Specifications

Storing Passwords
There are many better places to store usernames and passwords than inside the script. Inside the script, the data is difficult to modify. It is possible, but a bad idea, to write a script that modifies itself: it would mean having a script on your server, which gets executed on your server, that is writable or modifiable by others. Storing the data in another file on the server lets you more easily write a program to add and remove users and to alter passwords.

Inside a script or another data file, there is a limit to the number of users you can have without seriously affecting the speed of the script. If you are considering storing and searching through a large number of items in a file, you should consider using a database instead, as previously discussed. As a rule of thumb, if you want to store and search through a list of more than 100 items, they should be in a database rather than a flat file.

Using a database to store usernames and passwords would not make the script much more complex, but it would allow you to authenticate many different users quickly. It would also allow you to easily write a script to add new users, delete users, and let users change their passwords.
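The following is an added example, not the book's Listing 14.2 and not code from the book's authors, showing the database-backed approach the paragraphs above describe, carried one step further than the page: a single credential table with functions to add a user, delete a user, authenticate, and change a password. It uses PDO with an in-memory SQLite database so that it runs stand-alone (switching the DSN to a MySQL one is the only change needed to use MySQL as the book does); the table name `auth`, the function names, and the sample account are assumptions constructed for this example. Only a salted password hash is stored, never the plaintext, and every query uses bound parameters so user input never becomes part of the SQL text.

```php
<?php
// Added example, not the book's Listing 14.2: a credential store kept in a
// database rather than in the script or a flat file. Runs stand-alone on an
// in-memory SQLite database through PDO; the table name `auth`, the function
// names and the sample account are all constructed for this example.

function openUserStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only the password hash is stored; the plaintext never touches the database.
    $db->exec('CREATE TABLE auth (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    return $db;
}

function addUser(PDO $db, string $name, string $password): void
{
    // password_hash() chooses the algorithm and a fresh random salt for each call.
    $stmt = $db->prepare('INSERT INTO auth (name, pass_hash) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
}

function deleteUser(PDO $db, string $name): bool
{
    $stmt = $db->prepare('DELETE FROM auth WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->rowCount() === 1;
}

function authenticate(PDO $db, string $name, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Verified against when the name is unknown, so a missing account costs
        // the same time as a wrong password and does not reveal which names exist.
        $dummyHash = password_hash('unused', PASSWORD_DEFAULT);
    }
    // Bound parameter: the submitted name is data, not part of the SQL text.
    $stmt = $db->prepare('SELECT pass_hash FROM auth WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['pass_hash']);
}

function changePassword(PDO $db, string $name, string $old, string $new): bool
{
    // The current password must verify before the stored hash is replaced.
    if (!authenticate($db, $name, $old)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE auth SET pass_hash = :hash WHERE name = :name');
    $stmt->execute([':name' => $name, ':hash' => password_hash($new, PASSWORD_DEFAULT)]);
    return $stmt->rowCount() === 1;
}

// Demonstration with a constructed account.
$db = openUserStore();
addUser($db, 'alice', 'correct horse battery');
$report = function (string $label, bool $ok): void {
    printf("%-28s %s\n", $label . ':', $ok ? 'accepted' : 'rejected');
};
$report('login, right password', authenticate($db, 'alice', 'correct horse battery'));
$report('login, wrong password', authenticate($db, 'alice', 'staple'));
$report('login, unknown user', authenticate($db, 'nobody', 'anything'));
changePassword($db, 'alice', 'correct horse battery', 'new secret');
$report('login after password change', authenticate($db, 'alice', 'new secret'));
deleteUser($db, 'alice');
$report('login after delete', authenticate($db, 'alice', 'new secret'));
```

Run it with `php` on the command line; it needs only the `pdo_sqlite` extension that ships with PHP. The functions are the same ones a separate administration script would call to add, remove, or re-password users, which is exactly what keeping the credentials outside the script makes possible.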
A script to authenticate visitors to a page against a database is given in Listing 14.2.
LISTING 14.2 secretdb.php: We Have Used MySQL to Improve Our Simple Authentication Mechanism
<?php
// Form values arrive in $_POST; the original relied on register_globals, which modern PHP no longer provides
if (!isset($_POST['name']) && !isset($_POST['password']))
{
  // Visitor needs to enter a name and password
?>
<h1>Please Log In</h1>
This page is secret.
<form method="post" action="secretdb.php">
<table border="1">
<tr>
<th> Username </th>
<td> <input type="text" name="name"> </td>
</tr>
<tr>
<th> Password </th>
<td> <input type="password" name="password"> </td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" value="Log In">
</td>