Jos salasana ja käyttäjätunnus ovat vaikka php-koodisssa, niiden ei pitäisi näkyä kenellekään. Mutta pääseekö osaava hakkeri niihin silti jollain yleisesti tunnetulla tavalla käsiksi. Käyttäjän syöte mennee kai salattuna https-sivulle, riittääkö se.
Tässä chat-gpt "mielipide" asiasta:
Storing authentication usernames and passwords directly in your PHP code is generally not secure and is not a recommended practice. There are several reasons why this approach is insecure:
1. Hardcoding Credentials: Storing usernames and passwords in your code means they are easily accessible to anyone who can view the source code. This is a security risk, especially if your code is publicly accessible.
2. Risk of Code Repository Exposure: If you're using a version control system like Git, it's easy to accidentally commit and push your credentials to a public repository, making them available to the world.
3. Password Security: Storing passwords in plaintext is a significant security risk. Passwords should be hashed and salted, using secure, well-established cryptographic techniques, which can't be done if they are hardcoded.
4. Maintenance Challenges: Hardcoded credentials are difficult to manage because they require code changes every time a password needs to be updated. This can lead to human errors and make it challenging to maintain your application.
5. Limited Scalability: Storing credentials in your code restricts the flexibility to use different credentials for different environments (e.g., development, testing, production) without code modification.
Instead, consider the following best practices for secure authentication:
1. Use a Configuration File: Store credentials in a separate configuration file (e.g., a JSON, INI, or environment variable file). This file should be excluded from version control and kept separate from your codebase.
2. Hash Passwords: When working with user passwords, use a secure password hashing library (e.g., PHP's password_hash()) to securely store and verify passwords.
3. Implement User Authentication: Use a user authentication system or framework (e.g., OAuth, JWT, or a dedicated library) that provides secure methods for handling user authentication.
4. Environment Variables: In a production environment, consider storing sensitive information like database credentials in environment variables, which can be securely managed at the server level.
5. Least Privilege: Ensure that your application and database have the minimum necessary permissions. Avoid using overly permissive accounts.
6. Regularly Update Credentials: Periodically update passwords and rotate access credentials to maintain security.
Remember that security is an ongoing process, and it's essential to follow best practices to protect sensitive information and user data. Hardcoding credentials in your PHP code should be avoided to maintain the security and integrity of your application.