PHP

Henrik Christensen
Python Web Development Techdegree Student 38,322 Points

admin login

Hi,

I'm trying to make an admin page for a blog and I'm wondering if it's okay to store the admin username and password (this will be the only user) inside the php-tags or should I create a table in my database to store the username and password?

2 Answers

Kevin Korte
28,149 Points

You mean like just hard code the admin login credentials?

Kevin Korte
28,149 Points

I suppose you could, if this is just going to remain a super simple blog. You'll still want to make sure you're somehow authenticated to the site, and making authenticated requests to add, edit, or delete, maybe through the use of a cookie or something.

Of course though, you run the risk that by storing your username and password in plain text, if someone gets your source files, it could be game over. And that you have to remember to not check that file into any sort of version control. All of GitHub is searchable, so people can just search for words like "password" and get back all the repos that have files checked in with the word "password" in them. Most often people try farming API keys this way by people who check their keys in.

I would keep your creds in a file of its own, and include it in other files where it's needed. But since you're going to have a database anyway I assume, I'd at least consider taking the extra work to have a users table, and store your hashed password in the database, that's the safest way.
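
The users-table approach suggested in the answer above, as an added example that is not part of the thread: the password is stored only as a `password_hash()` output and checked with `password_verify()`. The table layout, the helper names `create_admin` and `verify_login`, the in-memory SQLite database and the sample credentials are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: an in-memory SQLite database stands in for the blog's real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Hypothetical helper: store only a salted hash, never the password itself.
function create_admin(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: true only when the username exists and the password matches.
function verify_login(PDO $db, string $username, string $password): bool
{
    // Hash checked for unknown usernames so both paths cost about the same.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    $found = is_string($stored);

    if (!password_verify($password, $found ? $stored : $dummy) || !$found) {
        return false;
    }
    // Re-hash transparently when PHP's default algorithm or cost has changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample credentials, for the demonstration only.
create_admin($db, 'admin', 'constructed-sample-passphrase');
var_dump(verify_login($db, 'admin', 'constructed-sample-passphrase'));
var_dump(verify_login($db, 'admin', 'wrong-guess'));
var_dump(verify_login($db, 'nobody', 'constructed-sample-passphrase'));
```

In the blog itself, a successful `verify_login()` would be followed by `session_regenerate_id(true)` and setting a session flag, which each add, edit, or delete request then checks before doing anything.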