You could store passwords as MD5 hashes, which of course is NOT really encryption, but it would obfuscate the users' passwords. They would still be vulnerable to social engineering ("Hmm, I'll try his wife's name, then his dog's name, then his phone#," etc.) and brute force ("I'm going to run every word in the pspell dictionary through MD5 and see if anything matches") attacks, but it would be better than plain text, at least.

So, instead of

    <user>
      <name>Foo</name>
      <password>bar</password>
    </user>

you would have

    <user>
      <name>Foo</name>
      <password>37b51d194a7513e45b56f6524f2d51f2</password>
    </user>

When 'Foo' tries to log in, you would just use MD5() on the password he entered in the web form and compare it to the value in the XML file. If it matches, he's in... otherwise, it's not the right password.

I'm sure others will come up with more secure ideas, but anything is more secure than passwords in plain text. :)

-Andy

> -----Original Message-----
> From: Chris Earle [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 10, 2002 9:42 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Security with XML
>
> I've created a db-like system with XML and PHP, and I want to require a
> username/password to change the contents of the file.
>
> How should I go about documenting the username/password? The contents of
> the site aren't really all too important (no financial info or anything like
> that, mostly just links actually), but I don't want someone's information
> stolen because someone found the "users.xml" file and opened it.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
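
An added example, not part of the original thread: the login check described in the reply, run against the same `<user>` record layout, with a record that still holds an unsalted MD5 value upgraded to a salted `password_hash()` value on the next successful login. The function names `find_user` and `check_login` and the in-memory sample store are assumptions made for illustration.

```php
<?php
// Added example; names below are hypothetical, the data is constructed.
// Sample store in the thread's layout: Foo's record holds md5('bar').
$xml = new SimpleXMLElement('<users/>');
$u = $xml->addChild('user');
$u->addChild('name', 'Foo');
$u->addChild('password', md5('bar'));

// Return the <user> element whose <name> matches exactly, or null.
function find_user(SimpleXMLElement $xml, string $name): ?SimpleXMLElement
{
    foreach ($xml->user as $user) {
        if ((string) $user->name === $name) {
            return $user;
        }
    }
    return null;
}

function check_login(SimpleXMLElement $xml, string $name, string $password): bool
{
    $user = find_user($xml, $name);
    if ($user === null) {
        return false;
    }
    $stored = (string) $user->password;

    // Exactly 32 hex characters: a legacy unsalted MD5 record.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // Password was correct: replace the MD5 value with a salted, slow hash.
        // A real store would then be written back with $xml->asXML($path).
        $user->password = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    // Upgraded record: password_verify() reads salt and cost from the hash.
    return password_verify($password, $stored);
}

var_dump(check_login($xml, 'Foo', 'wrong')); // rejected, record unchanged
var_dump(check_login($xml, 'Foo', 'bar'));   // accepted via MD5, then upgraded
var_dump(check_login($xml, 'Foo', 'bar'));   // accepted via password_verify()
echo $xml->asXML();
```

Because each `password_hash()` value carries its own random salt, a single pass of a word list through one hash function no longer matches every user's record at once, which is the brute-force case the reply describes for plain MD5.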