Sorry, could you provide any links to read for a security noob?)
Actually, I know that the md5 is decryptable (there are bases with
words encrypted in md5), but I thought the SHA1 was secure...
----- Original message -----
From: Nathan Rixham <nrix...@gmail.com>
To: tedd <t...@sperling.com>
Date: Thursday, August 19, 2010, 12:03:12 PM
Subject: [PHP] Re: How safe is a .htaccess file?

tedd wrote:
> Hi gang:
> The subject line says it all.
> How secure is a .htaccess file to store passwords and other sensitive 
> stuff?
> Can a .htaccess file be viewed remotely?


.htaccess is prevented from being served by configuration options (which 
come as default), however these can be overwritten so best to check by 
doing a GET on the resource URI.

This doesn't prevent them from being exposed via other processes though, 
for instance a poorly coded 'download.php?path=/path/to/.htaccess' could 
still expose the file.

Typically, it's obviously better to store only a hash of a password 
rather than the pass in plain text, choosing the strongest algorithm you 
can; password security is of course relative though, a sha-512 of 
'password1' is far from secure.

A good way to approach encryption for files is to openssl_seal them 
using a public key which is only available to your application - this 
doesn't negate insecure code, but it at least ensures the raw files are 
encrypted securely enough to negate any of these worries. (just keep 
your private key safe, preferably in a pkcs12 w/a strong 64char+ pass)
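As an added example (not code from the thread or from any of its authors), the file-sealing approach Nathan describes, in PHP: a sensitive file is sealed to an application public key with openssl_seal, the private key is kept in a passphrase-protected PKCS#12, and the file is opened again from that bundle. The key pair, self-signed certificate, file content, passphrase and the commented-out storage path are all constructed assumptions.

```php
<?php
// Added example: seal a secret file to an application public key, keep the
// private key only inside a PKCS#12 bundle, and open the file again later.
// Everything below (key, certificate, passphrase, file body) is constructed.

// 1. Generate the application key pair (normally done once, offline).
$priv = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA,
                          'private_key_bits' => 2048]);
if ($priv === false) { throw new RuntimeException(openssl_error_string()); }

// 2. A self-signed certificate, only so the private key can be stored in PKCS#12.
$dn   = ['commonName' => 'app-file-sealing (constructed)'];
$csr  = openssl_csr_new($dn, $priv, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $priv, 365, ['digest_alg' => 'sha256']);

// 3. Export key + cert as a PKCS#12 guarded by a long passphrase (assumed value).
$p12Pass = 'constructed-passphrase-replace-with-64-plus-random-characters';
if (!openssl_pkcs12_export($cert, $p12, $priv, $p12Pass)) {
    throw new RuntimeException('PKCS#12 export failed');
}
// file_put_contents('/outside/webroot/app.p12', $p12); // assumed path, never under DocumentRoot

// 4. Only the public half needs to be deployed alongside the application.
$pubPem = openssl_pkey_get_details($priv)['key'];

// 5. Seal the sensitive file: a random symmetric key is wrapped to the public key,
//    so the web application can write secrets without being able to read them back.
$plain = "db_user=app\ndb_pass=constructed-secret\n";   // constructed file body
$pub   = openssl_pkey_get_public($pubPem);
$len   = openssl_seal($plain, $sealed, $envKeys, [$pub], 'AES-256-CBC', $iv);
if ($len === false) { throw new RuntimeException(openssl_error_string()); }
// Persist $sealed, $envKeys[0] and $iv; without the private key none of them reveals $plain.

// 6. Later (e.g. in an admin job), load the private key from the PKCS#12 and open.
if (!openssl_pkcs12_read($p12, $bundle, $p12Pass)) {
    throw new RuntimeException('PKCS#12 read failed: wrong passphrase or corrupt bundle');
}
$privFromP12 = openssl_pkey_get_private($bundle['pkey']);
$ok = openssl_open($sealed, $opened, $envKeys[0], $privFromP12, 'AES-256-CBC', $iv);

echo ($ok && hash_equals($plain, $opened)) ? "round-trip ok\n" : "open failed\n";
```

A leaked .htaccess or a path-traversal download of the sealed file then yields only ciphertext; the private key and its passphrase, not the web root, become the thing to protect.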