So, instead of

<user>
        <name>Foo</name>
        <password>bar</password>
</user>

you would have

<user>
        <name>Foo</name>
        <password>37b51d194a7513e45b56f6524f2d51f2</password>
</user>

When 'Foo' tries to log in, you would just use MD5() on the password he
entered in the web form and compare it to the value in the XML file.  If it
matches, he's in... otherwise, it's not the right password.

I'm sure others will come up with more secure ideas, but anything is more
secure than passwords in plain text. :)

-Andy
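An added example, not code from Andy's mail or from the original poster: it implements the scheme described above (users.xml holding md5(password), compared against md5() of the submitted value) and, beside it, the same lookup using PHP's password_hash()/password_verify(), which salts each hash so the dictionary run Andy mentions cannot be reused across users. The XML is constructed inline so the script runs without a real users.xml; the digest is the md5("bar") value from the mail. Function names (findStoredPassword, checkLoginMd5, checkLoginSalted, storeSaltedHash) are assumptions made for this example, and hash_equals() is used so the digest comparison runs in constant time.

```php
<?php
// Added example, not code from the thread. Implements the md5-in-XML scheme
// from the mail and a salted password_hash() variant side by side.
// The XML below is constructed inline; the digest is md5("bar").

$usersXml = <<<'XML'
<users>
    <user>
        <name>Foo</name>
        <password>37b51d194a7513e45b56f6524f2d51f2</password>
    </user>
</users>
XML;

// Return the <password> text for $name, or null if the user is absent.
function findStoredPassword(string $xml, string $name): ?string
{
    $doc = simplexml_load_string($xml);
    if ($doc === false) {
        return null;
    }
    foreach ($doc->user as $user) {
        if ((string) $user->name === $name) {
            return (string) $user->password;
        }
    }
    return null;
}

// The scheme from the mail: md5() the submitted password and compare.
// hash_equals() keeps the comparison constant-time instead of leaking
// how many leading bytes matched.
function checkLoginMd5(string $xml, string $name, string $submitted): bool
{
    $stored = findStoredPassword($xml, $name);
    return $stored !== null && hash_equals($stored, md5($submitted));
}

// Salted alternative: store password_hash() output instead of an MD5 digest.
// password_verify() reads the algorithm, cost and salt back out of the
// stored string, so two users with the same password get different hashes.
function storeSaltedHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkLoginSalted(string $xml, string $name, string $submitted): bool
{
    $stored = findStoredPassword($xml, $name);
    return $stored !== null && password_verify($submitted, $stored);
}

// Usage: the MD5 lookup against the constructed file, then the salted form
// against a freshly generated hash dropped into the same XML layout.
$md5Ok  = checkLoginMd5($usersXml, 'Foo', 'bar');
$md5Bad = checkLoginMd5($usersXml, 'Foo', 'baz');

$saltedXml = str_replace(
    '37b51d194a7513e45b56f6524f2d51f2',
    storeSaltedHash('bar'),
    $usersXml
);
$saltedOk  = checkLoginSalted($saltedXml, 'Foo', 'bar');
$saltedBad = checkLoginSalted($saltedXml, 'Foo', 'baz');

printf(
    "md5: ok=%d bad=%d  salted: ok=%d bad=%d\n",
    $md5Ok, $md5Bad, $saltedOk, $saltedBad
);
```

The salted variant changes only what is written into the <password> element; the lookup code and the XML layout stay the same, so the file format Chris already has does not need to change to move from the MD5 digest to a salted hash.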

> -----Original Message-----
> From: Chris Earle [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 10, 2002 9:42 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Security with XML
>
>
> I've created a db like system with XML and PHP, and I want to require a
> username/password to change the contents of the file.
>
> How should I go about documenting the username/password?  The contents of
> the site aren't really all too important (no financial info or
> anything like
> that, mostly just links actually), but I don't want someone's information
> stolen because someone found the "users.xml" file and opened it.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php