Comments
-
@spongessuck no what I'm saying is this is what he did
$passwords=array('thepassword');
if(in_array(strtolower(@$_POST['password']), $passwords)) {
//yay logged in
}
-
Then you open wp-config.php in a WordPress directory. Never understood why all the MySQL login credentials are just sitting there in plain text.
-
@stackodev wait how do you store your DB password in PHP? Do you save like an encrypted version or smth?
-
@stackodev All I see is them defining the password :P what I wanted to ask is like when you have to connect to a database how do you store your password in the code?
-
@liammartens I'm not that advanced as a PHP dev yet. Most of my work with WP has been managing ecommerce and blogs and content using ready-made plugins. wp-config.php "just works" as far as persisting the DB credentials from my view. Sitting down over the next several days to jack into the Matrix and learn the answers to the kinds of questions you're asking.
-
@stackodev ah okay okay :P well to be fair, you can't really do anything apart from storing your db creds plain in your code somewhere. Only thing you could do is put an encrypted one but then again you'd need the decryption key as well so not much sense there
-
@liammartens the new thing is to store credentials in environment variables. That way, even if someone stole your source, the creds would be safe (unless they knew exactly what to look for)
-
cahva: And lesson learned from this rant and comments:
Any password saved in plaintext in your code is wrong. If you laughed at this rant and still have any system password or api secret key in your code, joke is on you.
-
So I was checking the code for an API someone else made and the login web service literally receives a GET request with the username and password.
Holy cow.
-
@cahva shouldn't it be fine as long as the password is outside of the public directory? Or so I've heard at least (FYI this was in public directory)
-
cahva: @liammartens more important is not to add your passwords to the version control. If attacker gets to read your conf files using public url you're fucked already at that point.
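The following is an added example, not code from the rant or from any of the commenters. It puts the check from the first comment (plaintext password array, strtolower, in_array) next to a hardened version that keeps only a password_hash() value, reads it from the environment rather than from a literal in the script, as the comments about env variables and wp-config.php discuss, and refuses credentials sent in a GET query string, as the later comment about the GET login endpoint describes. The environment variable name APP_PASSWORD_HASH, the function names and the sample requests are all assumptions made up for this example.

```php
<?php
// Added example, not code from the original rant or its comments.
// Assumptions: PHP 7.x or later; the password hash is supplied through an
// environment variable (APP_PASSWORD_HASH, a made-up name) set by the web
// server or a dotenv file outside the document root. All names are made up.

declare(strict_types=1);

/**
 * Load a named secret from the environment. Fail loudly if it is missing so
 * a misconfigured deployment cannot silently fall back to an empty secret.
 */
function requireEnv(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        throw new RuntimeException("Missing required environment variable: $name");
    }
    return $value;
}

/**
 * The pattern from the rant, kept only to show what NOT to do: the secret is
 * a plaintext literal in the script, the input is lower-cased so any casing
 * is accepted, and in_array() is a plain list lookup, not a credential check.
 */
function insecureCheck(?string $input): bool
{
    $passwords = ['thepassword'];
    return in_array(strtolower((string) $input), $passwords);
}

/**
 * Hardened version: compare the submitted password against a stored
 * password_hash() value. password_verify() uses a constant-time comparison,
 * and the stored hash reveals nothing useful if the config file leaks.
 */
function secureCheck(?string $input, string $storedHash): bool
{
    if ($input === null || $input === '') {
        return false;
    }
    return password_verify($input, $storedHash);
}

/**
 * Accept credentials only from a POST body. Query-string parameters end up in
 * browser history, proxy logs and the web server's access log.
 * Returns a small status/body pair so the caller decides how to respond.
 */
function handleLogin(array $server, array $post, string $storedHash): array
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['status' => 405, 'body' => 'Use POST'];
    }
    if (secureCheck($post['password'] ?? null, $storedHash)) {
        return ['status' => 200, 'body' => 'logged in'];
    }
    return ['status' => 401, 'body' => 'invalid credentials'];
}

// --- Demonstration with constructed input (no real secrets) ----------------
// In a real deployment the hash is generated once, for example with
//   php -r 'echo password_hash("thepassword", PASSWORD_DEFAULT), PHP_EOL;'
// and placed in the server environment; putenv() here only simulates that.
putenv('APP_PASSWORD_HASH=' . password_hash('thepassword', PASSWORD_DEFAULT));
$hash = requireEnv('APP_PASSWORD_HASH');

// The original check accepts the wrong case; the hardened one does not.
var_dump(insecureCheck('THEPASSWORD'));
var_dump(secureCheck('THEPASSWORD', $hash));
var_dump(secureCheck('thepassword', $hash));

// Constructed requests: a correct password over GET is still rejected.
var_dump(handleLogin(['REQUEST_METHOD' => 'GET'], ['password' => 'thepassword'], $hash)['status']);
var_dump(handleLogin(['REQUEST_METHOD' => 'POST'], ['password' => 'thepassword'], $hash)['status']);
var_dump(handleLogin(['REQUEST_METHOD' => 'POST'], ['password' => 'wrong'], $hash)['status']);
```

Note the limit of the environment-variable approach raised in the comments: it protects against source or repository disclosure, not against an attacker who can already execute code on the host, who can read the environment just as easily as a config file. Storing a hash rather than the password narrows what such a leak is worth.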
Oh my fucking god... I am looking at this code written by a previous developer and he put the passwords in plain in an array in a PHP file, like WHAT WERE YOU THINKING? (btw that's also how he checks the password, just check whether it's in the array)
c'mon pls
bad developer
bad security
what were you thinking