Jack Dinker
Courses Plus Student 1,374 Points

What are security implications for storing password vals in variables $password & $confirm_password?

This may be outside the scope of this tutorial, but are there any security implications for storing password information in variables? Is this a bad practice that's overlooked just for the sake of teaching?

2 Answers

Ferdinand Pretorius
18,705 Points

This is a very broad question, and it might be more useful to narrow down exactly what you want to accomplish; however, I will try and help by assuming you want to save the value for use during a particular user session:

You are actually not storing the password in the session, rather just storing the information that this particular user has already logged in.

$_SESSION['pass_ok']='1';

On every page you just have to do a session_start() and check if this session is already set to 1; if yes, then assume him to be logged in and proceed, else redirect to the login page.

If someone gets hold of the session id then they definitely can access the user session. You can do a few things to make it more secure.

  • Use SSL (https); it will make it hard to sniff the data and get your session id
  • Maintain the client IP in the session when the user logs in; for every request after logging in, check if the requests are coming from the same IP
  • Set a short session timeout, so that if left idle for a while the session times out automatically.

Saving passwords in a variable to pass on to a database is obviously a big no, as they can be retrieved using nothing but a web browser.
Saving passwords in a variable before you hash and salt it is also not a great idea, as anyone obtaining access to a user's session can access the variable and will be able to see the password.

Basically stick to the well established methods of passing on encrypted information.

Even if you follow all best practices and store safely parsed hashes with added salt in a database, someone could still obtain access to the database and use a "rainbow sheet" or run a brute force decrypt algorithm against your data, and there will be a small chance they will be able to work out your users' passwords.

There is no 100% safe way. But it's always a good idea to stick to best practices.

I hope this helps!

Excellent way to put it!

I'm sure there are others here who are much more versed in security issues than I am, but here's my opinion, to start the conversation.

As long as by "storing in variables" you mean while a program is being executed on a server, I can't see much of any security risk. Further, how would you go about checking a user-supplied username password pair without storing them in variables? What we are warned about is inadvertently taking in unwanted stuff via query strings, text boxes, etc., so I always check any user-supplied data before using it, and stuff entered into user name and password text fields is as user-supplied as any other.

If you mean storing them in variables to pass on to a database for storage, then, yes, but it's the database that's the problem, not the PHP program doing the storing. Here there's a big issue, as md5, SHA-1, etc., some of the common encryption algorithms supported by MySQL and other DBMSs, are very easy to break.
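
The pattern both answers describe, as an added example that is not part of either post or of the course code: the password is held in a local variable only long enough to verify it against a salted `password_hash()` value, and the session keeps just the `pass_ok` flag, the client IP and a last-activity time. `find_user`, `login`, `is_logged_in`, `IDLE_TIMEOUT` and the `ip`/`last_seen` session keys are hypothetical names, the user store and addresses are constructed, and in a real request the IP would come from `$_SERVER['REMOTE_ADDR']`.

```php
<?php
declare(strict_types=1);
// Added example; helper names, session keys 'ip'/'last_seen' and the timeout are assumptions.
const IDLE_TIMEOUT = 900; // seconds of inactivity allowed
// Constructed user store standing in for a database row. Only the salted
// password_hash() output is kept, not the password and not an MD5/SHA-1 digest.
function find_user(string $username): ?array
{
    static $users = null;
    $users ??= ['jack' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $users[$username] ?? null;
}

function login(string $username, string $password, string $clientIp): bool
{
    $user = find_user($username);
    // The plaintext exists only in this local variable for this one request.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh session id at login
    $_SESSION['pass_ok'] = '1';   // the flag from the answer; no password stored
    $_SESSION['ip'] = $clientIp;
    $_SESSION['last_seen'] = time();
    return true;
}

function is_logged_in(string $clientIp, ?int $now = null): bool
{
    $now ??= time();
    $ok = ($_SESSION['pass_ok'] ?? '') === '1'
        && ($_SESSION['ip'] ?? null) === $clientIp
        && $now - ($_SESSION['last_seen'] ?? 0) <= IDLE_TIMEOUT;
    if (!$ok) {
        $_SESSION = []; // wrong IP or idle too long: drop the login state
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

// Demo with constructed values (203.0.113.0/24 is a documentation range).
session_set_cookie_params(['secure' => true, 'httponly' => true]); // HTTPS-only cookie
session_start();
var_dump([
    'login'        => login('jack', 'correct horse', '203.0.113.5'),
    'same ip'      => is_logged_in('203.0.113.5'),
    'different ip' => is_logged_in('203.0.113.99'),
]);
```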