Say I have a hypothetical PHP application which will store hashed passwords in a file in the same directory. At first, this seems like it would be very insecure, since one could guess at the name of the file and open it via a web browser ( ). However, I was wondering about the level of security this would provide using a few different methods:

- Security through obscurity: giving the text file a nonsense name that would be hard to guess ( hashed_password_wefhbweifvbewuivgbwueigfvu4gf.txt).
- Giving the text file a certain file extension ( hashed_cret), and instructing the web server to return a 403 when it is requested.
- Encrypting the text file with a key hard-coded into the PHP application.
- Storing the information in a commented-out part of a PHP file, so it can only be read from the back end (and will return a blank file in a web browser)

Compared to a database, are any of these methods more or less secure, and could they provide a reasonable level of security (about that of a database) against attackers?

Basically, all of the solutions 'solve' the problem, in making the password file not available. The best measure to do this is to store such a file in a directory outside the web root. Their differences stem from the kind of configuration error that needs to happen for it to break. Surprisingly, such misconfigurations do happen from time to time (e.g. when updating or reinstalling a system), and these solutions simply vary on how robust they are to them. Also, sometimes these configurations are set in .htaccess files, but then a config changed at the server and they were not applied.

Breaks if the web server generated an Index list
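The recommendation above, storing the file outside the web root, as an added example that is not code from the original post. The directory layout, file name and function names are assumptions; the write fails closed when the target path resolves under the web root, so the result does not depend on .htaccess or 403 rules still being applied.

```php
<?php
declare(strict_types=1);

// True if $path resolves (symlinks followed) to a location under $webRoot.
function isInsideWebRoot(string $path, string $webRoot): bool
{
    $root = realpath($webRoot);
    $dir  = realpath(dirname($path)); // the file itself may not exist yet
    if ($root === false || $dir === false) {
        throw new RuntimeException('cannot resolve web root or storage directory');
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $dir  = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($dir, $root, strlen($root)) === 0;
}

// Hash the password and write it, refusing any location the server could serve.
function storeHash(string $file, string $webRoot, string $password): void
{
    if (isInsideWebRoot($file, $webRoot)) {
        throw new RuntimeException("refusing to write $file: it is under the web root");
    }
    $old = umask(0077); // owner-only permissions from the moment of creation
    $ok  = file_put_contents($file, password_hash($password, PASSWORD_DEFAULT) . "\n", LOCK_EX);
    umask($old);
    if ($ok === false) {
        throw new RuntimeException("could not write $file");
    }
}

function checkPassword(string $file, string $password): bool
{
    $hash = file_get_contents($file);
    return $hash !== false && password_verify($password, trim($hash));
}

// Constructed demo layout in a temp directory (paths are assumptions).
$base = sys_get_temp_dir() . '/hashdemo_' . bin2hex(random_bytes(4));
mkdir("$base/public", 0700, true);   // stands in for the web root
mkdir("$base/private", 0700, true);  // sibling directory the server never maps

storeHash("$base/private/hashed_password.txt", "$base/public", 'correct horse');
var_dump(checkPassword("$base/private/hashed_password.txt", 'correct horse'));
var_dump(checkPassword("$base/private/hashed_password.txt", 'wrong guess'));
try {
    storeHash("$base/public/hashed_password.txt", "$base/public", 'correct horse');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```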