I'm editing web pages directly using Ajax and PHP with Simple HTML DOM. I don't see the point of using a database when I can do without. However, my hands go cold with fright when I think of storing the admin password for the app on the web server using serialize, even though it is above htdocs, it is encrypted and I am using an anti-brute-force script.
I don't want to use a database just for one password, but is it secure enough?
I look forward to your thoughts...
A file with the correct chmod permissions is just as secure as database storage in this instance.
Think about it: the MySQL database is actually stored in binary files on your server's filesystem. If a malicious user gains access to your server, they have the same access to the binary database files as to any other file, including your serialized and encrypted data in a text file.
As long as this text file isn't in a directory that's publicly accessible via the web server it's no less secure. Of course, if someone gets root access you're pretty much foobar'd either way.
What you should never do is store clear text passwords. md5() is (just) okay. sha1() has now emerged as a better option for encrypting this type of data.
A database doesn't let you keep your password any more secure than the filesystem does, because if your server gets hacked, your database password gets hacked too, which means the admin password will be revealed in any case.
If this login is and will be for you only, it's much easier to store your password in your code or in a file. But you have to encrypt your password to prevent hackerkiddies from reading this file and logging in. Please don't forget the right chmods on the file ;)
As long as you aren't storing the plain-text password in the file, I don't see a problem with keeping a password hash in the actual PHP file.
Example using SHA1:
    // Compare the SHA1 of the submitted password against the stored hex digest.
    // hash_equals() does a constant-time, strict string comparison, so the loose
    // == comparison (and its type juggling of hex strings) is avoided.
    if (isset($_POST['password'])
        && hash_equals("8cb2237d0679ca88db6464eac60da96345513964", sha1($_POST['password']))) {
        // success
    } else {
        // failure
    }
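Putting the first answer's point about file permissions together with the third answer's SHA1 check, here is an added example (it is not code from any of the answers above). The admin credential is kept as a password_hash() string in a file one directory above the web root with owner-only permissions, and checked with password_verify(), which compares in constant time and carries its own salt. The file path, the sample password and the assumption that the script lives inside htdocs are mine; it needs PHP 5.5 or later for password_hash().

```php
<?php
// Added example, not from the answers above. Stores only a password hash in a
// file outside the document root and verifies submitted passwords against it.
// ADMIN_HASH_FILE and the sample password are assumptions for the demo.

declare(strict_types=1);

// Assumed layout: this script sits in htdocs, so ../ is above the web root
// and is never served by the web server.
const ADMIN_HASH_FILE = __DIR__ . '/../admin.hash';   // hypothetical path

/**
 * Store a new admin password. Only the hash ever touches the disk, and the file
 * is created with owner-only permissions so other local accounts cannot read it.
 */
function storeAdminPassword(string $file, string $password): void
{
    // bcrypt via PASSWORD_DEFAULT; a random salt is generated and embedded.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    // Write to a temp file and rename, so a reader never sees a half-written hash.
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, $hash . "\n", LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, 0600);          // rw-------: the web server user only
    rename($tmp, $file);
}

/**
 * Check a submitted password against the stored hash.
 * password_verify() compares in constant time and simply returns false for a
 * missing or corrupt hash, so a bad file never turns into an accidental login.
 */
function verifyAdminPassword(string $file, string $submitted): bool
{
    if (!is_readable($file)) {
        return false;                         // nothing stored yet: deny
    }
    $perms = fileperms($file) & 0777;
    if ($perms & 0077) {
        // Permissions were loosened; refuse rather than trust a group/world-readable secret.
        error_log(sprintf('%s has permissions %o, expected 0600', $file, $perms));
        return false;
    }
    $hash = trim((string) file_get_contents($file));
    if (!password_verify($submitted, $hash)) {
        return false;
    }
    // Upgrade the stored hash if PHP's default algorithm or cost has moved on.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        storeAdminPassword($file, $submitted);
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    // One-time setup from the command line with a constructed sample password.
    storeAdminPassword(ADMIN_HASH_FILE, 'correct horse battery staple');
} elseif (isset($_POST['password'])) {
    if (verifyAdminPassword(ADMIN_HASH_FILE, $_POST['password'])) {
        // success: start the admin session here
    } else {
        // failure: one generic error, no hint whether file or password was the problem
    }
}
```

Run the script once from the CLI to create the hash file, then let the web server user own it; the permission check in verifyAdminPassword() turns a later careless chmod into a denied login and a log line instead of a silently exposed secret.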
You should store your "hash" somewhere secure (the key you're generating a password with). It doesn't matter where you store that password: if someone can get to the "hash / key", they can get to your passwords. The nice thing about a database is that it's most likely going to be easier to traverse your directory structure and find a file than it is to connect to your database, discover your table structure, then discover the values stored in a field in the database.