TechQA.

Why is hard coding username password security threat in php?

520 views Asked by At

I have basic login system in php . the form on index page submits username and password to same page using POST method .The username and password are hard coded . Here is php code on index page that handles

if( isset ($_POST['submit']) ) {
$username='Admin';
$password='root';

  if(  ( $_POST['uname'] == $username ) && ( $_POST['pass'] == $password) ) {
         // Redirect to admin page
  } 
  else{
       echo "Wrong credential";
 }

}

I have referred to This question but unable to understand why hard coding is bad in these case .

my arguments

  1. This eliminates sql injection possibility
  2. Source code will never been seen if error reporting is off.
php websecurity
Original Q&A
2

There are 2 answers

0
Ambulance lada On

Since you are not using database this doesn't eliminates sql injection possibility. You should store username and password in database, store these thought some hashing algorithm for example SHA1, and apply "golden rule filter inputs and escape outputs".

0
sagar caset On

Hard coding is not a security threat. it's a bad practice. Also @tobias comment of uname or pass being Boolean is not harmful. All inputs are treated as string in php

Related Questions in PHP

Related Questions in WEBSECURITY

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions