
Thread: How secure is this?

  1. #1
    Sheepoholics

    How secure is this?

    So basically I'm working with security in PHP and am right now testing some very basic stuff. I'm wondering if you (with a little hacking knowledge) would be able to successfully get into a file. So basically this is what I have set up right now.

    An HTML form like so:
    Code:
    <form action="phpfile1.php" method="post">
     <p><input type="text" name="post" /></p>
     <p><input type="submit" /></p>
    </form>
    which connects to a PHP file that looks something like this.

    PHP Code:
    <?php
    if ($name == 'seceretpassword')
    {
        echo "Password Correct";
    } else {
        echo 'Wrong Password';
    }
    ?>
    Doing a security system like this seems to be fairly secure because when you view the source of phpfile1.php all you see is the raw output of either "Password Correct" or "Wrong Password". Even when you go to the page directly it will still display "Wrong Password".
    Are there any holes in this?

    http://www.sheepoholics.x10hosting.c...uff/stuuf.html
    is a test of it if you wanna look. (the password is not the same)

  2. #2
    Bryon

    Re: How secure is this?

    Having a password stored in the actual file is one of the safest ways to keep it secure. With no database, basically the only way to find out what the password is would be to view the file's contents.

    The only problem I would see here would probably be with register globals. If you placed the password into a variable, and they checked the user-supplied password against that variable, the real password could possibly be 'over-written' with whatever the person supplied.

    Just a simple:

    PHP Code:
    if ($_POST['inputName'] == 'actualPassword')
    Is probably the most secure way to accomplish this, and I believe that is what you're doing.

    So basically, you're pretty secure and don't have to worry about someone gaining unauthorized access to whatever you're password protecting; unless they view the file.

    -Bryon

  3. #3
    Sheepoholics

    Re: How secure is this?

    Alright I'll keep that in mind. Thanks

  4. #4
    Cynical

    Re: How secure is this?

    Quote Originally Posted by Bryon
    So basically, you're pretty secure and don't have to worry about someone gaining unauthorized access to whatever you're password protecting; unless they view the file.
    To keep people from seeing the password if they view the file, store it in a PHP document ("<?PHP $pw='abcdefg'; ?>"). If they view it then it will just be a blank page.
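
Added example, not written by any poster in this thread: a sketch of the check the replies describe, with the submitted value read only from the POST data and the secret kept in a separate PHP file. It goes one step beyond the thread by storing a password hash rather than the password itself; the field name inputName and the password actualPassword come from Bryon's snippet, while the file path, function name and sample requests are constructed for illustration.

```php
<?php
// Added example: file path, function name and sample requests are constructed.

// 1. The secret lives in its own PHP file. Requested over HTTP the file prints
//    nothing, and it holds only a hash, so reading its source does not
//    hand over the password either.
$configPath = sys_get_temp_dir() . '/pw_config_example.php';
$hash = password_hash('actualPassword', PASSWORD_DEFAULT);
file_put_contents($configPath, '<?php return ' . var_export($hash, true) . ';');

// 2. The check takes the submitted value from one explicit source ($_POST in
//    a real request). No request field is ever turned into a variable, so a
//    field that happens to share a name with a local variable changes nothing.
function password_is_correct(array $post, string $configPath): bool
{
    $submitted = $post['inputName'] ?? null;
    if (!is_string($submitted)) {        // field missing, or sent as inputName[]
        return false;
    }
    $storedHash = require $configPath;   // local to this function, not a global
    return password_verify($submitted, $storedHash);
}

// 3. Constructed requests standing in for $_POST.
$cases = [
    'correct password'                  => ['inputName' => 'actualPassword'],
    'wrong password'                    => ['inputName' => 'guess'],
    'page opened directly'              => [],
    'array instead of string'           => ['inputName' => ['actualPassword']],
    'extra field named like the secret' => ['inputName' => 'guess', 'storedHash' => 'guess'],
];
foreach ($cases as $label => $post) {
    echo str_pad($label, 36),
        password_is_correct($post, $configPath) ? 'Password Correct' : 'Wrong Password',
        PHP_EOL;
}
unlink($configPath);
```

Run with the PHP command-line interpreter (PHP 7 or later); only the first case prints "Password Correct".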
