Editorial Team
Asked: June 16, 2026

I’m building a private CMS for my own use and am at the point

I’m building a private CMS for my own use and am at the point where I will start building out the username and password storing features. I am considering the possibility of storing all admin username, password, and user details in a multidimensional array within a PHP file, rather than using SQL to store them in a database.

My reason for wanting to use this non-traditional approach of storing user info is the belief that this will make it harder for attackers to gain unauthorized access to user info (usernames, passwords, IP addresses, etc.), because I will not be connecting to a MySQL database.

Rough Outline of Code:

add_user.php

// set the last referrer session variable to the current page 
$_SESSION['last_referrer'] = 'add_user.php';

// set raw credential variables and salt
$raw_user = $_POST['user'];
$raw_pass = $_POST['pass'];
$raw_IP = $_SERVER['REMOTE_ADDR'];
$salt = '&^${QqiO%Ur!W0,.#.*';

// set the username if it's clean, else it's false
$username = (is_clean($raw_user)) ? $raw_user : false; // is_clean() is a function I will build to check if strings are clean, and can be appended to an array without creating a parsing error.

// set the salted, sanitized, and encrypted password if it's clean, else it's false
$password = (is_clean($raw_pass)) ? $salt . encrypt($raw_pass) : false; // encrypt() is a function I will build to encrypt passwords in a specific way

// if username and password are both valid and not false
if( $username && $password ) {

    // set the user's IP address
    $IP = sanitize($raw_IP);

    // create a temporary key
    $temp_key = $_SESSION['temp_key'] = random_key(); 

    // random_key() is a function I will build to create a key that I will store in a session only long enough to use for adding user info to the database.php file

    // add user details array to main array of all users
    $add_user = append_array_to_file('database.php', array($username, $password, $IP)); 

    // append_array_to_file() is a function I will build to add arrays to the existing multidimensional array that holds all user credentials. 

    // The function will load the database.php file using cURL so that database.php can check if the temp_key session is set, the append_array_to_file() function will stop and return false if the database.php file reports back that the temp_key is not set.

    // The function will crawl database.php to read the current array of users into the function, will then add the current user's credentials to the array, then will rewrite the database.php file with the new array. 

    // destroy the temporary session key
    unset($_SESSION['temp_key']);
}
else {
    return false;
}

database.php

$users_credentials = array(1 => array('username' => 'jack', 
                                      'password' => '&^${QqiO%Ur!W0,.#.*HuiUn34D09Qi!d}Yt$s',
                                      'ip'=> '127.0.0.1'), 
                           2 => array('username' => 'chris', 
                                      'password' => '&^${QqiO%Ur!W0,.#.*8YiPosl@87&^4#',
                                      'ip'=> '873.02.34.7')
                          );

I would then create custom functions to mimic SQL queries like SELECT for use in verifying users trying to log in.

My Questions

  1. Is this a bad idea, and if so, why?

  2. Am I correct in thinking that this will reduce the number of possibilities for hackers trying to gain unauthorized access, sniff/steal passwords, etc., since I’m not connecting to a remote database?


1 Answer

  1. Editorial Team
    Added an answer on June 16, 2026 at 3:11 am

    I don’t see any advantage: whether you use a text file, a MySQL database or a PHP file ( === text file), they are all “databases” in the sense that they are files where you store your information. The difference is that an SQL database is made for that stuff.

    I do see disadvantages as there are more potential holes you would have to think about. Some examples (apart from the stuff mentioned in the comments):

    • You need to take care that the password file is always out of the web-root in case PHP dies on you;
    • You need to avoid passing around your password file in, for example, source control.

    These are not things that are hard to solve, but using a normal database you don’t even have to worry about them.

    Apart from that, you are misunderstanding the purpose of the salt: if you just prepend it to the encrypted password, there is really no point in using a salt. You need to send it to your encrypt function to hash it with your text password, so that rainbow tables would have to be generated for each password instead of just one for your whole database. And for that reason you should also not use a single salt for all your users; each should have a different, unique salt.
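
The salting point from the answer above, as an added example that is not part of the original question or answer: the question's fixed, prepended salt next to a per-user salt that is hashed together with the password. `encrypt_stub()` is a hypothetical stand-in for the asker's unwritten `encrypt()` (unsalted SHA-256 is an assumption), and `store_prepended()`, `store_salted()` and `check_login()` are names introduced here.

```php
<?php
// Added example; not code from the question or the answer.

// Hypothetical stand-in for the asker's unwritten encrypt().
// An unsalted SHA-256 is assumed only to make the comparison concrete.
function encrypt_stub(string $pass): string
{
    return hash('sha256', $pass);
}

// The question's scheme: one fixed salt glued in front of the output.
// The salt never enters the hash, so it adds nothing to the stored value.
function store_prepended(string $pass): string
{
    $salt = '&^${QqiO%Ur!W0,.#.*';
    return $salt . encrypt_stub($pass);
}

// What the answer asks for: a unique salt per user, hashed with the password.
// password_hash() generates the random salt itself and embeds it, together
// with the algorithm and cost, in the string it returns.
function store_salted(string $pass): string
{
    return password_hash($pass, PASSWORD_DEFAULT);
}

// Login check: password_verify() reads the salt and cost back out of the
// stored string, recomputes the hash and compares it safely.
function check_login(string $pass, string $stored): bool
{
    return password_verify($pass, $stored);
}

// Constructed sample: two users who happen to choose the same password.
$pw = 'correct horse battery staple';

// Compare the two stored records under the prepended scheme.
var_dump(store_prepended($pw) === store_prepended($pw));

// Compare the two stored records under per-user salting.
$jack  = store_salted($pw);
$chris = store_salted($pw);
var_dump($jack === $chris);

// Both users can still log in; a wrong password is rejected.
var_dump(check_login($pw, $jack), check_login($pw, $chris));
var_dump(check_login('wrong guess', $jack));
```

Run with the PHP CLI: the two prepended records are identical, so one precomputed table covers every user, while the two `password_hash()` records differ and both still verify.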
